| Previous | Contents | Index |
DNS_VERIFY can be used to validate domain names or IP addresses via
DNS. For example, it can be used to verify that an entry in DNS exists
for the domain used in the SMTP MAIL FROM: command, or to
look up an IP address in the blackhole lists supplied by such services
as MAPS and ORBS. The message can be rejected or accepted based on the
presence or absence of a corresponding DNS record, or a new header can
be added to the message to indicate the problem.
Performing DNS checks may result in the rejection of some valid messages. For instance, this could include mail from legitimate sites that simply have not yet registered their domain name, or during periods of bad information in DNS. |
Please be aware that doing DNS lookups is contrary to the spirit of being generous in what you accept, as expressed in RFC 1123, Requirements for Internet Hosts. However, some sites may desire to perform such checks in cases where junk e-mail (SPAM) is, for example, being sent with forged e-mail addresses from non-existent domains.
If DNS or connections to the sites being used for DNS verification become unavailable then mail delivery will be impacted. Use of DNS_VERIFY can impact performance as well as result in unreliable mail reception due to the dependency on multiple DNS lookups for every incoming SMTP connection.
Mail addressed to postmaster must never
be rejected. Violation of this rule is sufficient cause for your domain
to be disconnected from the Internet.
|
DNS_VERIFY is supplied as a sharable image on VMS
(PMDF_EXE:DNS_VERIFY.EXE), as a sharable object library on
UNIX (/pmdf/lib/dns_verify), and as a DLL on NT
(C:\pmdf\bin\dns_verify.dll). It can be used from any of
the mapping tables described in this chapter, using the routine callout
described in Section 2.2.6.7, Customer-supplied Routine Substitutions, $[...].
On VMS, make sure that the PMDF_DNS_VERIFY logical name is set. For PMDF V6.2 and later, this logical is defined in PMDF_STARTUP.COM. If you are running PMDF V6.1 or earlier, add the following line to your PMDF_COM:PMDF_SITE_STARTUP.COM command procedure (create it if necessary):
$ DEFINE/SYSTEM/EXEC PMDF_DNS_VERIFY PMDF_EXE:DNS_VERIFY.EXE |
DNS_VERIFY has 4 routines that can be called:
dns_verify
dns_verify_domain
dns_verify_domain_port
dns_verify_domain_warn
These are each described in the sections below.
Note that your mapping tables with DNS_VERIFY callouts can be tested by
using the pmdf test -mapping utility (pmdf
test/mapping on VMS).
16.1.8.1 dns_verify Routine
The dns_verify routine is the most general of the
routines. It simply does a lookup in DNS of the domain name that you
specify, which could be the domain from the SMTP MAIL
FROM: command, or could be the domain name corresponding to the
IP address in a blackhole list such as
blackholes.mail-abuse.org. Any mapping table action can be
taken if the domain exists or does not exist in DNS.
Note that when doing the DNS lookup, dns_verify looks for
both an A DNS record and an MX DNS record.
The dns_verify routine performs the same type of action as
the mailfromdnsverify channel keyword. Using DNS_VERIFY
allows you more control over which connections trigger the DNS lookups.
The dns_verify routine's argument is four strings
separated by "|", as follows:
domainname[|success[|failure[|unknown]]] |
domainname is the name to look up in DNS.
success string is optional. If specified, it is
the mapping table string to return if domainname is found
in DNS. If not specified, the default is "$Y", to accept the
message.
failure string is optional. If specified, it is
the mapping table string to return if domainname is not
found in DNS. If not specified, the default is "$N", to
reject the message.
unknown string is optional. If specified, it is
the mapping table string to return if there was a temporary DNS failure
during lookup. If not specified, and the success string
was specified, that string is used. If neither are specified, the
default is "$Y".
Note that in the mapping table, the $'s need to be doubled. For example, to specify "$Y", you need to put in "$$Y".
