filtering home : internet : mail : toaster : filtering : reverse dns blocking RBL (real time blacklists)

Should I block based on reverse DNS?

That is purely a policy decision. You must consider who is expected to receive mail using your server, and if they too want to have mail blocked from mail servers who don't have proper DNS set up.

There are few valid reasons to not have correct DNS set up for a mail system. In most cases is laziness or ineptitude on the part of the mail administrator, and I don't mind blocking messages from such mail servers. However, there are also good reasons not to use reverse DNS blocking. Chief among them is having to whitelist your clients and friends because their organization has incompetent DNS administrators.

How do I block connections from servers with no reverse DNS?

Edit your ~vpopmail/etc/tcp.smtp (fix any wrapped lines):

  • 127.:allow,RELAYCLIENT=""
  • 209.218.8.2:allow
  • =:allow
  • :allow,RBLSMTPD="Blocked - Reverse DNS queries for your IP fail. You cannot send me mail."
    • :allow,RBLSMTPD="-Blocked - Reverse DNS queries for your IP fail. You cannot send me mail."

Line 1: Obvious, allows localhost to relay.

Line 2: Allows traffic from the inter7 email list

Line 3: Matches any mail message with reverse dns.

Line 4: default

  • The default matches what's left (no reverse DNS). By setting the RBLSMTPD environment variable, we actually get to pass a message back to the mail server we're blocking telling them why. That gives them a chance to fix it before the messages bounces.
  • They'll get a message like this in their mail logs:
  • .
    • Mar 27 08:40:43 seattle qmail: 1048783243.397888 info msg 6469: bytes 258 from qp 13226 uid 0
    • Mar 27 08:40:43 seattle qmail: 1048783243.438981 starting delivery 533: msg 6469 to remote matt@simerson.net
    • Mar 27 08:40:43 seattle qmail: 1048783243.979048 delivery 533: deferral: 207.89.154.94_does_not_like_recipient./ Remote_host_said:_451_Blocked_Reverse_DNS_queries_for_your_IP_failed. You_cannot_send_me_mail. Giving_up_on_207.89.154.94./

line 5. Getting agressive

  • If you want to be a little more aggressive about it, use the 5th line instead of the fourth. Notice the '-' character in there. That tells rblsmtpd to return a permanent error (ie, don't try again!)
  • .
    • Mar 27 08:42:40 seattle qmail: 1048783360.776812 info msg 6475: bytes 250 from qp 13464 uid 0
    • Mar 27 08:42:40 seattle qmail: 1048783360.805534 starting delivery 534: msg 6475 to remote matt@simerson.net
    • Mar 27 08:42:41 seattle qmail: 1048783361.259737 delivery 534: failure: 207.89.154.94_does_not_like_recipient. Remote_host_said:_553_Blocked_-_Reverse_DNS_queries_for_your_IP_fail. You_cannot_send_me_mail. Giving_up_on_207.89.154.94./
    • Mar 27 08:42:41 seattle qmail: 1048783361.269637 bounce msg 6475 qp 13467
    • Mar 27 08:42:41 seattle qmail: 1048783361.270564 end msg 6475
  • .
  • Notice that in the second case, the message bounces immediately. It's your mail server, you have to decide what policy you think is best. Bouncing messages seems to get more attention, and gets it faster than deferring connections.

That's all there is to it. Of course, that assumes you are running rblsmtpd as part of your smtp invocation, which is the default.

Last modified on 4/28/05.