Re: [Firestarter-user] Re: Firestarter-user digest, Vol 1 #1140 - 5 msgs
From: ryan <ry...@zo...> - 2005-04-24 22:03:34
I was always under the impression /etc/hosts.allow ALL: EXCEPT PARANOID was ok to use with sendmail.
http://www.cert.org/security-improvement/implementations/i041.07.html

You pointed out something interesting - check this page - http://postmaster.aol.com/info/rdns.html

"Reverse DNS must be in the form of a fully-qualified domain name. Reverse DNS containing in-addr.arpa are not acceptable, as these are merely placeholders for a valid PTR record. Reverse DNS consisting only of IP addresses are also not acceptable, as they do not correctly establish the relationship between domain and IP address."

Wonder if anyone tried to blacklist AOL's 20 million subs? ;-)

On Sun, 2005-04-24 at 22:35 +0200, J.O. Aho wrote:
> On Sun, 24 Apr 2005, ryan wrote:
>
> > You can usually block all connections to your servers (ssh, vsftp, sendmail)
> > from domain names without proper reverse dns entries via tcp wrappers and the
> > "paranoid" switch.
> > http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappers-access.html
> > (apache, etc sometimes have their own more advanced settings)
>
> This will only protect clients connecting to you, not the other way around.
>
> tcpwrapper isn't a good solution for sendmail (nor any other MTA) as that
> breaks how a MTA is supposed to work and can get you into a blacklist
> over servers that are misconfigured. There is a "hack" for sendmail that
> will tell the connecting server that the reverse check failed and mail not
> allowed from the host until the DNS is fixed.
> Can't remember the number of the RPC, but it says that a MTA shall always
> give a response and that don't happen when you wrap.
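The check tcp_wrappers performs for its PARANOID keyword (per hosts_access(5): the keyword matches any host whose name does not match its address) is forward-confirmed reverse DNS, and the AOL page quoted above layers a naming policy on top of it. The script below is an added example written for this thread; it is not code from the Firestarter project, tcp_wrappers, sendmail or AOL. It implements both checks with the resolver functions injected, so the constructed sample zone data (`SAMPLE_PTR`, `SAMPLE_A`) can be evaluated offline, and it falls back to the real resolver when no functions are passed. Function names and the sample addresses are assumptions of the example.

```python
"""Forward-confirmed reverse DNS (the PARANOID test) plus the AOL-style naming rule.

Hypothetical example code written for this thread; not from tcp_wrappers,
sendmail, Firestarter or AOL. Resolver functions are injected so the
constructed samples run offline.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the real resolver (not used by the offline samples)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A/AAAA lookup against the real resolver (not used by the offline samples)."""
    try:
        return sorted({res[4][0] for res in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def paranoid_verdict(ip: str, reverse: ReverseFn = live_reverse,
                     forward: ForwardFn = live_forward) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS, the test behind tcp_wrappers' PARANOID.

    Returns (passes, detail). A host passes only when its PTR name resolves
    forward to a set of addresses that contains the original IP.
    """
    name = reverse(ip)
    if not name:
        return False, "no PTR record"
    name = name.rstrip(".")
    addrs = forward(name)
    if ip not in addrs:
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name


def rdns_name_acceptable(name: str) -> bool:
    """AOL's published rule quoted in the thread: the reverse name must be a
    real FQDN, not an in-addr.arpa placeholder and not just the address."""
    bare = name.rstrip(".").lower()
    if bare.endswith(".in-addr.arpa") or bare.endswith(".ip6.arpa"):
        return False
    try:
        ipaddress.ip_address(bare)        # a bare literal such as "192.0.2.10"
        return False
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.\-]+", bare):  # e.g. "192-0-2-10" with no domain part
        return False
    return "." in bare                     # must carry at least one label of domain


# Constructed sample zone data so the check runs offline (TEST-NET-1 addresses).
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.com.",          # good: PTR and A agree
    "192.0.2.11": "mail.example.com.",          # bad: A record points elsewhere
    "192.0.2.12": None,                         # bad: no PTR at all
    "192.0.2.13": "13.2.0.192.in-addr.arpa.",   # placeholder; forward lookup fails
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
}


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_forward(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed address; the verdict is what PARANOID would do."""
    return {ip: paranoid_verdict(ip, sample_reverse, sample_forward)
            for ip in SAMPLE_PTR}


if __name__ == "__main__":
    for ip, (ok, detail) in run_samples().items():
        flag = "allow" if ok else "deny "
        print(f"{ip:12} {flag} {detail}  name-policy={rdns_name_acceptable(detail)}")
```

Run `paranoid_verdict()` with the default live resolvers against your own mail server's public address before relying on `ALL: ALL EXCEPT PARANOID`: it tells you whether other sites applying the same rule will accept you. It does not change the objection raised in the reply, which is that a wrapper drops the TCP connection without any SMTP response, so rejecting at the MTA level with a proper status code is the behaviour remote servers expect.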