|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: Reverse DNS and SMTP
> > You are most correct, it is definitely a double edged sword. Let's say > you try to reverse DNS on an address who's nameserver is down or > otherwise unreachable, what then? Some admins I know deliberately do run Temporary DNS errors (timeouts reaching a server etc) are/should be distinguishable from hard errors (NXDOMAIN responses, no such RR for the queried name), and the SMTP daemon could/should then react appropriately by using a 5xx error for hard DNS errors and 4xx errors for temporary errors, where a 4xx error should then result in the sending side queueing the mail appropriately for a later attempt. > reverse DNS as they view it as system cracker tool, or they feel it is You mean don't run reverse DNS? Having good reverse DNS is a requirement to allow things like tcp-wrappers to work with domainnames rather than just IP addresses. > an unwarranted load, RFCs be damned. Is this admin decision the fault of > the user? > > You are not first one to try this. I have tried this myself and a > financial type didn't get an important email because of it. You know the > rest of the story. > > A better solution is to check the ip and see if it is an MX record for > the domain the mail purports to be from. An MX record always contains a name, not an IP address. Thus, you will still need to do reverse lookup on the IP to try and match it against that name. Your approach will be further complicated by the fact that MX record do not (necessarily) list the canonical name of the MTA (ie for which a PTR record exists). Further, you are requiring that everyone sends mail from the same server that they receive mail on. Such a requirement is too restrictive. What should be checked is that the domain of the sender's address exists and has a valid MX record (and that the name that MX record points to exists as an A record), so that there is a chance that complaints/bounces actually can be returned to the sender. AFAIK, sendmail (and likely other MTAs) already have facilities to perform these checks. One could go further and actually try whether any of those listed MX servers actually accepts SMTP connections before accepting the mail, but that would generate a *lot* of unneccessary traffic and would most likely overload one's own server too. > Just my opinion, and I could wrong. same here. Mathias
|