No subject


Tue Mar 11 20:20:00 PDT 2014


dominant-carrier telcos) one guess is that you are 'grandfathered' on a 
service package they no longer offer at all.

Hence they *want* those still on it to cancel and upgrade.  Denying a 
proper RR becomes a tool in that progression, will probably be justified 
on the 'obsolete package, no-such feature, end of story', grounds.

BTW: the IP address (63.195.85.27) is not in any "DNS based
blocklist" that I know of. It's not even "classified" as dynamic IP
in any of those. Moreover, there is a PTR record for it (as those who
claim to know something about RFCs could have easily checked.)
ACK - but that is part of the burden you need to get out from under.

Within a dynamic block or not, (SORBS don't list it as such...) that RR 
is precisely the sort of RR that *specifies* a dynamic IP not assigned 
to any one organization:

adsl-63-195-85-27.dsl.snfc21.pacbell.net

rDNS quite aside, we would catch it in three different acl's on the 
'dsl' string match on my servers.

Dunno how Matt is doing it, but suspect a similar tool.


It would be nice if it was possible to configure sendmail to not
block any STARTTLS secure mail regardless of the ip or rDNS of the
sender,
That's not a good idea. Spammers can easily set up TLS.

Not a good idea 'naked' - but while RFC provides wiggle-room w/r whether 
one uses TLS, an SSL tunnel, VPN, matching certs, or whatever - RFC and 
BCP are quite specific that the relay-submission function (as used by 
customer's MUA's) - require valid authentication.

Just for comparison, Exim's flag is tested with simply:

   authenticated = *

where the right side *could* be a complex test or a lookup.

But we've already matched to a specific port AND the non-standard 
protocol our user community must utilize as well as their UID:GID and 
pwd match when we set that flag.

I'm sure sendmail's rule syntax is different, but trust that the same 
functionality already exists.

;-)

as you web-page suggests; but to my knowledge, such configuration
of sendmail is quite non-trivial, so most people don't use it. If
you could provide some examples on the web-page where you make this
 suggestion, or, better yet, include such examples in the default 
configuration file, it would, IMHO, be the best approach to this 
problem.
I'll take a look, thanks for the suggestion.


Bill





More information about the Kernel mailing list