[Mimedefang] OT: DNS sanity check

Les Mikesell les at futuresource.com
Wed Jul 4 14:20:32 EDT 2007


alan premselaar wrote:
>
> I've been scouring through RFCs trying to find specific information about
> this to no avail.
> 
> sorry for the OT post, but the list traffic is sane enough and I suspect
> there are plenty of qualified people here that I might actually get a
> useful answer.
> 
> I have a situation where one of the ISPs I'm working with has started to
> reject mail from my mail servers since we've moved into a new data center.
> 
> currently our mail server doesn't have a reverse DNS PTR record
> configured and I'm in the process of getting that fixed.  In the
> meantime I decided (based on bounced mail) to route outgoing mail via a
> machine I have in the US which *does* have a reverse DNS PTR record for it.
> 
> the problem is, the reverse DNS PTR record for that machine is
> mail.12inch.com (my domain) ... I've moved the mail server for this
> domain to another machine in our datacenter here (which subsequently
> doesn't have a reverse DNS PTR record yet) but have changed the forward
> record for mail.12inch.com to reflect the IP address of this new machine.
> 
> the problem I'm told by the ISP is that they're rejecting mail from my
> machines because:
> 
> a) machine #1 doesn't have a reverse DNS PTR record defined
> b) machine #2 has a PTR record defined, but it doesn't match the forward
> A record
> 
> I can *kind of* understand why they would reject a connection from a
> machine with no PTR record, although since outgoing-only mail servers
> are valid, they shouldn't necessarily require a PTR record, right?
> 
> what gets me is, is there actually any requirement that the A record and
> the PTR record for a host match? I'm under the impression that they are
> unreasonably rejecting mail but I just want to get a sanity check before
> I start screaming at them (it's been a long day).
> 
> so, any information, assistance, references to RFCs, etc. would be
> greatly appreciated.

RFC 2821 section 4.1.3 says:
   "Sometimes a host is not known to the domain name system and
   communication (and, in particular, communication to report and repair
   the error) is blocked.  To bypass this barrier a special literal form
   of the address is allowed as an alternative to a domain name."

This isn't something that would exist if _any_ relationship to DNS were
an RFC requirement for email.

And section 4.1.4 says:

   "An SMTP server MAY verify that the domain name parameter in the EHLO
   command actually corresponds to the IP address of the client.
   However, the server MUST NOT refuse to accept a message for this
   reason if the verification fails: the information about verification
   failure is for logging and tracing only."

But, since you are dealing with someone who isn't following the RFCs
anyway, you probably aren't going to get it changed on the receiving
end.  Your ISP should either delegate reverse DNS to you or handle it
for you, or provide a forwarding SMTP server, or both.

-- 
   Les Mikesell
    lesmikesell at gmail.com
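A small forward-confirmed reverse DNS (FCrDNS) check of the kind the rejecting ISP is evidently applying, added here as an illustration and not part of either poster's message. The IP addresses are constructed from RFC 5737 documentation ranges; mail.12inch.com is the name from the thread, and the canned zone data reproduces its two cases (no PTR, and a PTR whose forward A record points elsewhere).

```python
import socket
from ipaddress import ip_address

# Outcomes a strict receiving MTA distinguishes.
NO_PTR = "no-ptr"              # machine #1 in the thread: no PTR record at all
PTR_MISMATCH = "ptr-mismatch"  # machine #2: PTR names a host whose A record is elsewhere
CONFIRMED = "confirmed"        # PTR name resolves back to the connecting IP

def _live_ptr(ip):
    """Reverse lookup via the system resolver; empty list when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except socket.herror:
        return []

def _live_a(name):
    """Forward lookup via the system resolver; empty list when the name has no address."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def fcrdns_check(ip, resolve_ptr=_live_ptr, resolve_a=_live_a):
    """Classify a client IP as a strict MTA would; returns (outcome, ptr_names).

    resolve_ptr(ip) -> list of PTR names, resolve_a(name) -> list of addresses;
    both default to the system resolver and can be swapped for canned data."""
    ip = str(ip_address(ip))  # normalise and reject garbage before querying
    ptr_names = [n.rstrip(".").lower() for n in resolve_ptr(ip)]
    if not ptr_names:
        return NO_PTR, ptr_names
    for name in ptr_names:
        if ip in {str(ip_address(a)) for a in resolve_a(name)}:
            return CONFIRMED, ptr_names
    return PTR_MISMATCH, ptr_names

# Constructed zone data mirroring the thread (RFC 5737 documentation addresses, not real hosts):
# machine #1 (new datacenter) has no PTR; machine #2 (US relay) has PTR mail.12inch.com,
# but the forward record for mail.12inch.com now points at machine #1.
FAKE_PTR = {"192.0.2.10": [], "198.51.100.20": ["mail.12inch.com"]}
FAKE_A = {"mail.12inch.com": ["192.0.2.10"]}

def check_thread_hosts():
    """Run the check against both machines from the post using the canned zone data."""
    def ptr(ip):
        return FAKE_PTR.get(ip, [])
    def a(name):
        return FAKE_A.get(name.lower(), [])
    return {ip: fcrdns_check(ip, ptr, a)[0] for ip in FAKE_PTR}
```

Calling `fcrdns_check("203.0.113.1")` with no extra arguments queries the live resolver, which is the quick way to confirm a PTR/A fix has propagated before asking the ISP to retry.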
