
Re: [filtered-ww] [vps-mail] Issue re sendmail/ abuse (attempted relay????)



On a bit of Internet search

man 5 hosts_access

one site that seems an easy read
http://ezine.deamonnews.org/200206/hosts_allow.html

But now I have a question....
If I enable reverse IP lookup from within the hosts.allow file, will
I end up blocking servers like my own VPS where the registered domain
name (with IP) doesn't correspond with any virtual domain name? i.e.
if someone sends mail from virtual.domain.name to a VPS, and PARANOID
is used, will it get blocked as the IP address in reality is
registered to another domain name? (The other discussion re: PTR)

cheers,
tim.

Saturday, August 23, 2003, 7:41:57 AM, Bruce Armstrong wrote:

BA> I'll be responding inline.

BA> On Fri, 22 Aug 2003, Abigail Marshall wrote:

>> BA> On VPS1, tcpwrappers can be used to block the connection without even
>> BA> starting a sendmail process.
>>
>> BA> There are some other interesting possibilities with tcpwrappers, worth
>> BA> checking out.
>>
>> Bruce,
>>
>> All I can say is wow ... I have seen server load go down
>> before my eyes, almost instantly.
>>
>> Can the hosts.allow file be used in lieu of domain or IP
>> specific blocking in the Sendmail Access file?
>>
BA> Yes

>> Am I correct that it would work with even less impact on
>> server resources, but that the difference would be that the
>> sender would simply not be able to connect, as opposed to
>> receiving a Sendmail-generated RFC error message?
>>
BA> You are correct

>> Or is hosts.allow only going to work against those attempting
>> an SMTP relay connection, rather than rejecting email simply
>> sent from another server to a domain on the VPS1?
>>
BA> The hosts.allow file is used by iservd to determine whether or not to
BA> allow a connection to a particular service.  The comments in the default
BA> hosts.allow list a number of services you can allow or deny access to.
BA> Among them are telnet, ftp, pop3, imap, etc.  If a default hosts.allow
BA> doesn't exist, you can find one in the skel directory.  Most of my servers
BA> got the new file when the change happened, but some didn't (I thought
BA> that was odd).  Anyway, if you specify that a host can't connect to a
BA> service, then the connections will be flat out refused or dropped.

BA> Hope that helps. I'd direct you to the manpage, but it doesn't seem to
BA> exist on the vps servers.

BA>         --Bruce

BA> ======================================================================
BA> Technical questions regarding this list may be sent to
BA> <vps-mail-owner@xxxxxxxxxxxx>. You may request an automated help
BA> response by sending an email with the word 'help' (w/o quotes) in the
BA> BODY of the message (subject is ignored) to <vps-mail-request@xxxxxxxxxxxx>.
BA> ======================================================================


---------------------------------------------------
Teletechnics Afield
Tel +34 65 22 60 777 Fax +34 63 73 01 920
mailto:email@xxxxxxxxxxxxxxxx   http://www.teletechnics.com

currently in: Barceloneta, Spain
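
The name/address check that the PARANOID wildcard in hosts_access(5) refers to, modelled as an added Python example that is not part of the original post and is not tcpwrappers code. The resolver tables, addresses and the function names `classify` and `paranoid_blocks` are constructed for illustration, and the handling of a missing PTR record is an assumption taken from the man page's description of UNKNOWN versus PARANOID.

```python
# Constructed resolver data (documentation IP ranges, made-up names); no real DNS is queried.
PTR = {  # reverse zone: address -> registered host name
    "192.0.2.10": "vps1.provider.example",   # VPS whose PTR names the provider's host
    "198.51.100.7": "mail.claimed.example",  # PTR claims a name the forward zone disputes
    # 203.0.113.5 deliberately has no PTR record
}
A = {  # forward zone: host name -> addresses
    "vps1.provider.example": ["192.0.2.10"],
    "virtual.domain.name": ["192.0.2.10"],    # virtual domain hosted on the same VPS
    "mail.claimed.example": ["198.51.100.99"],
}


def classify(client_ip, ptr=PTR, a=A):
    """Model of the name/address check behind the hosts_access(5) wildcards.

    Only the connecting IP is an input: the check runs when the connection is
    accepted, before any SMTP dialogue, so no sender domain is available to it.
    """
    name = ptr.get(client_ip)
    if name is None:
        return "unknown"    # no host name: the UNKNOWN wildcard's case
    if client_ip not in a.get(name, []):
        return "paranoid"   # name does not map back to the address: PARANOID
    return "known"          # name and address agree: KNOWN


def paranoid_blocks(client_ip):
    """True if a rule denying PARANOID would refuse this client."""
    return classify(client_ip) == "paranoid"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, classify(ip), "blocked" if paranoid_blocks(ip) else "allowed")
```

In this model the VPS at 192.0.2.10 is classified as known even though its PTR names the provider's host rather than virtual.domain.name, because the PTR name resolves back to the same address.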
