[Mimedefang] OT: DNS sanity check

John Nemeth jnemeth at victoria.tc.ca
Thu Jul 5 01:26:19 EDT 2007


On Nov 24,  7:25pm, alan premselaar wrote:
} 
} I've been scouring thru RFCs trying to find specific information about
} this to no avail.

     As others have pointed out, RFC 2821 talks about this.

} I have a situation where one of the ISPs i'm working with has started to
} reject mail from my mail servers since we've moved into a new data center.
} 
} currently our mail server doesn't have a reverse DNS PTR record

     This is very bad.  This is indicative of a severely misconfigured
system or one where the administrator doesn't have a clue.  Many sites
will reject connections from it.

} configured and i'm in the process of getting that fixed.  In the
} meantime I decided (based on bounced mail) to route outgoing mail via a
} machine I have in the US which *does* have a reverse DNS PTR record for it.
} 
} the problem is, the reverse DNS PTR record for that machine is
} mail.12inch.com (my domain) ... i've moved the mail server for this
} domain to another machine in our datacenter here (which subsequently
} doesn't have a reverse DNS PTR record yet) but have changed the forward
} record for mail.12inch.com to reflect the IP address of this new machine.
} 
} the problem I'm told by the ISP is that they're rejecting mail from my
} machines because:
} 
} a) machine #1 doesn't have a reverse DNS PTR record defined
} b) machine #2 has a PTR record defined, but it doesn't match the forward
} A record
} 
} I can *kind of* understand why they would reject a connection from a
} machine with no PTR record, although since outgoing-only mail servers
} are valid, they shouldn't necessarily require a PTR record, right?

     All servers on the internet should have proper PTR records.

     The problem is that people can make PTR records say anything
regardless of whether they have any right to use a domain.  This is
forging or spoofing.  By default, sendmail will add a "may be forged"
tag to the "Received: " header.  However, some sites will quite simply
reject the message, since they have no way of knowing if the server is
who it claims to be.

} what gets me is, is there actually any requirement that the A record and
} the PTR record for a host match? i'm under the impression that they are

     A records and PTR records are inversely related.  If they don't
refer to the same host, then something is seriously wrong.

} unreasonably rejecting mail but I just want to get a sanity check before

     Despite the silly bickering, the bottom line is that your DNS
setup is seriously broken and receiving sites have every right to
reject your mail because of it.

}-- End of excerpt from alan premselaar
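The check the ISP is applying (and that John describes as "A records and PTR records are inversely related") is forward-confirmed reverse DNS: look up the PTR for the connecting IP, then look up the A/AAAA records for the name the PTR returns, and require the original IP to be among them. The following is an added example written for this archive page, not code from the thread, from MIMEDefang or from sendmail. The zone data (`192.0.2.x` addresses, `mail.example.test`, `relay.example.test`) is constructed so the check runs offline; the `fake_*_lookup` functions, `fcrdns_check` and `received_annotation` are names chosen here. With no resolvers injected, it falls back to the system stub resolver, and the `(may be forged)` rendering only approximates sendmail's Received: header text.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as a receiving MTA applies it.

Added example, not code from the thread. 192.0.2.0/24 is a documentation
range and *.example.test does not exist; the zone data below is constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed zone data (assumed, not real DNS) so the check runs offline ---
# Mirrors the thread's two failure modes: a host with no PTR at all, and a host
# whose PTR names a hostname whose A record has since been moved elsewhere.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.test",   # PTR and A agree
    "192.0.2.20": "mail.example.test",   # stale PTR: A now points to .10
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.test": ["192.0.2.10"],
    "relay.example.test": ["192.0.2.30"],  # has an A record but no PTR
}


def fake_ptr_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a_lookup(name: str) -> List[str]:
    return FAKE_A.get(name, [])


# --- Live resolvers through the system stub resolver (used when none injected) ---
def system_ptr_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a_lookup(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns_check(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = system_ptr_lookup,
    a_lookup: Callable[[str], List[str]] = system_a_lookup,
) -> Tuple[str, str]:
    """Classify a connecting IP the way a receiving site would.

    Returns (verdict, detail), verdict being one of:
      'ok'        PTR exists and one of that name's A/AAAA records is this IP
      'no_ptr'    no PTR record at all (case (a) in the thread)
      'mismatch'  PTR exists but its forward records do not include this IP
                  (case (b); what sendmail flags as "may be forged")
      'bad_ip'    the argument is not an IP address
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "bad_ip", f"{ip!r} is not an IP address"
    name = ptr_lookup(str(addr))
    if not name:
        return "no_ptr", f"no PTR record for {addr}"
    name = name.rstrip(".").lower()
    forward = set()
    for a in a_lookup(name):
        try:
            forward.add(ipaddress.ip_address(a))
        except ValueError:
            continue  # ignore malformed answers rather than failing open
    if addr in forward:
        return "ok", f"{addr} -> {name} -> {addr}"
    seen = sorted(map(str, forward)) or "no A/AAAA records"
    return "mismatch", f"{addr} -> {name} -> {seen}"


def received_annotation(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = system_ptr_lookup,
    a_lookup: Callable[[str], List[str]] = system_a_lookup,
) -> str:
    """Approximate the client part of a Received: header: the PTR name plus
    '(may be forged)' when the forward lookup does not confirm it."""
    verdict, _ = fcrdns_check(ip, ptr_lookup, a_lookup)
    if verdict == "bad_ip":
        return f"[{ip}]"
    name = (ptr_lookup(ip) or "").rstrip(".").lower()
    if verdict == "ok":
        return f"{name} [{ip}]"
    if verdict == "mismatch":
        return f"{name} [{ip}] (may be forged)"
    return f"[{ip}]"  # no PTR: nothing to name the client by


if __name__ == "__main__":
    for test_ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(test_ip, fcrdns_check(test_ip, fake_ptr_lookup, fake_a_lookup))
        print("   ", received_annotation(test_ip, fake_ptr_lookup, fake_a_lookup))
```

Run against the constructed zone, `192.0.2.20` reproduces the ISP's complaint about machine #2 (PTR present, forward record moved) and `192.0.2.30` reproduces machine #1 (no PTR). The fix on the sender's side is the one the thread points at: get a PTR published for every outbound host and keep it pointing at a name whose A record points back.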