Great Circle Associates List-Managers
(October 1996)
 


Subject: Re: Blocking Domains
From: Brad Knowles <brad @ his . com>
Date: Thu, 24 Oct 1996 01:07:40 -0400
To: marym @ Finesse . COM (Mary Morris), List-Managers @ GreatCircle . COM
In-reply-to: <199609081706.KAA00898@thyme>

At 1:06 PM -0400 9/8/1996, Mary Morris wrote:

I know this is kind of old, but I'd like to respond to it anyway.

>Everyone here is talking about using sendmail to refuse to accept
>email from specific domains. I'd like to understand the situation
>a little better.
>
>First, sendmail doesn't read the header until after it receives the
>message and this is something that requires a change of the SMTP
>protocol to change. It isn't something that some email product,
>sendmail or whatever can change. Correct?

	Nope.  Put checks in LOCAL_RULE_0 for version 8 sendmail, and you
can check the envelope information on the fly.  Version 8.8 (now up
to 8.8.2) integrates TCP-Wrappers with sendmail (if you compile &
link it to do so), and you can then refuse connections based on
connecting IP address/domain name, without having to use the
alternative features now built in to sendmail to do something
similar, but using rewrite rules instead (Eric gave you both choices).

>Secondly, people are looking to block an entire system or domain.
>Correct?

	Some just want to block a particular sender at a site.

>Can anyone see a reason to not use firewall techniques to refuse
>a connection to port 25 from specific systems or domains? By refusing
>connection to a known email transit point, email can be denied
>without ever receiving it to examine it. This of course does nothing
>to the good domain with one bad user. I use a piece of software
>called TCPD which refuses connection to any host in a hosts.deny
>file for services.

	Yup.  You refuse connections to badsite.com.  The guys at
badsite.com want to make sure they get past your checks, so they use
goodsite.com as their mail relay (say, somebody like CompuServe.com).
But you can't refuse all connections from goodsite.com.  Now what do
you do?

	BTW, you've got the same problems with integrating TCP-Wrappers
with sendmail, or using the now integral features of sendmail that
let you check the host IP address/domain name with rewrite rules.



	There are some basic flaws in the RFC 822 SMTP protocol, and
they're simply impossible to eliminate if the guy at the other end
gets sufficiently crafty.  There *must* be legal action to
permanently solve this problem.

--
Brad Knowles,                                  MIME/PGP: brad@his.com
    comp.mail.sendmail FAQ Maintainer     <http://www.his.com/~brad/>
        finger brad@his.com for my PGP Public Keys and Geek Code
The comp.mail.sendmail FAQ is at <http://www.his.com/~brad/sendmail/>
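
Added example (not part of the original message, and not sendmail or TCP-Wrappers code): a small Python model of the two check points discussed in the thread, refusing at connect time by connecting host versus rejecting on the envelope sender, run over constructed sessions. All host names, addresses and deny lists are made up; mixedsite.com and the function names are assumptions for illustration.

```python
# Constructed illustration: every domain, address and session below is made up.
from dataclasses import dataclass

DENY_HOSTS = {"badsite.com"}            # connection-level list (hosts.deny style)
DENY_SENDER_DOMAINS = {"badsite.com"}   # envelope MAIL FROM domain list
DENY_SENDERS = {"pest@mixedsite.com"}   # one bad user at an otherwise good site


@dataclass
class Session:
    client_host: str   # name of the connecting host
    mail_from: str     # envelope sender given in MAIL FROM


def host_matches(host: str, domains: set) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_connection(s: Session) -> bool:
    """Stage 1: decided on the connecting host, before any SMTP command."""
    return not host_matches(s.client_host, DENY_HOSTS)


def check_envelope(s: Session) -> bool:
    """Stage 2: decided on MAIL FROM, before the message body is accepted."""
    addr = s.mail_from.strip("<>").lower()
    if addr in DENY_SENDERS:
        return False
    domain = addr.rpartition("@")[2]
    return not host_matches(domain, DENY_SENDER_DOMAINS)


def verdict(s: Session) -> str:
    if not check_connection(s):
        return "refused at connect"
    if not check_envelope(s):
        return "rejected at MAIL FROM"
    return "accepted"


SESSIONS = {
    "direct": Session("mail.badsite.com", "<promo@badsite.com>"),
    "relayed": Session("relay.goodsite.com", "<promo@badsite.com>"),
    "single_user": Session("mx.mixedsite.com", "<pest@mixedsite.com>"),
    "normal": Session("mx.mixedsite.com", "<friend@mixedsite.com>"),
}

if __name__ == "__main__":
    for name, s in SESSIONS.items():
        print(f"{name:12} {verdict(s)}")
```

The "relayed" session passes the connect-time check because the connecting host is goodsite.com, which is the case raised in the reply; only the envelope check sees badsite.com.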


