KBA-01904

Configuring reverse-DNS lookup options in SecurityGateway

This article explains how to set up SecurityGateway to do a reverse-DNS (rDNS) lookup on various information given in incoming SMTP connections, to help prevent 'spoofing' of a supposed sending domain and therefore to help cut down on spam.

From the Dashboard, after logging in:

  1. Click on Security in the lower-left hand corner
  2. Locate the Anti-Spoofing section 
  3. Click on Reverse Lookups

You may then configure the following options:

  • Perform reverse PTR record lookup on inbound SMTP connections

    SecurityGateway will attempt to query the PTR (pointer record) registered on the connecting IP address to see if it lists the given hostname. By default, this is enabled. If there is no PTR record on the connecting IP address, or the records do not match, the server can do the following:

    • Send 501 and close connection if no PTR record exists (caution)

      If the connecting IP address does not have a PTR record registered, SecurityGateway will refuse the connection with the given error number. As stated, use this only with caution, as even legitimate senders may not have this information recorded. By default, this is disabled.

    • Send 501 and close connection if no PTR record match

      If the connecting IP address does not match the PTR record returned after doing a check, SecurityGateway will refuse the connection with the given error number. By default, this is disabled.

    • Exclude authenticated sessions (lookup will defer until after MAIL)

      If the sending session authenticates with a username and password, SecurityGateway will not do any reverse-DNS lookups on the information. SecurityGateway will therefore not perform any reverse-DNS lookups until after the MAIL FROM command is received, in case authentication is given. By default, this is enabled.

    • Exclude global whitelisted IP addresses

      If the connecting server's IP address is listed in SecurityGateway's global whitelist, it will not perform any reverse-DNS lookups. By default, this is enabled.

  • Perform lookup on HELO/EHLO domain

    SecurityGateway will check the given domain in the HELO/EHLO to verify it is valid. By default, this is enabled. If it returns an error, it can do the following:

    • Send 501 and close connection on forged identification (caution)

      If the information given in the EHLO/HELO is validated as an existing domain, but does not match the connecting IP address, SecurityGateway will refuse the connection with the given error number. Note that legitimate senders may send different information in their HELO/EHLO greeting, so use this with caution, as noted. By default, this is disabled.

    • Refuse to accept email if a lookup returns 'domain not found'.

      If the information given in the EHLO/HELO cannot be validated as an existing domain, SecurityGateway can perform the actions listed in the options below. Note that legitimate senders may send non-domain information in their HELO/EHLO greeting, so use this with caution. By default, this is disabled.

      • ... Send 501 error code (normally sends 451 error code)

        SecurityGateway normally sends a 451 error code to the sending server to refuse to accept the message, but does not drop the connection. Enabling this will cause SecurityGateway to send a '501 syntax error in parameters or arguments' error instead. By default, this is disabled.

      • ... And close the connection

        Enabling this will cause SecurityGateway to close the connection to the sending server itself, instead of letting the connection continue after refusing to accept the message. By default, this is disabled.

    • Exclude authenticated sessions (lookup will defer until after MAIL)

      If the sending session authenticates with a username and password, SecurityGateway will not do any reverse-DNS lookups on the information. SecurityGateway will therefore not perform any reverse-DNS lookups until after the MAIL FROM command is given, so that it can tell whether the session has authenticated. By default, this is enabled.

    • Exclude global whitelisted IP addresses

      If the connecting server's IP address is listed in SecurityGateway's global whitelist, it will not perform any reverse-DNS lookups. By default, this is enabled.

  • Perform lookup on value passed in the MAIL command

    SecurityGateway will check the given domain in the supplied MAIL FROM address to verify it is valid. By default, this is enabled. If it returns an error, it can do the following:

    • Send 501 and close connection on forged identification (caution)

      If the information given in the MAIL FROM domain is validated as an existing domain, but does not match the connecting IP address, SecurityGateway will refuse the connection with the given error number. Note that the domain of the sending email address may not be associated with the connecting IP address, so use this with caution, as noted. By default, this is disabled.

    • Refuse to accept email if a lookup returns 'domain not found'.

      If the information given in the MAIL FROM domain cannot be validated as an existing domain, SecurityGateway can perform the actions listed in the options below. By default, this is enabled.

      • ... Send 501 error code (normally sends 451 error code)

        SecurityGateway normally sends a 451 error code to the sending server to refuse to accept the message, but does not drop the connection. Enabling this will cause SecurityGateway to send a '501 syntax error in parameters or arguments' error instead. By default, this is disabled.

      • ... And close the connection

        Enabling this will cause SecurityGateway to close the connection to the sending server itself, instead of letting the connection continue after refusing to accept the message. By default, this is disabled.

    • Exclude authenticated sessions

      If the sending session authenticates with a username and password, SecurityGateway will not do any reverse-DNS lookups on the information. By default, this is enabled.

    • Exclude global whitelisted senders

      If the address given in MAIL FROM is listed in SecurityGateway's global whitelist, it will not perform any reverse-DNS lookups. By default, this is enabled.

  • Insert warning headers into suspicious messages

    If a message is accepted, but fails a reverse-DNS check on any selected parts of the connection, SecurityGateway will add an 'X-Lookup-Warning' header to the message, with information about why the check failed. By default, this is enabled.
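The decision table behind the options above (PTR, HELO/EHLO and MAIL FROM lookups, the 501/451/close switches, the exclusions and the X-Lookup-Warning header), modelled as an added example; this is not SecurityGateway's code, and the DNS tables, IP addresses and host names are constructed stand-ins for live lookups.

```python
from dataclasses import dataclass, field
# Constructed DNS tables standing in for live lookups (hypothetical names and IPs).
PTR = {"203.0.113.10": "mail.example.net"}  # reverse (PTR) records by connecting IP
FWD = {"mail.example.net": {"203.0.113.10"}, "example.org": {"198.51.100.5"}}  # forward records

@dataclass
class DomainOpts:                   # the four switches listed under both HELO/EHLO and MAIL
    refuse_forged: bool = False     # Send 501 and close connection on forged identification
    refuse_not_found: bool = False  # Refuse to accept email if lookup returns 'domain not found'
    not_found_501: bool = False     # ... Send 501 error code (normally sends 451)
    not_found_close: bool = False   # ... And close the connection

@dataclass
class Opts:
    refuse_no_ptr: bool = False        # Send 501 and close connection if no PTR record exists
    refuse_ptr_mismatch: bool = False  # Send 501 and close connection if no PTR record match
    helo: DomainOpts = field(default_factory=DomainOpts)
    mail: DomainOpts = field(default_factory=DomainOpts)

def _decide(refuse, warn, code=501, close=True):  # refuse when the option is on, else warn
    return (code, close, None) if refuse else (None, False, warn)

def check_ptr(ip, o):
    """Returns (smtp_code, close_connection, warning); code None means the session continues."""
    name = PTR.get(ip)
    if name is None:
        return _decide(o.refuse_no_ptr, "no PTR record for " + ip)
    if ip not in FWD.get(name, ()):   # forward-confirm: the PTR name must resolve back to the IP
        return _decide(o.refuse_ptr_mismatch, "PTR %s does not resolve to %s" % (name, ip))
    return None, False, None

def check_domain(ip, domain, o, label):  # same decision table for HELO/EHLO and MAIL FROM
    addrs = FWD.get(domain)
    if addrs is None:                 # 'domain not found'
        return _decide(o.refuse_not_found, "%s domain %s not found" % (label, domain),
                       501 if o.not_found_501 else 451, o.not_found_close)
    if ip not in addrs:               # real domain, but not the connecting IP (forged identification)
        return _decide(o.refuse_forged, "%s domain %s does not match %s" % (label, domain, ip))
    return None, False, None

def check_session(ip, helo, mail_domain, opts, authenticated=False, whitelisted=False):
    """Run the three lookups in SMTP order; the first refusal wins. Returns (code, close, headers)."""
    if authenticated or whitelisted:  # the 'Exclude ...' options: no lookups at all
        return None, False, []
    results = [check_ptr(ip, opts), check_domain(ip, helo, opts.helo, "HELO"),
               check_domain(ip, mail_domain, opts.mail, "MAIL FROM")]
    refused = [r for r in results if r[0] is not None]
    if refused:
        return refused[0][0], refused[0][1], []
    return None, False, ["X-Lookup-Warning: " + r[2] for r in results if r[2]]
```

With every switch at its default, a session that fails a check is still accepted and only gains warning headers; each "Send 501" or "Refuse" switch turns the corresponding warning into the refusal the article describes.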

Additional Comments

Note that these settings apply to all domains set up on the SecurityGateway server. They cannot be configured for individual domains.