PMDF System Manager's Guide


Previous Next Contents Index

16.1.8 DNS_VERIFY

DNS_VERIFY can be used to validate domain names or IP addresses via DNS. For example, it can be used to verify that an entry in DNS exists for the domain used in the SMTP MAIL FROM: command, or to look up an IP address in the blackhole lists supplied by such services as MAPS and ORBS. The message can be rejected or accepted based on the presence or absence of a corresponding DNS record, or a new header can be added to the message to indicate the problem.

Note

Performing DNS checks may result in the rejection of some valid messages. For instance, this could include mail from legitimate sites that simply have not yet registered their domain name, or during periods of bad information in DNS.

Please be aware that doing DNS lookups is contrary to the spirit of being generous in what you accept, as expressed in RFC 1123, Requirements for Internet Hosts. However, some sites may desire to perform such checks in cases where junk e-mail (SPAM) is, for example, being sent with forged e-mail addresses from non-existent domains.

If DNS or connections to the sites being used for DNS verification become unavailable then mail delivery will be impacted. Use of DNS_VERIFY can impact performance as well as result in unreliable mail reception due to the dependency on multiple DNS lookups for every incoming SMTP connection.

Caution

Mail addressed to postmaster must never be rejected. Violation of this rule is sufficient cause for your domain to be disconnected from the Internet.

DNS_VERIFY is supplied as a sharable image on VMS (PMDF_EXE:DNS_VERIFY.EXE), as a sharable object library on UNIX (/pmdf/lib/dns_verify), and as a DLL on NT (C:\pmdf\bin\dns_verify.dll). It can be used from any of the mapping tables described in this chapter, using the routine callout described in Section 2.2.6.7, Customer-supplied Routine Substitutions, $[...].

On VMS, make sure that the PMDF_DNS_VERIFY logical name is set. For PMDF V6.2 and later, this logical is defined in PMDF_STARTUP.COM. If you are running PMDF V6.1 or earlier, add the following line to your PMDF_COM:PMDF_SITE_STARTUP.COM command procedure (create it if necessary):


$ DEFINE/SYSTEM/EXEC PMDF_DNS_VERIFY PMDF_EXE:DNS_VERIFY.EXE 

DNS_VERIFY has 4 routines that can be called:

These are each described in the sections below.

Note that your mapping tables with DNS_VERIFY callouts can be tested by using the pmdf test -mapping utility (pmdf test/mapping on VMS).

16.1.8.1 dns_verify Routine

The dns_verify routine is the most general of the routines. It simply does a lookup in DNS of the domain name that you specify, which could be the domain from the SMTP MAIL FROM: command, or could be the domain name corresponding to the IP address in a blackhole list such as blackholes.mail-abuse.org. Any mapping table action can be taken if the domain exists or does not exist in DNS.

Note that when doing the DNS lookup, dns_verify looks for both an A DNS record and an MX DNS record.

The dns_verify routine performs the same type of action as the mailfromdnsverify channel keyword. Using DNS_VERIFY allows you more control over which connections trigger the DNS lookups.

The dns_verify routine's argument is four strings separated by "|", as follows:


domainname[|success[|failure[|unknown]]] 

Note that in the mapping table, the $'s need to be doubled. For example, to specify "$Y", you need to put in "$$Y".

An alternative separator can be used instead of "|". To specify an alternative separator, specify it as the first character of the routine's argument. For example, to specify "+" as the separator, use the following syntax:


+domainname+success+failure+unknown 

The success, failure, and unknown strings can contain the following format characters:
%a If successful, the primary name for domainname. If there was no A record, but there was an MX record, this contains the domainname from the first MX record received from DNS.
%e If not successful, the error message associated with the lookup.
%n If successful, the IP address found from the DNS lookup. If there was no A record, but there was an MX record, this contains the IP address corresponding to the first MX record received from DNS.

