Feb 12 2017

A very long time ago, I used to collect spam in order to graph how much spam a single mail server was likely to get over time, and almost as long ago, I lost interest in maintaining it. As a consequence I still get a ton of spam every day and after a long period of procrastination I have been slowly raising defences against spam.

This particular recipe is not really a defence against spam as such. It checks that the connecting server has a reverse DNS (PTR) record, in other words that the IP address it is connecting from maps back to a host name. Any properly run mail server is expected to have this, and as it turns out, spammers rarely bother registering their servers in the DNS.

This ACL snippet goes into the ACL for checking the recipient (acl_smtp_rcpt) or for checking the message (acl_smtp_data). It relies on Exim having attempted the reverse lookup at all, which it does for hosts matching the host_lookup option in the main section of the configuration (the default configuration file sets host_lookup = *) :-

  # Check rDNS and block if the connecting address is not registered.
  # Requires host_lookup to match the host (host_lookup = * in the main section).
  deny
    message = Your mail server is not properly DNS registered
    log_message = BLOCKED: No rDNS
    condition = ${if eq{$host_lookup_failed}{1}{1}{0}}

There are three items of interest :-

  1. The message is returned in the SMTP rejection, so it ends up in the bounce the sender gets back, and it is worded so that a human can see what the problem is. It turns out that many people do not read NDRs, but if we get the message right at least we are doing the right thing.
  2. The log_message is intended to make automated log parsing easier.
  3. Within the condition, the $host_lookup_failed variable indicates that the reverse lookup received a definite negative answer (typically NXDOMAIN: no PTR record, or a PTR name that does not resolve back to the connecting address) and not that it timed out, which would set $host_lookup_deferred instead. Denying on a deferred lookup would reject legitimate mail whenever someone else's DNS is having a bad day.

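The same three-way distinction, as an added example that is not part of the original post and not Exim's own code: a forward-confirmed reverse DNS check that separates a definite failure (Exim's $host_lookup_failed, safe to deny on) from a temporary one ($host_lookup_deferred, which should only ever be tempfailed). The resolver is a constructed stand-in so the code runs offline; FakeResolver, NxDomain, LookupTimeout and the sample zone are assumptions made for the example, not real hosts.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classifier.

Added example, not from the original post. It mirrors the outcomes Exim
exposes as $host_lookup_failed (definite failure), $host_lookup_deferred
(temporary failure) and a successful lookup, using an injected resolver so
it runs offline. FakeResolver, NxDomain and LookupTimeout are this example's
own names, not a real DNS library.
"""
import ipaddress


class NxDomain(Exception):
    """Authoritative negative answer (no such name / no PTR record)."""


class LookupTimeout(Exception):
    """No definite answer: the server timed out or returned SERVFAIL."""


class FakeResolver:
    """Constructed stand-in for a resolver: (name, rtype) -> list of rdata.

    A value of None simulates a timeout; a missing key is NXDOMAIN.
    """

    def __init__(self, records):
        self.records = records

    def query(self, name, rtype):
        key = (name.lower().rstrip("."), rtype)
        if key not in self.records:
            raise NxDomain(name)
        answer = self.records[key]
        if answer is None:
            raise LookupTimeout(name)
        return list(answer)


def classify_host(ip, resolver):
    """Return ("ok", name), ("failed", reason) or ("deferred", reason).

    "failed" is the $host_lookup_failed case and is safe to deny on;
    "deferred" is the $host_lookup_deferred case and must not be hard-rejected.
    """
    addr = ipaddress.ip_address(ip)
    ptr_name = addr.reverse_pointer  # e.g. 4.3.2.1.in-addr.arpa
    try:
        names = resolver.query(ptr_name, "PTR")
    except NxDomain:
        return ("failed", "no PTR record for %s" % ptr_name)
    except LookupTimeout:
        return ("deferred", "PTR lookup for %s timed out" % ptr_name)

    # Forward-confirm: at least one PTR name must resolve back to the address.
    rtype = "AAAA" if addr.version == 6 else "A"
    deferred = False
    for name in names:
        try:
            forward = resolver.query(name, rtype)
        except NxDomain:
            continue
        except LookupTimeout:
            deferred = True
            continue
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return ("ok", name)
    if deferred:
        return ("deferred", "forward lookup of %s timed out" % ", ".join(names))
    return ("failed", "PTR name(s) %s do not resolve back to %s" % (", ".join(names), ip))


def acl_verdict(ip, resolver):
    """Map the classification to the SMTP reply the post's ACL would give."""
    status, detail = classify_host(ip, resolver)
    if status == "ok":
        return "250 accept (%s)" % detail
    if status == "deferred":
        return "451 try again later (%s)" % detail
    return "550 Your mail server is not properly DNS registered"


# Constructed sample zone (not real hosts): one good host, one PTR that does
# not forward-confirm, one reverse zone that times out.
SAMPLE_RESOLVER = FakeResolver({
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["1.2.3.4"],
    ("5.3.2.1.in-addr.arpa", "PTR"): ["spoof.example.org"],
    ("spoof.example.org", "A"): ["10.0.0.1"],
    ("6.3.2.1.in-addr.arpa", "PTR"): None,
})

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7"):
        print(ip, acl_verdict(ip, SAMPLE_RESOLVER))
```

The point of the forward-confirmation step is that a PTR record alone proves nothing: anyone controlling a reverse zone can put "mail.google.com" in it. Only a PTR name whose A/AAAA record points back at the connecting address counts, and only a definite negative (NXDOMAIN at either step) earns the 550.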
That’s all there is to this little piece of configuration.

Feb 08 2017

One of the things that come up whenever IPv6 is mentioned on certain news sites, is that there are people out there who think that NAT solves all of the address size problems and doesn’t have any negatives. I could present a whole series of blog articles on why NAT is the work of the devil, and presents a clear and present danger to life, liberty, and the pursuit of happiness (I might be exaggerating just a touch here).

The naive approach to a security issue originating from a certain network address is to block that address, either permanently (pending an appropriate response) or temporarily. Not a bad idea, although it does resemble a game of hunt the wumpus, and to assist in this there are community-based collective blocklists.

But what happens when you block an address, and that address is the public address of a NAT device? You block everyone sharing that public address, which could be just a household or it could be thousands of unconnected people. For instance, I have up to 32,000 people behind a handful of public IP addresses.

And yes I do regularly see problems where blocks have been put in place, and from what I can see this is a problem that is widely shared amongst people who NAT.

And once you are blocked in this way, you may be able to get the block removed, but only if you manage to identify which blocklist you are on, stop the network abuse, and the list has a well-run mechanism for removal. Most blocklists (including the ones I run) don’t work this way.

Every IP address has a reputation associated with it, and if you share a public IP address that has a poor reputation, parts of the Internet will disappear for you, and these include some well known services.

Jan 19 2017

Entropy.

Any serious cryptographic routine needs a good source of random numbers, and whilst Linux provides a random number generator by default, its sources of entropy can be somewhat limited. Especially when you’re talking about a virtual machine, which has no keyboard, mouse or spinning disk to harvest timing jitter from.

And the pool can run dry. /dev/random blocks when the kernel’s entropy estimate reaches zero, and on a freshly booted virtual machine with few entropy sources, software may ask /dev/urandom for output before the pool has ever been properly seeded; that early-boot window is the one case where what you get really is not as random as you expect.

Which is where hardware randomness generators come in. And I finally have one (actually two), and have hooked them up. You may be able to guess what time I plugged it in from the graph below :-

So what real world difference does it make?

Well nothing is dramatically obvious, but :-

  1. I have slightly more confidence that any cryptographic software I might run has a good source of randomness and is less likely to accidentally perform poorly (in terms of cryptographic strength).
  2. Some cryptographic software blocks if the Linux entropy pool is empty (anything that reads /dev/random, for example); with a hardware source I can be more confident that any performance issues are not due to a lack of randomness.
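How to tell the two situations apart from software, as an added example that is not part of the original post: the kernel’s getrandom(2) call with GRND_NONBLOCK fails with EAGAIN until the pool has been seeded, so it can be used as a non-blocking probe, and the kernel’s entropy estimate is readable from /proc. The function names and the refusal policy in safe_random_bytes are this example’s own choices; the getrandom flag and the /proc path are real Linux interfaces.

```python
"""Probe the Linux random pool without blocking.

Added example, not from the original post. csprng_seeded() uses
getrandom(2) with GRND_NONBLOCK, which fails with EAGAIN until the kernel
CSPRNG has been seeded; entropy_estimate() reads the kernel's entropy
estimate. Both degrade to None on systems without these interfaces.
Function names and the refusal policy are the example's own.
"""
import errno
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def csprng_seeded():
    """True if getrandom() would return at once, False if it would block
    (pool not yet initialised), None where getrandom() is unavailable."""
    if not hasattr(os, "getrandom") or not hasattr(os, "GRND_NONBLOCK"):
        return None  # non-Linux, or Python older than 3.6
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False  # EAGAIN: a blocking getrandom() call would stall here
    except OSError as exc:
        if exc.errno == errno.EAGAIN:
            return False
        raise


def entropy_estimate():
    """Kernel's current entropy estimate in bits, or None if not readable."""
    try:
        with open(ENTROPY_AVAIL) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def pool_status():
    """Both checks in one dict, e.g. for a monitoring agent to graph."""
    return {"seeded": csprng_seeded(), "entropy_avail": entropy_estimate()}


def safe_random_bytes(n):
    """Return n random bytes from the kernel CSPRNG, but refuse outright
    (rather than silently degrading) if the pool is known to be unseeded."""
    if csprng_seeded() is False:
        raise RuntimeError("kernel CSPRNG not yet seeded; refusing to generate keys")
    return os.urandom(n)


if __name__ == "__main__":
    print(pool_status())
    print(len(safe_random_bytes(32)), "bytes obtained")
```

The entropy estimate alone is a poor health signal: it swings from zero to thousands of bits within seconds on a busy host, and once the pool has been seeded the CSPRNG output is fine regardless of that number. The seeded/unseeded probe is the check worth alerting on, particularly for key generation in a VM’s first seconds of life.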

Dec 28 2016

“You’re such a pedant” goes the insult as though being right about something is somehow wrong.

Now don’t get me wrong – there are some areas where being a pedant is not entirely right – such as declaring that Christmas Day isn’t a bank holiday but instead a common-law holiday. But there are many areas where being pedantic and precise is not just the right thing, it is essential.

I work in IT, and many of the biggest problems in IT are down to lack of precision and not getting things right. I can’t recall the number of times things have gone wrong or have been delayed (probably the most common result) because things have not been specified clearly enough, with enough detail, and correctly.

So in certain specialised areas – such as IT – it is good to be pedantic and precise. Include too much information rather than too little.

Dec 17 2016

In the dim and distant past when dinosaurs roamed the data centre (although it was called the machine room, or for trendy types who liked to keep up to date, the computer room), sometimes called the 1970s, a new type of computer gradually started to appear. This computer was intended to be used by one individual at a time, and, more than that, it was intended to be part of the furniture of an office (in the sense that it belonged there). It became known as the personal computer.

To quote Steve Wozniak: “To me, a personal computer should be small, reliable, convenient to use and inexpensive”. Of course “inexpensive” is relative and we wouldn’t think the personal computer of the 1970s was inexpensive. When you trawl through old copies of BYTE, please remember that when you get shocked at the prices you have to add in inflation!

The field of personal computers grew so quickly that most of the dinosaur behemoths grew interested and joined in. One – the IBM PC – grew so popular that IBM came to regret throwing it together so quickly, and it eventually came to dominate the market. Except for a small bunch of weirdos who insisted that the Apple Mac was the bee’s knees, and that the PC would soon die.

The argument between the two groups of fanatics grew so heated that “PC” became synonymous with the IBM PC – even well after IBM stopped dominating the market – and Macs were excluded from the “PC” label. Even after they became PCs in all but name: today an Apple machine is no different to a normal PC from someone like Dell, HP, etc. except for the operating system.

Yet because of that ridiculous “cold war” between the Microsofties and the Applites, every time I issue a communiqué I have to use the phrase “PCs and Macs” because some cold war era warrior will claim “… but you didn’t say anything about Macs” or “… but not Macs?”.

So in the interests of clarity, although when I say PCs I mean both, I shall start using the phrase inclusive personal computers. Or iPCs.

And no, I don’t mean the Sun IPC.