North American Network Operators Group


RE: Reverse DNS and SMTP

  • From: Mathias Koerber
  • Date: Thu Feb 28 22:25:43 2002

> You are most correct, it is definitely a double edged sword. Let's say
> you try to reverse DNS on an address who's nameserver is down or
> otherwise unreachable, what then? Some admins I know deliberately do run

Temporary DNS errors (timeouts reaching a server etc) are/should be distinguished
from hard errors (NXDOMAIN responses, no such RR for the queried name),
and the SMTP daemon could/should then react appropriately by using a
5xx error for hard DNS errors and 4xx errors for temporary errors, where
a 4xx error should then result in the sending side queueing the mail
for a later attempt.

> reverse DNS as they view it as system cracker tool, or they feel it is

You mean don't run reverse DNS? Having good reverse DNS is a requirement
to allow things like tcp-wrappers to work with domain names rather than
just IP addresses.

> an unwarranted load, RFCs be damned. Is this admin decision the fault of
> the user?
> You are not first one to try this. I have tried this myself and a
> financial type didn't get an important email because of it. You know the
> rest of the story.
> A better solution is to check the ip and see if it is an MX record for
> the domain the mail purports to be from.

An MX record always contains a name, not an IP address. Thus, you will still
need to do a reverse lookup on the IP to try and match it against that name. Your
check will be further complicated by the fact that MX records do not (necessarily)
list the canonical name of the MTA (i.e. the one for which a PTR record exists).

Further, you are requiring that everyone sends mail from the same server
that they receive mail on. Such a requirement is too restrictive.

What should be checked is that the domain of the sender's address exists and
has a valid MX record (and that the name that MX record points to exists as
an A record), so that there is a chance that complaints/bounces actually can
be returned to the sender.

AFAIK, sendmail (and likely other MTAs) already have facilities to perform
these checks.
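The check sketched above (sender domain exists, has an MX, and the MX target resolves to an A record), combined with the earlier point about answering temporary DNS errors with 4xx and hard errors with 5xx, looks roughly like the following. This is an added illustration, not code from the thread or from sendmail; it uses a constructed in-memory zone (the `FakeResolver` class and the `CONSTRUCTED_ZONE` data are assumptions made so it runs offline) where a real MTA would put a real resolver behind the same `lookup()` interface. It goes slightly beyond the text in two places: the RFC 2821 "implicit MX" rule (a domain with no MX is treated as its own mail host) and acceptance of the null sender `<>` that bounces are sent from.

```python
"""Sender-domain sanity check for an SMTP daemon: does the envelope sender's
domain exist, does it have an MX, and does that MX name resolve to an A record?
Temporary DNS errors map to a 4xx reply (sender queues and retries), hard
errors to 5xx. The DNS data is a constructed, in-memory zone so this runs
offline; it is an assumption of this example, not real DNS."""
from dataclasses import dataclass, field


class DnsTempError(Exception):
    """Timeout / SERVFAIL / unreachable nameserver: the client should retry later."""


class DnsHardError(Exception):
    """NXDOMAIN: the name definitively does not exist."""


@dataclass
class FakeResolver:
    """Stand-in resolver (assumption). zone maps name -> {rrtype: [rdata, ...]}.
    A name absent from zone is NXDOMAIN; a name present without the requested
    type is NODATA and yields an empty list. Names in `unreachable` time out."""
    zone: dict
    unreachable: set = field(default_factory=set)

    def lookup(self, name, rtype):
        name = name.rstrip(".").lower()
        if name in self.unreachable:
            raise DnsTempError(f"timeout resolving {name}")
        if name not in self.zone:
            raise DnsHardError(f"NXDOMAIN for {name}")
        return list(self.zone[name].get(rtype, []))


# SMTP replies the daemon would send in response to MAIL FROM
ACCEPT = (250, "sender domain verified")
TEMPFAIL = (451, "temporary DNS failure resolving sender domain, try again later")
REJECT = (550, "sender domain has no usable mail exchanger")


def check_sender_domain(resolver, envelope_sender):
    """Return the (code, text) SMTP reply for the given MAIL FROM address."""
    address = envelope_sender.strip("<>")
    if address == "":
        return ACCEPT  # null sender carries bounces; RFC 2821 requires accepting it
    if "@" not in address:
        return REJECT  # no domain part at all, nothing to verify
    domain = address.rpartition("@")[2]
    try:
        mx_records = resolver.lookup(domain, "MX")
    except DnsTempError:
        return TEMPFAIL
    except DnsHardError:
        return REJECT  # domain does not exist: nothing could ever be bounced to it
    if not mx_records:
        # No MX: RFC 2821 "implicit MX" treats the domain itself as the mail host.
        mx_records = [(0, domain)]
    saw_temp_error = False
    for _preference, exchanger in sorted(mx_records):
        try:
            if resolver.lookup(exchanger, "A"):
                return ACCEPT  # at least one exchanger resolves: bounces can be returned
        except DnsTempError:
            saw_temp_error = True
        except DnsHardError:
            continue  # this exchanger is bogus; a lower-priority one may still work
    # Nothing resolved. If any lookup failed only temporarily, defer rather than
    # reject, so the sending side queues the message instead of losing it.
    return TEMPFAIL if saw_temp_error else REJECT


# Constructed zone data (assumption for the example; RFC 5737 documentation addresses).
CONSTRUCTED_ZONE = {
    "example.com":          {"MX": [(10, "mail.example.com"), (20, "mx2.example.com")]},
    "mail.example.com":     {"A": ["192.0.2.10"]},
    "mx2.example.com":      {"A": ["192.0.2.11"]},
    "nomx.example.net":     {"A": ["192.0.2.20"]},                    # implicit MX only
    "ghost.example.org":    {"MX": [(10, "mx.ghost.example.org")]},   # exchanger is NXDOMAIN
    "nodata.example.com":   {"TXT": ["v=spf1 -all"]},                 # exists, no MX and no A
    "flaky.example.com":    {"MX": [(10, "mx.flaky.example.com")]},
    "mx.flaky.example.com": {"A": ["192.0.2.30"]},                    # listed as unreachable
}
RESOLVER = FakeResolver(CONSTRUCTED_ZONE,
                        unreachable={"slow.example.edu", "mx.flaky.example.com"})

if __name__ == "__main__":
    for sender in ["alice@example.com", "bob@nomx.example.net", "c@ghost.example.org",
                   "d@nodata.example.com", "e@nonexistent.test", "f@slow.example.edu",
                   "g@flaky.example.com", "<>"]:
        code, text = check_sender_domain(RESOLVER, sender)
        print(f"{sender:24} -> {code} {text}")
```

Note what this does not do: it never opens an SMTP connection to the exchangers, for exactly the reason given in the thread (the traffic and load would be out of proportion to the benefit). It also deliberately returns 451 rather than 550 whenever the only failure seen was a timeout, which is what keeps a flaky remote nameserver from turning into lost mail.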

One could go further and actually try whether any of those listed MX servers
actually accepts SMTP connections before accepting the mail, but that would
cause a *lot* of unnecessary traffic and would most likely overload one's own
server too.

> Just my opinion, and I could be wrong.

Same here.