reverse dns configuration for IPV4, IPV6+ dns+ mail ?
Matus UHLAR - fantomas
uhlar at fantomas.sk
Mon Jun 19 13:00:25 UTC 2017
>>On 19.06.17 01:05, Reindl Harald wrote:
>>>it's nearly always misleading and results in randomness on the
>>>receiving server which name gets logged and if A/PTR matches
>>>
>>>normally you should always have:
>>>
>>>* IP with *one* PTR
>>>* the A-Record for the PTR matches
these two are correct.
>>>* smtp_helo_name of your MTA matches the same name
this one is incorrect and my next comment applies only to this one:
>On 19.06.2017 at 08:49, Matus UHLAR - fantomas wrote:
>>Even this is not required. In fact, requiring this breaks SMTP RFC.
>>The only requirement on helo name is that host must exist and be canonical,
>>which means it has to point to A or AAAA record
there's no requirement that the HELO string matches the same name as PTR
and A/AAAA
IP -> PTR -> A/AAAA must match
HELO does NOT have to match IP -> PTR record. It only has to be resolvable
to A/AAAA.
On 19.06.17 11:25, Reindl Harald wrote:
>should != required
>it's best practice
>
>anyways, with 2 PTR records for the same IP on servers with
>http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>you play lottery because one time it's logged as unknown and the
>other time as matching, the unknown cases would trigger
>reject_unknown_client_hostname
Actually, this would only happen when one of the A/AAAA records didn't exist.
Having two PTR records with valid A/AAAA would only confuse people because
they could see a different one each time the client connects, but it doesn't break
anything (only dns-based acl's)
On 19.06.17 12:39, John Levine wrote:
>Regardless of what the RFC says, if an IP doesn't have matching
>forward/backward DNS that is an extremely strong indication that it's
>a random computer in a botnet and few people will accept mail from it.
>As others have noted, it doesn't matter what the forward/backward name
>is so long as at least one pair of A and PTR match. You do want the
>HELO name to resolve correctly, again, non-resolving HELO is a
>very strong indication of a bot.
which is the same I wrote above :)
>Yes, we know the SMTP specs say otherwise but they haven't been
>updated since bot spam became such a problem.
RFCs weren't updated in the last case above.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
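
Added example, not part of the original message: a Python sketch of the checks discussed in this thread (IP -> PTR -> A/AAAA confirmation, the effect of two PTR records on one IP, and HELO resolution judged separately from the PTR). The zone data is constructed, and the model of a receiver acting on a single PTR answer per connection is an assumption, not Postfix's code.

```python
import ipaddress

# Constructed zone data (documentation prefixes, example names); not from the thread.
PTR = {
    "192.0.2.10": ["mail.example.net."],
    "192.0.2.20": ["a.example.net.", "b.example.net."],      # two PTRs, both have a matching A
    "192.0.2.30": ["ok.example.net.", "gone.example.net."],  # second PTR has no A record
    "2001:db8::25": ["mx6.example.net."],
}
ADDR = {  # A/AAAA answers per name
    "mail.example.net.": ["192.0.2.10"],
    "a.example.net.": ["192.0.2.20"],
    "b.example.net.": ["192.0.2.20"],
    "ok.example.net.": ["192.0.2.30"],
    "mx6.example.net.": ["2001:db8::25"],
    "helo.example.org.": ["198.51.100.7"],  # HELO name unrelated to any PTR above
}

def fqdn(name):
    """Normalise a host name to lower case with a trailing dot."""
    return name.rstrip(".").lower() + "."

def confirmed_names(ip):
    """IP -> PTR -> A/AAAA: PTR names whose address set contains the client IP."""
    client = ipaddress.ip_address(ip)
    return [fqdn(n) for n in PTR.get(str(client), [])
            if client in {ipaddress.ip_address(a) for a in ADDR.get(fqdn(n), [])}]

def per_ptr_outcome(ip):
    """Name logged for each PTR answer a receiver might act on, or 'unknown'."""
    ok = set(confirmed_names(ip))
    names = [fqdn(n) for n in PTR.get(str(ipaddress.ip_address(ip)), [])]
    return {n: (n if n in ok else "unknown") for n in names}

def helo_resolves(helo):
    """HELO check: the name must resolve to A/AAAA; it is not compared with the PTR."""
    return bool(ADDR.get(fqdn(helo)))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, per_ptr_outcome(ip))
    print("helo.example.org resolves:", helo_resolves("helo.example.org"))
```

With two PTRs that both forward-confirm (192.0.2.20) only the logged name varies; an "unknown" result appears only when one PTR lacks a matching A/AAAA (192.0.2.30).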