[Mimedefang] Potential for Business mail servers to not have reverse DNS

Kevin A. McGrail kmcgrail at pccc.com
Fri Sep 22 09:14:07 EDT 2006


The consensus, IMO at least but largely driven by AOL's policy, has been 
that requiring a reverse PTR that isn't blank, and treating others as suspect, 
is not a completely bad idea. Here is AOL's full policy.  The emphasis is mine.

  a. AOL does *require* that all connecting Mail Transfer Agents have 
established reverse DNS, regardless of whether it matches the domain.
  b. Reverse DNS must be in the form of a fully-qualified domain name. 
Reverse DNS containing in-addr.arpa is not acceptable, as these are merely 
placeholders for a valid PTR record. Reverse DNS consisting of IP addresses 
is also not acceptable, as it does not correctly establish the relationship 
between domain and IP address.
  c. Reverse DNS that may be similar to dynamic IP space (containing pool, 
dhcp, dyn, etc.) *may be treated as suspect*. Therefore, it should be changed to 
reflect a fully-qualified domain name with standard MTA reverse DNS.

Others have taken it to more of an extreme and checked to see if the reverse 
PTR includes anything that indicates a dynamic IP.

However, I believe the extreme policy has very mixed results.

We have seen mergers between ISPs leave the control of the reverse DNS zones 
in a tangle.  As an example, we have found that XO simply reset the reverse 
PTRs recently.  We also had a customer that took 9 weeks to get a reverse 
PTR entered with Verizon because no one knew who at Verizon had control of 
the reverse DNS zone.

And we find that some ISPs are using reverse DNS as a way to force customers 
to upgrade to "business" class services as a way of extorting more money for 
the exact same service.

But, in conclusion, because AOL is such a behemoth, you should be able to 
enforce the requirement that they have a reverse PTR entry.  That entry can 
be something like "LookMa.Imareverseentry.com".  Doing anything more than 
that is proven to be problematic even for people I have helped that know 
what they are doing but have an uncooperative (or technically incapable) ISP.

The goal being that if ISPs start blanking out reverse DNS for their dynamic 
IP ranges, the dynamic IPs can't send email.  I personally think it would be 
better to put "dynamic" into the reverse so that we can block dynamic IPs and 
leave mail servers to those with static IPs, but that isn't reliable.  People 
with dynamic IPs should be relaying off their ISP's mail gateways.

I'll look at my code and see what I have that I can publish.

Regards,
KAM

> Just wondering what the consensus is in regards to mail servers that do not
> have reverse DNS configured.
>
> Is it common for business mail servers to be unconfigured in this way?
> [Stupid disclaimer removed] 
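The two positions in the message above (require only that some PTR exists, versus applying AOL's full policy with its placeholder, IP-shaped and dynamic-name rules) are shown below as an added example. It is not code from the original post, from AOL or from MIMEDefang, and it is in Python rather than the Perl a MIMEDefang filter would use. The PTR results are a constructed table in place of a live reverse lookup, the documentation-range addresses are invented, and the dynamic-name tokens beyond AOL's "pool", "dhcp" and "dyn" are assumed additions.

```python
"""Classify a connecting MTA's reverse DNS (PTR) against the policy quoted
in the post and map it to an SMTP-level decision.

Added example, not the post's or MIMEDefang's code. The PTR lookup is
stubbed with constructed data so the module runs offline.
"""
import ipaddress
import re

# Constructed results standing in for a live PTR query. Documentation-range
# (192.0.2.0/24) addresses; none of these hosts exist.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mail.example.com.",
    "192.0.2.11": None,                                 # no PTR record at all
    "192.0.2.12": "12.2.0.192.in-addr.arpa.",           # placeholder, not a name
    "192.0.2.13": "192-0-2-13.example.net.",            # name is just the IP
    "192.0.2.14": "pool-192-0-2-14.dsl.example.net.",   # dynamic-looking
    "192.0.2.15": "LookMa.Imareverseentry.com.",        # odd, but a real FQDN
}

# "pool", "dhcp" and "dyn" come from the quoted AOL policy; "dialup" and
# "ppp" are assumed additions, not part of the quoted text.
DYNAMIC_TOKENS = ("pool", "dhcp", "dyn", "dialup", "ppp")


def lookup_ptr(ip: str):
    """Stand-in for a reverse lookup; a real filter would query DNS here."""
    return CONSTRUCTED_PTR.get(ip)


def _is_ip_shaped(name: str, ip: str) -> bool:
    """True if the PTR target is literally an address, or its first label is
    nothing but the connecting address's octets (e.g. 192-0-2-13).
    The second rule is an assumption about how such names usually look."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    first = name.split(".")[0]
    return (not re.search(r"[a-z]", first)
            and re.findall(r"\d+", first) == ip.split("."))


def classify_ptr(ip: str, ptr) -> str:
    """Return one of: no-ptr, placeholder, ip-shaped, dynamic-suspect, ok."""
    if not ptr:
        return "no-ptr"
    name = ptr.rstrip(".").lower()
    # A PTR that still points into the reverse tree is a placeholder.
    if name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa"):
        return "placeholder"
    if _is_ip_shaped(name, ip):
        return "ip-shaped"
    if any(tok in label for label in name.split(".") for tok in DYNAMIC_TOKENS):
        return "dynamic-suspect"
    return "ok"


def decide(ip: str, strict: bool = False):
    """Map a classification to a decision tuple (action, reason).

    strict=False is the post's recommendation: only a missing PTR is fatal,
    anything that resolves to some name is accepted.
    strict=True is the full quoted AOL policy: placeholders and IP-shaped
    names are rejected; dynamic-looking names are only marked "suspect"
    (for example, to add score in a later content check), not rejected.
    """
    cls = classify_ptr(ip, lookup_ptr(ip))
    if cls == "no-ptr":
        return ("reject", cls)
    if not strict:
        return ("accept", cls)
    if cls in ("placeholder", "ip-shaped"):
        return ("reject", cls)
    if cls == "dynamic-suspect":
        return ("suspect", cls)
    return ("accept", cls)


if __name__ == "__main__":
    for addr in sorted(CONSTRUCTED_PTR):
        print(addr, "lenient:", decide(addr), "strict:", decide(addr, strict=True))
```

Running the module prints both decisions for each constructed address; the "LookMa" name passes under both policies, which is the point the post makes about what a bare PTR requirement does and does not buy you.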
