[Mimedefang] Potential for Business mail servers to not havereverse DNS

John Rudd john at rudd.cc
Fri Sep 22 11:37:31 EDT 2006 

Kevin A. McGrail wrote:
>
> The consensus, IMO at least but largely driven by AOL's policy, has 
> been that a reverse ptr that isn't blank and others as suspect is not 
> a completely bad idea. Here is AOL's full policy.  The emphasis is mine.
>
>  a.. AOL does *require* that all connecting Mail Transfer Agents have 
> established reverse DNS, regardless of whether it matches the domain.
>  b.. Reverse DNS must be in the form of a fully-qualified domain name. 
> Reverse DNS containing in-addr.arpa are not acceptable, as these are 
> merely placeholders for a valid PTR record. Reverse DNS consisting of 
> IP addresses are also not acceptable, as they do not correctly 
> establish the relationship between domain and IP address. 
It's not just AOL policy, it's a strict interpretation of RFC 1912, 
section 2.1:

#   2.1 Inconsistent, Missing, or Bad Data
#
#   Every Internet-reachable host should have a name.  The consequences
#   of this are becoming more and more obvious.  Many services available
#   on the Internet will not talk to you if you aren't correctly
#   registered in the DNS.
#
#   Make sure your PTR and A records match.  For every IP address, there
#   should be a matching PTR record in the in-addr.arpa domain.  If a
#   host is multi-homed, (more than one IP address) make sure that all IP
#   addresses have a corresponding PTR record (not just the first one).
#   Failure to have matching PTR and A records can cause loss of Internet
#   services similar to not being registered in the DNS at all.  Also,
#   PTR records must point back to a valid A record, not a alias defined
#   by a CNAME.  It is highly recommended that you use some software
#   which automates this checking, or generate your DNS data from a
#   database which automatically creates consistent data.


So:

1) every host on the internet should have a name
2) every IP address should have a PTR record
3) PTR records must point to a valid A record, and not a CNAME record
4) it's a good idea for the A record to match the PTR record (resolve 
back to the IP addr)

By "strict interpretation", I mean "enforce all of these as MUST 
directives, instead of mere SHOULD directives/suggestions".

My mimedefang-filter enforces these in filter_sender, along with 
something like the "c" requirement from AOL's policy (about names that 
look dynamic).  And I interpret #1 as meaning "must have a name which is 
listed in DNS" (in otherwords, it must be the key for an A or CNAME 
record).  This translates into:

Every system which wishes to deliver email to me must have:

* A PTR record for its IP address ("the connecting IP address").  
Failure leads to a temporary rejection of the message.
* The PTR record must resolve to a name which is they key for an A 
record.  Failure leads to a temporary rejection of the message.
* The A record must have at least 1 IP address which matches the 
connecting IP address.  Failure leads to a permanent failure of the message.
* The name from the PTR record must not look dynamic.  Failure is a 
permanent rejection of the message.
* The above restrictions can be avoided via SMTP-AUTH.


I have yet to find out that any such rejection was a valid email message.

More information about the MIMEDefang mailing list