An alternative separator can be used instead of "|". To specify an alternative separator, specify it as the first character of the routine's argument. For example, to specify "+" as the separator, use the following syntax:
+domainname+success+failure+unknown |
The success, failure, and
unknown strings can contain the following format
characters:
| %a |
If successful, the primary name for
domainname. If there was no A record, but there was an MX
record, this contains the domainname from the first MX record received
from DNS.
|
| %e | If not successful, the error message associated with the lookup. |
| %n | If successful, the IP address found from the DNS lookup. If there was no A record, but there was an MX record, this contains the IP address corresponding to the first MX record received from DNS. |
The following example shows a simple SEND_ACCESS mapping table entry on VMS to verify that the sender's hostname is in DNS:
SEND_ACCESS *tcp_*|*@*|*|* \ $C$[pmdf_dns_verify,dns_verify,$3|$$Y|$$NInvalid$ host:$ $$3$-$ %e]$E |
The following example shows a PORT_ACCESS mapping table entry on UNIX to check the IP address of the system sending the message:
PORT_ACCESS TCP|*|25|*|* \ $C$[/pmdf/lib/dns_verify,dns_verify,\ $1|$$Y|$$N500$ Message$ refused$ from$ $$1$ -$ %e]$E |
The dns_verify_domain and
dns_verify_domain_port routines are used to query the
specified blackhole list and return pre-defined success, failure, and
unknown messages. The same operation can be performed using the
dns_verify routine, but with more complicated setup.
The dns_verify_domain_port routine is used in the
PORT_ACCESS mapping table. The dns_verify_domain routine
is used in the MAIL_ACCESS, SEND_ACCESS, and similar mapping tables.
The dns_verify_domain and
dns_verify_domain_port routines perform the same type of
action as the DNS_VERIFY_DOMAIN dispatcher option. Using
DNS_VERIFY allows you more control over which connections trigger the
DNS lookups.
The dns_verify_domain and
dns_verify_domain_port routines' argument is three strings
separated by ",", as follows:
ip-address,domainname[,text-string] |
ip-address is the IP address that you want to check
against the blackhole list.
domainname is the name of the blackhole list to check
against, for example, blackholes.mail-abuse.org.
text-string is optional. If specified, it is the text
to return if no TXT record is available. If not specified, the default
is "No Error Text Available".
dns_verify_domain and dns_verify_domain_port
check the given list for the IP address. For example, if
ip-address is 127.0.0.2, and domainname is
bl.spamcop.net, dns_verify_domain and
dns_verify_domain_port looks up the following name:
2.0.0.127.bl.spamcop.net. They first first look up the TXT record for
that name, and if it is not available, they look up the A record.
The following examples show the use of these routines on VMS:
MAIL_ACCESS TCP|*|25|*|*|*|*|tcp_local|*|*|* \ $C$[pmdf_dns_verify,dns_verify_domain,$1,bl.spamcop.net]$E PORT_ACCESS TCP|*|25|*|* \ $C$[pmdf_dns_verify,dns_verify_domain_port,$1,bl.spamcop.net]$E |
The approximate equivalent of the previous MAIL_ACCESS example using
the dns_verify routine would be:
MAIL_ACCESS TCP|*|25|*.*.*.*|*|*|*|tcp_local|*|*|* \ $C$[pmdf_dns_verify,dns_verify,+$4.$3.$2.$1.bl.spamcop.net+\ $$N$$X5.7.1|Blocked$ -$ see$ http://spamcop.net/bl.shtml?$$1.$$2.$$3.$$4+$$Y]$E |
The dns_verify_domain_warn routine performs the same DNS
lookup as the dns_verify_domain and
dns_verify_domain_port routines, but instead of rejecting
the message if the DNS entry exists, it adds a new header line to the
message. The dns_verify_domain_warn routine can be used in
any of the ACCESS mapping tables.
The dns_verify_domain_warn routine's argument is four
strings separated by ",", as follows:
ip-address,domainname[,text-string[,header]] |
ip-address, domainname, and
text-string are the same as for
dns_verify_domain and dns_verify_domain_port.
header is optional. If specified, it is a string
containing the header name, and other optional text, to include before
the TXT record string or text-string value. The header
name must be one that PMDF recognizes. The default is
"X-Dispatcher: ".
The following example shows an ORIG_MAIL_ACCESS mapping table entry on
NT to query spamcop.net:
ORIG_MAIL_ACCESS TCP|*|25|*|*|*|*|*|*|*|* \ $C$[C:\pmdf\bin\dns_verify.dll,dns_verify_domain_warn,$1,\ bl.spamcop.net,spamcop.net:$ entry$ found$ for$ $$1,\ X-Dispatcher:$ SPAMfilter$ (spamcop.net):$ ]$E |
For a source IP address of 127.0.0.2, this example would return
$Y$AX-Dispatcher: SPAMfilter (spamcop.net): Blocked - see http://spamcop.net/bl.shtml?127.0.0.2 |
This is then added as a header to the message. To act upon this, create a system-wide, channel or user filter file containing a SIEVE command similar to:
if header :contains "X-Dispatcher" "SPAMfilter" { discard; }
|
| Previous | Next | Contents | Index |