Previous | Contents | Index |
DNS_VERIFY can be used to validate domain names or IP addresses via DNS. For example, it can be used to verify that an entry in DNS exists for the domain used in the SMTP MAIL FROM:
command, or to look up an IP address in the blackhole lists supplied by
such services as MAPS and ORBS. The message can be rejected or accepted
based on the presence or absence of a corresponding DNS record, or a
new header can be added to the message to indicate the problem.
Performing DNS checks may result in the rejection of some valid messages. For instance, this could include mail from legitimate sites that simply have not yet registered their domain name, or during periods of bad information in DNS. |
Please be aware that doing DNS lookups is contrary to the spirit of being generous in what you accept, as expressed in RFC 1123, Requirements for Internet Hosts. However, some sites may desire to perform such checks in cases where junk e-mail (SPAM) is, for example, being sent with forged e-mail addresses from non-existent domains.
If DNS or connections to the sites being used for DNS verification become unavailable then mail delivery will be impacted. Use of DNS_VERIFY can impact performance as well as result in unreliable mail reception due to the dependency on multiple DNS lookups for every incoming SMTP connection.
Mail addressed to postmaster
must never be rejected. Violation of this rule is
sufficient cause for your domain to be disconnected from the Internet.
|
DNS_VERIFY is supplied as a sharable image on VMS (PMDF_EXE:DNS_VERIFY.EXE
), as a sharable object library on UNIX (/pmdf/lib/dns_verify
), and as a DLL on NT (C:\pmdf\bin\dns_verify.dll
). It can be used from any of the mapping tables described in this
chapter, using the routine callout described in Section 2.2.6.7, Customer-supplied Routine Substitutions, $[...].
On VMS, make sure that the PMDF_DNS_VERIFY logical name is set. For PMDF V6.2 and later, this logical is defined in PMDF_STARTUP.COM. If you are running PMDF V6.1 or earlier, add the following line to your PMDF_COM:PMDF_SITE_STARTUP.COM command procedure (create it if necessary):
$ DEFINE/SYSTEM/EXEC PMDF_DNS_VERIFY PMDF_EXE:DNS_VERIFY.EXE |
DNS_VERIFY has 4 routines that can be called:
dns_verify
dns_verify_domain
dns_verify_domain_port
dns_verify_domain_warn
These are each described in the sections below.
Note that your mapping tables with DNS_VERIFY callouts can be tested by using the pmdf test -mapping
utility (pmdf test/mapping
on VMS).
16.1.8.1 dns_verify Routine
The dns_verify
routine is the most general of the routines. It simply does a lookup in DNS of the domain name that you specify, which could be the domain from the SMTP MAIL FROM:
command, or could be the domain name corresponding to the IP address in a blackhole list such as blackholes.mail-abuse.org
. Any mapping table action can be taken if the domain exists or does
not exist in DNS.
Note that when doing the DNS lookup, dns_verify
looks for both an A DNS record and an MX DNS record.
The dns_verify
routine performs the same type of action as the mailfromdnsverify
channel keyword. Using DNS_VERIFY allows you more control over which
connections trigger the DNS lookups.
The dns_verify
routine's argument is four strings separated by "|", as
follows:
domainname[|success[|failure[|unknown]]] |
domainname
is the name to look up in DNS.
success
string is optional. If specified, it is the mapping table string to return if domainname
is found in DNS. If not specified, the default is "$Y", to
accept the message.
failure
string is optional. If specified, it is the mapping table string to return if domainname
is not found in DNS. If not specified, the default is "$N",
to reject the message.
unknown
string is optional. If specified, it is the mapping table string to return if there was a temporary DNS failure during lookup. If not specified, and the success
string was specified, that string is used. If neither are specified,
the default is "$Y".
Note that in the mapping table, the $'s need to be doubled. For example, to specify "$Y", you need to put in "$$Y".
An alternative separator can be used instead of "|". To specify an alternative separator, specify it as the first character of the routine's argument. For example, to specify "+" as the separator, use the following syntax:
+domainname+success+failure+unknown |
The success
, failure
, and unknown
strings can contain the following format characters:
%a |
If successful, the primary name for
domainname . If there was no A record, but there was an MX
record, this contains the domainname from the first MX record received
from DNS.
