[Mimedefang] Potential for Business mail servers to not have reverse DNS
Kevin A. McGrail
kmcgrail at pccc.com
Fri Sep 22 09:14:07 EDT 2006
The consensus, IMO at least but largely driven by AOL's policy, has been
that requiring a reverse PTR that isn't blank, and treating others as
suspect, is not a completely bad idea. Here is AOL's full policy. The
emphasis is mine.
a. AOL does *require* that all connecting Mail Transfer Agents have
established reverse DNS, regardless of whether it matches the domain.
b. Reverse DNS must be in the form of a fully-qualified domain name.
Reverse DNS containing in-addr.arpa are not acceptable, as these are merely
placeholders for a valid PTR record. Reverse DNS consisting of IP addresses
are also not acceptable, as they do not correctly establish the relationship
between domain and IP address.
c. Reverse DNS that may be similar to dynamic IP space (containing pool,
dhcp, dyn, etc.) *may be treated as suspect*. Therefore it should be changed
to reflect a fully-qualified domain name with standard MTA reverse DNS.
Others have taken it to more of an extreme and checked to see if the reverse
ptr includes anything that indicates a dynamic IP.
However, I believe the extreme policy has very mixed results.
We have seen mergers between ISPs leave the control of the reverse DNS zones
in a tangle. As an example, we have found that XO simply reset the reverse
PTRs recently. We also had a customer that took 9 weeks to get a reverse
PTR entered with Verizon because no one knew who at Verizon had control of
the reverse DNS zone.
And we find that some ISPs are using reverse DNS as a way to force customers
to upgrade to "business" class services as a way of extorting more money for
the exact same service.
But, in conclusion, because AOL is such a behemoth, you should be able to
enforce the requirement that they have a reverse PTR entry. That entry can
be something like "LookMa.Imareverseentry.com". Doing anything more than
that is proven to be problematic even for people I have helped that know
what they are doing but have an uncooperative (or technically incapable) ISP.
The goal being that if ISPs start blanking out reverse DNS for their dynamic
IP ranges, the dynamic IPs can't send email. I personally think it would be
better to put "dynamic" into the reverse so that we can block dynamic IPs and
leave mail servers to those with static IPs, but that isn't reliable. People
with dynamic IPs should be relaying off their ISPs' mail gateways.
I'll look at my code and see what I have that I can publish.
> Just wondering what the consensus is in regards to mail servers that do
> have reverse DNS configured.
> Is it common for business mail servers to be unconfigured in this way?
> [Stupid disclaimer removed]
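An added example, not code from this thread or from MIMEDefang itself, that turns the AOL policy quoted in the message above into a PTR classifier: blank reverse DNS, an in-addr.arpa placeholder, a bare IP literal and anything that is not a fully-qualified hostname are rejected, names containing pool/dhcp/dyn-style tokens are flagged as suspect, and the "extreme" check Kevin describes (a hostname that spells out the client's own IP octets) is available behind a `strict` switch. The verdict names, the token list, the function names and the `strict` heuristic are assumptions; the sample addresses and hostnames are constructed.

```python
"""Classify a connecting MTA's reverse DNS along the lines of the AOL
policy quoted in the thread.  Added example, not MIMEDefang or list code;
verdict names, token list and the embedded-IP heuristic are assumptions."""
import ipaddress
import re
import socket
from typing import Optional

# Substrings AOL says "may be treated as suspect" (pool, dhcp, dyn) plus a
# few other common ISP conventions.  Assumption: adjust for your own traffic.
# Plain substring matching, so "dyn" also catches "dynamic" (and "dynamo").
DYNAMIC_TOKENS = ("pool", "dhcp", "dyn", "dialup", "ppp", "cable", "dsl")

# One DNS label: letters/digits/hyphens, no leading or trailing hyphen,
# at most 63 characters (RFC 1123 hostname rules; underscores rejected).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_ip_literal(name: str) -> bool:
    """True when the PTR target is just an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def embeds_ip(ip: str, name: str) -> bool:
    """The 'extreme' check: does the hostname spell out the client's IPv4
    octets (forwards or reversed, dot- or dash-separated), as ISP-generated
    dynamic names usually do?  Assumption: only IPv4 clients are handled."""
    try:
        octets = [str(o) for o in ipaddress.IPv4Address(ip).packed]
    except ipaddress.AddressValueError:
        return False
    forms = {sep.join(seq) for sep in ("-", ".")
             for seq in (octets, octets[::-1])}
    return any(form in name for form in forms)


def classify_ptr(ip: str, ptr: Optional[str], strict: bool = False) -> str:
    """Return 'reject', 'suspect' or 'ok' for the PTR name of ip.

    reject  : no PTR, in-addr.arpa placeholder, bare IP, or not an FQDN
    suspect : looks like dynamic space (token match, or embedded IP if strict)
    ok      : a plain fully-qualified hostname, e.g. LookMa.Imareverseentry.com
    """
    if not ptr:
        return "reject"                     # blank reverse DNS
    name = ptr.rstrip(".").lower()
    if "in-addr.arpa" in name or "ip6.arpa" in name:
        return "reject"                     # placeholder, not a real hostname
    if is_ip_literal(name):
        return "reject"                     # bare IP address as the PTR
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return "reject"                     # not a fully-qualified domain name
    if any(tok in name for tok in DYNAMIC_TOKENS):
        return "suspect"                    # pool/dhcp/dyn/... in the name
    if strict and embeds_ip(ip, name):
        return "suspect"                    # the extreme check
    return "ok"


def lookup_ptr(ip: str) -> Optional[str]:
    """Live PTR lookup for use in a real filter; None when the ISP has
    blanked the reverse zone.  Not exercised by the offline samples below."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed samples: documentation addresses and invented hostnames.
SAMPLES = [
    ("192.0.2.10", None),
    ("192.0.2.10", "10.2.0.192.in-addr.arpa"),
    ("192.0.2.10", "192.0.2.10"),
    ("192.0.2.10", "pool-192-0-2-10.example.net"),
    ("192.0.2.10", "192-0-2-10.example.net"),
    ("192.0.2.10", "LookMa.Imareverseentry.com"),
    ("192.0.2.10", "mail.example.org."),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(f"{ip:12} {str(ptr):32} minimal={classify_ptr(ip, ptr):7} "
              f"strict={classify_ptr(ip, ptr, strict=True)}")
```

The minimal policy (`strict=False`) is the one the message argues for: it only rejects what AOL rejects and would still pass a throwaway name such as "LookMa.Imareverseentry.com". Turning on `strict` adds the embedded-IP heuristic, which is where the mixed results described above come from, because plenty of legitimately static business hosts carry ISP-generated names of exactly that shape; in a real filter, `lookup_ptr` supplies the `ptr` argument from the connecting address.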