The following example shows a simple SEND_ACCESS mapping table entry on VMS to verify that the sender's hostname is in DNS:


SEND_ACCESS 
 
  *tcp_*|*@*|*|*    \
$C$[pmdf_dns_verify,dns_verify,$3|$$Y|$$NInvalid$ host:$ $$3$-$ %e]$E 

The following example shows a PORT_ACCESS mapping table entry on UNIX to check the IP address of the system sending the message:


PORT_ACCESS 
 
  TCP|*|25|*|*     \
$C$[/pmdf/lib/dns_verify,dns_verify,\
$1|$$Y|$$N500$ Message$ refused$ from$ $$1$ -$ %e]$E 

16.1.8.2 dns_verify_domain and dns_verify_domain_port Routines

The dns_verify_domain and dns_verify_domain_port routines are used to query the specified blackhole list and return pre-defined success, failure, and unknown messages. The same operation can be performed using the dns_verify routine, but with more complicated setup.

The dns_verify_domain_port routine is used in the PORT_ACCESS mapping table. The dns_verify_domain routine is used in the MAIL_ACCESS, SEND_ACCESS, and similar mapping tables.

The dns_verify_domain and dns_verify_domain_port routines perform the same type of action as the DNS_VERIFY_DOMAIN dispatcher option. Using DNS_VERIFY allows you more control over which connections trigger the DNS lookups.

The dns_verify_domain and dns_verify_domain_port routines' argument is three strings separated by ",", as follows:


ip-address,domainname[,text-string] 

dns_verify_domain and dns_verify_domain_port check the given list for the IP address. For example, if ip-address is 127.0.0.2, and domainname is bl.spamcop.net, dns_verify_domain and dns_verify_domain_port looks up the following name: 2.0.0.127.bl.spamcop.net. They first first look up the TXT record for that name, and if it is not available, they look up the A record.

The following examples show the use of these routines on VMS:


MAIL_ACCESS 
 
  TCP|*|25|*|*|*|*|tcp_local|*|*|* \
$C$[pmdf_dns_verify,dns_verify_domain,$1,bl.spamcop.net]$E 
 
PORT_ACCESS 
 
  TCP|*|25|*|*     \
$C$[pmdf_dns_verify,dns_verify_domain_port,$1,bl.spamcop.net]$E 

The approximate equivalent of the previous MAIL_ACCESS example using the dns_verify routine would be:


MAIL_ACCESS 
 
  TCP|*|25|*.*.*.*|*|*|*|tcp_local|*|*|*    \
$C$[pmdf_dns_verify,dns_verify,+$4.$3.$2.$1.bl.spamcop.net+\
$$N$$X5.7.1|Blocked$ -$ see$ http://spamcop.net/bl.shtml?$$1.$$2.$$3.$$4+$$Y]$E 

16.1.8.3 dns_verify_domain_warn Routine

The dns_verify_domain_warn routine performs the same DNS lookup as the dns_verify_domain and dns_verify_domain_port routines, but instead of rejecting the message if the DNS entry exists, it adds a new header line to the message. The dns_verify_domain_warn routine can be used in any of the ACCESS mapping tables.

The dns_verify_domain_warn routine's argument is four strings separated by ",", as follows:


ip-address,domainname[,text-string[,header]] 

The following example shows an ORIG_MAIL_ACCESS mapping table entry on NT to query spamcop.net:


ORIG_MAIL_ACCESS 
 
 TCP|*|25|*|*|*|*|*|*|*|* \
$C$[C:\pmdf\bin\dns_verify.dll,dns_verify_domain_warn,$1,\
bl.spamcop.net,spamcop.net:$ entry$ found$ for$ $$1,\
X-Dispatcher:$ SPAMfilter$ (spamcop.net):$ ]$E 

For a source IP address of 127.0.0.2, this example would return


$Y$AX-Dispatcher: SPAMfilter (spamcop.net): Blocked - see http://spamcop.net/bl.shtml?127.0.0.2 

This is then added as a header to the message. To act upon this, create a system-wide, channel or user filter file containing a SIEVE command similar to:


if header :contains "X-Dispatcher" "SPAMfilter" { discard; } 


Previous Next Contents Index