reverse dns configuration for IPV4, IPV6+ dns+ mail ?

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Jun 19 13:00:25 UTC 2017


>>On 19.06.17 01:05, Reindl Harald wrote:
>>>it's nearly always misleading and results in randomness on the 
>>>receiving server as to which name gets logged and whether A/PTR matches
>>>
>>>normally you should always have:
>>>
>>>* IP with *one* PTR
>>>* the A-Record for the PTR matches

these two are correct.

>>>* smtp_helo_name of your MTA matches the same name

this one is incorrect and my next comment applies only to this one:

>Am 19.06.2017 um 08:49 schrieb Matus UHLAR - fantomas:
>>Even this is not required. In fact, requiring this breaks SMTP RFC.
>>The only requirement on helo name is that host must exist and be canonical,
>>which means it has to point to A or AAAA record

there's no requirement that the HELO string matches the same name as PTR
and A/AAAA

IP -> PTR -> A/AAAA must match

HELO does NOT have to match IP -> PTR record. It only has to be resolvable
to A/AAAA.

On 19.06.17 11:25, Reindl Harald wrote:
>should != required
>it's best practice
>
>anyways, with 2 PTR records for the same IP on servers with 
>http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname 
>you play lottery because one time it's logged as unknown and the 
>other time as matching, the unknown cases would trigger 
>reject_unknown_client_hostname

Actually, this would only happen when one of the A/AAAA records didn't exist.
Having two PTR records with valid A/AAAA would only confuse people because
they could see a different one each time the client connects, but it doesn't
break anything (only DNS-based ACLs).

On 19.06.17 12:39, John Levine wrote:
>Regardless of what the RFC says, if an IP doesn't have matching
>forward/backward DNS that is an extremely strong indication that it's
>a random computer in a botnet and few people will accept mail from it.

>As others have noted, it doesn't matter what the forward/backward name
>is so long as at least one pair of A and PTR match.  You do want the
>HELO name to resolve correctly, again, again non-resolving HELO is a
>very strong indication of a bot.

which is the same I wrote above :)

>Yes, we know the SMTP specs say otherwise but they haven't been
>updated since bot spam became such a problem.

RFCs weren't updated in the last case above.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
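The checks argued over in this thread, as an added example that is not part of the original post or of BIND or Postfix: an IP must have a PTR whose A/AAAA points back at that IP (forward-confirmed reverse DNS), while the HELO name only needs to resolve to an A or AAAA record (or be an address literal), and need not equal the PTR. The zone data below is a constructed table of hypothetical names on RFC 5737/3849 documentation addresses so that the logic runs offline; the `lookup` callable is the one thing to swap for a real resolver. It also covers the multi-PTR cases discussed above: two PTRs that both confirm (harmless but confusing) versus two PTRs where only one confirms (the "lottery" for servers that check a single PTR).

```python
"""Forward-confirmed reverse DNS and HELO sanity checks (added example)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# (owner name, record type) -> list of rdata strings
Lookup = Callable[[str, str], List[str]]

# Constructed sample zone data: hypothetical names, documentation-only addresses.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # One IP, two PTRs, both forward-confirmed: consistent, merely confusing.
    ("20.100.51.198.in-addr.arpa", "PTR"): ["mail.example.net", "smtp.example.net"],
    ("mail.example.net", "A"): ["198.51.100.20"],
    ("smtp.example.net", "A"): ["198.51.100.20"],
    ("smtp.example.net", "AAAA"): ["2001:db8::25"],
    # IPv6 client whose PTR and AAAA agree (reverse name built, not hand-typed).
    (ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): ["smtp.example.net"],
    # Two PTRs, only one of which resolves back: the "lottery" case.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["good.example.org", "ghost.example.org"],
    ("good.example.org", "A"): ["192.0.2.10"],
    # ghost.example.org deliberately has no A/AAAA at all.
    # PTR exists but its forward record points somewhere else.
    ("7.113.0.203.in-addr.arpa", "PTR"): ["other.example.org"],
    ("other.example.org", "A"): ["203.0.113.99"],
    # A HELO name that resolves but is nobody's PTR: acceptable per RFC 5321.
    ("helo.example.com", "AAAA"): ["2001:db8:1::1"],
}


def table_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Build a lookup callable over the constructed zone table."""
    def lookup(name: str, rtype: str) -> List[str]:
        return list(zone.get((name.rstrip(".").lower(), rtype), []))
    return lookup


def forward_addresses(name: str, lookup: Lookup):
    """All A and AAAA addresses a name resolves to, as ipaddress objects."""
    addrs = set()
    for rtype in ("A", "AAAA"):
        for rdata in lookup(name, rtype):
            addrs.add(ipaddress.ip_address(rdata))
    return addrs


def check_client_ip(ip: str, lookup: Lookup) -> dict:
    """IP -> PTR -> A/AAAA consistency for a connecting client.

    status: "ok"           every PTR resolves back to the IP
            "inconsistent" at least one PTR confirms, at least one does not
                           (a single-PTR check will randomly pass or fail)
            "unknown"      no PTR, or no PTR resolves back to the IP
    """
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(addr.reverse_pointer, "PTR")
    confirmed = [n for n in ptrs if addr in forward_addresses(n, lookup)]
    unconfirmed = [n for n in ptrs if n not in confirmed]
    if not ptrs or not confirmed:
        status = "unknown"
    elif unconfirmed:
        status = "inconsistent"
    else:
        status = "ok"
    return {"ip": str(addr), "ptr": ptrs, "confirmed": confirmed,
            "unconfirmed": unconfirmed, "status": status}


def check_helo(helo: str, lookup: Lookup) -> bool:
    """RFC 5321 requirement only: the HELO name resolves to A/AAAA, or is an
    address literal such as [198.51.100.20] or [IPv6:2001:db8::25]."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    return bool(forward_addresses(helo, lookup))


if __name__ == "__main__":
    lk = table_lookup(SAMPLE_ZONE)
    for client in ("198.51.100.20", "2001:db8::25", "192.0.2.10", "203.0.113.7", "203.0.113.8"):
        print(check_client_ip(client, lk))
    for helo in ("helo.example.com", "smtp.example.net", "nonexistent.example.com", "[IPv6:2001:db8::25]"):
        print(helo, "->", "resolvable" if check_helo(helo, lk) else "NOT resolvable")
```

Note that `check_helo` never compares the HELO name against the client's PTR: a server that rejects on that mismatch goes beyond what the SMTP RFC requires, which is the disagreement in the thread. The "inconsistent" status is the one worth alerting on for your own outbound hosts, since a receiving server that looks at a single PTR will classify the client differently from one connection to the next.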