|
%e | If not successful, the error message associated with the lookup. |
%n | If successful, the IP address found from the DNS lookup. If there was no A record, but there was an MX record, this contains the IP address corresponding to the first MX record received from DNS. |
The following example shows a simple SEND_ACCESS mapping table entry on VMS to verify that the sender's hostname is in DNS:
SEND_ACCESS *tcp_*|*@*|*|* \ $C$[pmdf_dns_verify,dns_verify,$3|$$Y|$$NInvalid$ host:$ $$3$-$ %e]$E |
The following example shows a PORT_ACCESS mapping table entry on UNIX to check the IP address of the system sending the message:
PORT_ACCESS TCP|*|25|*|* \ $C$[/pmdf/lib/dns_verify,dns_verify,\ $1|$$Y|$$N500$ Message$ refused$ from$ $$1$ -$ %e]$E |
The dns_verify_domain
and dns_verify_domain_port
routines are used to query the specified blackhole list and return pre-defined success, failure, and unknown messages. The same operation can be performed using the dns_verify
routine, but with more complicated setup.
The dns_verify_domain_port
routine is used in the PORT_ACCESS mapping table. The dns_verify_domain
routine is used in the MAIL_ACCESS, SEND_ACCESS, and similar mapping
tables.
The dns_verify_domain
and dns_verify_domain_port
routines perform the same type of action as the DNS_VERIFY_DOMAIN
dispatcher option. Using DNS_VERIFY allows you more control over which
connections trigger the DNS lookups.
The dns_verify_domain
and dns_verify_domain_port
routines' argument is three strings separated by ",", as
follows:
ip-address,domainname[,text-string] |
ip-address
is the IP address that you want to check against the blackhole list.
domainname
is the name of the blackhole list to check against, for example, blackholes.mail-abuse.org
.
text-string
is optional. If specified, it is the text to return if no TXT record is
available. If not specified, the default is "No Error Text
Available".
dns_verify_domain
and dns_verify_domain_port
check the given list for the IP address. For example, if ip-address
is 127.0.0.2, and domainname
is bl.spamcop.net
, dns_verify_domain
and dns_verify_domain_port
looks up the following name: 2.0.0.127.bl.spamcop.net. They first first
look up the TXT record for that name, and if it is not available, they
look up the A record.
The following examples show the use of these routines on VMS:
MAIL_ACCESS TCP|*|25|*|*|*|*|tcp_local|*|*|* \ $C$[pmdf_dns_verify,dns_verify_domain,$1,bl.spamcop.net]$E PORT_ACCESS TCP|*|25|*|* \ $C$[pmdf_dns_verify,dns_verify_domain_port,$1,bl.spamcop.net]$E |
The approximate equivalent of the previous MAIL_ACCESS example using the dns_verify
routine would be:
MAIL_ACCESS TCP|*|25|*.*.*.*|*|*|*|tcp_local|*|*|* \ $C$[pmdf_dns_verify,dns_verify,+$4.$3.$2.$1.bl.spamcop.net+\ $$N$$X5.7.1|Blocked$ -$ see$ http://spamcop.net/bl.shtml?$$1.$$2.$$3.$$4+$$Y]$E |
The dns_verify_domain_warn
routine performs the same DNS lookup as the dns_verify_domain
and dns_verify_domain_port
routines, but instead of rejecting the message if the DNS entry exists, it adds a new header line to the message. The dns_verify_domain_warn
routine can be used in any of the ACCESS mapping tables.
The dns_verify_domain_warn
routine's argument is four strings separated by ",", as
follows:
ip-address,domainname[,text-string[,header]] |
ip-address
, domainname
, and text-string
are the same as for dns_verify_domain
and dns_verify_domain_port
.
header
is optional. If specified, it is a string containing the header name, and other optional text, to include before the TXT record string or text-string
value. The header name must be one that PMDF recognizes. The default is
"X-Dispatcher: ".
The following example shows an ORIG_MAIL_ACCESS mapping table entry on NT to query spamcop.net
:
ORIG_MAIL_ACCESS TCP|*|25|*|*|*|*|*|*|*|* \ $C$[C:\pmdf\bin\dns_verify.dll,dns_verify_domain_warn,$1,\ bl.spamcop.net,spamcop.net:$ entry$ found$ for$ $$1,\ X-Dispatcher:$ SPAMfilter$ (spamcop.net):$ ]$E |
For a source IP address of 127.0.0.2, this example would return
$Y$AX-Dispatcher: SPAMfilter (spamcop.net): Blocked - see http://spamcop.net/bl.shtml?127.0.0.2 |
This is then added as a header to the message. To act upon this, create a system-wide, channel or user filter file containing a SIEVE command similar to:
if header :contains "X-Dispatcher" "SPAMfilter" { discard; } |
Previous | Next | Contents | Index |