sendmail and hosts_access(5)
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Sep 13 09:59:13 PDT 2006
Giorgos Keramidas wrote:
> On 2006-09-13 11:14, Kevin Kinsey <kdk at daleco.biz> wrote:
>> Hello all,
>>
>> I am attempting to block an SMTP server with /etc/hosts.allow:
>>
>> ----------------------------------------------------------
>> Received: from 241net251.net.zeork.com.pl (241net251.net.zeork.com.pl
>> [194.117.241.251] (may be forged))
>> ----------------------------------------------------------
>> [506] Tue 12.Sep.2006 20:55:44
>> [kadmin at archangel][~]
>> #ssh kadmin at elisha grep zeork /home/kadmin/spammers
>> .net.zeork.com.pl
>>
>> [507] Tue 12.Sep.2006 20:56:55
>> [kadmin at archangel][~]
>> #ssh kadmin at elisha grep /home/kadmin/spammers /etc/hosts.allow
>> sendmail : /home/kadmin/spammers : deny
>> --------------------------------------------------------------
>>
>> hosts_access(5) says this:
>> The access control language implements the following patterns:
>> * A string that begins with a `.' character. A host
>> name is matched if the last components of its name match the
>> specified pattern. For example, the pattern `.tue.nl' matches
>> the host name `wzv.win.tue.nl'
>>
>> So, why does my server continue accepting SMTP connections from
>> "241net251.net.zeork.com.pl" ?
>>
>> Thoughts, pointers, gentle kicks on the bum welcomed.
>
> I don't think you can have the hostnames in a separate "map file" and
> then reference this file from /etc/hosts.allow.

hosts.allow triggers special behaviour with sendmail. Unlike other services
which just close the connection immediately, with sendmail what happens is
that it will accept the connection, let the sender attempt to send
e-mail, but then respond with a 500 'permanent failure' code.

The reason for that is fairly simple: if an MTA gets no answer when trying
to connect to a server and deliver e-mail, then the standards say it should
requeue the message and try again for up to 5 days. The only way to get the
sending MTA to give up immediately is to issue an SMTP 500 error code.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
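
The retry behaviour described in the reply above, as an added example that is not part of the original post: it parses the server's side of an SMTP session (including multi-line replies) and reports what the sending MTA does next. The function names, action labels and transcripts are constructed for illustration; the reply texts are not sendmail's exact wording.

```python
import re

# One SMTP reply line: 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY = re.compile(r"^(\d{3})(?:(-| )(.*))?$")

def parse_replies(lines):
    """Group raw server lines into (code, text) replies, joining multi-line ones."""
    replies, buf = [], []
    for line in lines:
        m = REPLY.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, sep, text = m.groups()
        buf.append(text or "")
        if sep != "-":                      # anything but '-' ends the reply
            replies.append((int(code), " ".join(buf).strip()))
            buf = []
    if buf:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies

def sender_action(lines):
    """Decide what the sending MTA does, given what the server said."""
    replies = parse_replies(lines)
    if not replies:
        return "requeue"                    # no answer at all: try again later
    for code, _ in replies:
        if 500 <= code <= 599:
            return "bounce"                 # permanent failure: give up now
        if 400 <= code <= 499:
            return "requeue"                # temporary failure: try again later
    return "accepted"

# Constructed transcripts (server lines only).
BLOCKED = ["220 mail.example.org ESMTP",
           "250-mail.example.org Hello",
           "250 HELP",
           "550 5.0.0 Access denied"]       # connection accepted, mail refused
TEMPFAIL = ["220 mail.example.org ESMTP", "451 4.3.0 Try again later"]
NO_ANSWER = []                              # connection closed or never answered

if __name__ == "__main__":
    for name, t in [("blocked", BLOCKED), ("tempfail", TEMPFAIL),
                    ("no answer", NO_ANSWER)]:
        print(f"{name:10s} -> {sender_action(t)}")
```

When checking that a hosts.allow rule for sendmail is in effect, look for the 5xx reply in the session rather than for a refused connection.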
More information about the freebsd-questions mailing list