Hi all,
Can some of you tell me how you deal with mail servers sending mail to your servers which have missing or incorrectly configured DNS information?
Postfix rejects mail with "reject_unknown_client" even when a PTR record exists but forward and reverse lookup are not identical. In our logs we see this misconfiguration happen very often. When I activate blocking these clients, the reject rate nearly doubles.
I just want to know how you deal with this. Do you reject mail from clients with misconfigured DNS, or do you tolerate it?
Regards and have a nice weekend.
Kind regards
Tobias Glasow
------------------------------------
Magnet.ch AG
Güterstrasse 86
4053 Basel
Tel.: 0842 420 420
Fax.: 0842 420 422
E-Mail: t.glasow@magnet.ch
-----------------------------------
Your independent Internet provider
-----------------------------------
Some providers are rejecting mails with wrongly configured DNS. Every provider handles it by itself... But the best way is to configure your DNS including the reverse zone... Some providers and firewalls are checking the reverse zone entries. When you have forgotten to program it, you can have big trouble...
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Tobias Glasow Sent: Friday, 18 March 2005 15:39 To: swinog@swinog.ch Subject: [swinog] Rejecting unknown/misconfigured mailclients
Dear Tobias,
"Postfix rejects mail with "reject_unknown_client" even when a PTR record exists but forward and reverse lookup are not identical. In our logs we see this misconfiguration happen very often. When I activate blocking these clients, the reject rate nearly doubles."
While not having a PTR in DNS is just bad behavior, there is no requirement at all for forward and reverse lookup to be identical. You will generate a lot of false positives (e.g. blocked mails from correct senders) and your service quality for the customers will go down.
Beyond that, there is no requirement that the originating IP address (nor the associated domain name) has to match the MX address that receives mail for these domains. And many SOHO organizations are forced to send their SMTP traffic over the ISP's SMTP server, which is highly probably not related to their small corporate infrastructure at all.
Reserving a dedicated IP address for each domain handled is simply a waste of IP addresses for the community.
There are smarter ideas around than black and white approaches, such as SPF, but this is not the golden egg either.
-Kurt.
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Xaver Aerni Sent: Saturday, March 19, 2005 11:53 AM To: swinog@swinog.ch Subject: AW: [swinog] Rejecting unknown/misconfigured mailclients
<snip>
On Sat, Mar 19, 2005 at 12:40:58 +0100, Kurt A. Schumacher wrote:
> While not having a PTR in DNS is just bad behavior, there is no requirement at all for forward and reverse lookup to be identical. You will generate a lot of false positives (e.g. blocked mails from correct senders) and your service quality for the customers will go down.
RFC1912 - Common DNS Operational and Configuration Errors
2.1 Inconsistent, Missing, or Bad Data
Every Internet-reachable host should have a name. The consequences of this are becoming more and more obvious. Many services available on the Internet will not talk to you if you aren't correctly registered in the DNS.
Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed (more than one IP address), make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all. Also, PTR records must point back to a valid A record, not an alias defined by a CNAME. It is highly recommended that you use some software which automates this checking, or generate your DNS data from a database which automatically creates consistent data.
> Beyond that, there is no requirement that the originating IP address (nor the associated domain name) has to match the MX address that receives mail for these domains. And many SOHO organizations are forced to send their SMTP traffic over the ISP's SMTP server, which is highly probably not related to their small corporate infrastructure at all.
That's not the issue, in fact it's not an issue at all...
> Reserving a dedicated IP address for each domain handled is simply a waste of IP addresses for the community.
You got the meaning of reject_unknown_client slightly wrong....
> There are smarter ideas around than black and white approaches, such as SPF, but this is not the golden egg either.
No it's not... but it is the best approach known to "patch" smtp for the things smtp is used these days...
Regards Philipp
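For readers who want to see what the check behind "reject_unknown_client" actually tests, here is an added example (not code from the thread, Postfix, or any poster): a forward-confirmed reverse DNS check (PTR, then A, then back to the original IP) run against a small constructed zone. The records use the RFC 5737 documentation ranges and are invented for the example; no real DNS is queried. It classifies each client the way the thread discusses (no PTR at all, PTR present but forward lookup pointing elsewhere, PTR pointing at a CNAME as warned against in RFC 1912 section 2.1, multi-homed host), and compares a strict policy that rejects anything that does not round-trip with a lenient one that only rejects clients lacking a PTR, which is the trade-off Tobias and Kurt are arguing about.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against a constructed toy
zone.  Everything in TOY_* is invented for this example; a production
check would query a resolver instead of these dictionaries."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# --- constructed toy zone data (not real DNS records) ---
TOY_PTR = {
    "192.0.2.10": "mail.example.com.",   # consistent: PTR -> A -> same IP
    "192.0.2.11": "smtp.example.net.",   # PTR exists, but A points elsewhere
    "192.0.2.12": "alias.example.org.",  # PTR points to a CNAME (RFC 1912 2.1)
    # 192.0.2.13 deliberately has no PTR at all
    "192.0.2.14": "multi.example.com.",  # multi-homed host, one A matches
}
TOY_A = {
    "mail.example.com.": ["192.0.2.10"],
    "smtp.example.net.": ["198.51.100.5"],
    "real.example.org.": ["192.0.2.12"],
    "multi.example.com.": ["203.0.113.7", "192.0.2.14"],
}
TOY_CNAME = {"alias.example.org.": "real.example.org."}

TEST_CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]


@dataclass
class FcrdnsResult:
    ip: str
    status: str            # ok | no_ptr | ptr_is_cname | ptr_no_a | mismatch
    ptr_owner: str         # the in-addr.arpa name a resolver would query
    ptr_name: Optional[str] = None
    forward_ips: List[str] = field(default_factory=list)


def check_fcrdns(ip, ptr=TOY_PTR, a=TOY_A, cname=TOY_CNAME):
    """Reverse-lookup ip, forward-lookup the resulting name, and see whether
    the original ip is among the forward answers."""
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    name = ptr.get(ip)
    if name is None:
        return FcrdnsResult(ip, "no_ptr", owner)
    # RFC 1912 says a PTR must point at an A record, not at a CNAME.  The toy
    # flags this as its own failure class rather than chasing the alias.
    if name in cname:
        return FcrdnsResult(ip, "ptr_is_cname", owner, name)
    fwd = a.get(name, [])
    if not fwd:
        return FcrdnsResult(ip, "ptr_no_a", owner, name)
    status = "ok" if ip in fwd else "mismatch"
    return FcrdnsResult(ip, status, owner, name, list(fwd))


def strict_policy(result):
    """Reject unless PTR -> A -> original IP round-trips (the strict reading
    of the check that Tobias saw doubling his reject rate)."""
    return "reject" if result.status != "ok" else "accept"


def lenient_policy(result):
    """Reject only clients with no PTR at all; tolerate mismatches."""
    return "reject" if result.status == "no_ptr" else "accept"


def reject_count(policy, clients=TEST_CLIENTS):
    """How many of the sample clients the given policy would reject."""
    return sum(1 for ip in clients if policy(check_fcrdns(ip)) == "reject")


if __name__ == "__main__":
    for ip in TEST_CLIENTS:
        r = check_fcrdns(ip)
        print(f"{ip:<12} {r.status:<13} strict={strict_policy(r)} "
              f"lenient={lenient_policy(r)}  ({r.ptr_owner} -> {r.ptr_name})")
    print("strict rejects:", reject_count(strict_policy),
          "lenient rejects:", reject_count(lenient_policy))
```

Over these five constructed clients the strict policy rejects three and the lenient one rejects one, which is the kind of gap between "no PTR" and "PTR that does not round-trip" that shows up as a much higher reject rate in the logs. The multi-homed case (`192.0.2.14`) passes only because the check compares against all forward addresses, not just the first one, as RFC 1912 requires.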