On Sat, 09 Jul 2011 19:00:42 +0200 lee <l...@yun.yagibdah.de> wrote:

> Erwan David <er...@rail.eu.org> writes:
>
> > On 09/07/11 18:15, lee wrote:
> >>
> >> Apparently they can, though I don't like the idea. For outgoing
> >> email, you need to make sure that the hostname given in [E]HLO
> >> statements and the IP address of the host connecting to a remote
> >> MTA always match when the remote MTA resolves either. You may
> >> send me some test mails to check.
> >
> > My mail server is behind a NAT gateway in IPv4, and directly
> > connects in IPv6. What should I configure it for HELO: the name of
> > the NAT gateway (for IPv4) or its own name (IPv6 only from
> > outside)?
>
> Hm. Can you send me an email through IPv6? My guess is that you can
> not, and that you would need to configure the [E]HLO depending on
> which version of the protocol you use to send outgoing messages. But
> then, I'd have to look up how exactly exim4 is doing the rDNS
> checking to be sure.
>
> > This kind of check is useless and loses too many legit emails.
>
> The rDNS check is very useful because it keeps out tons of SPAM
> without occupying too many resources. It also seems to be common
> practise. Do you have a better suggestion?
Yes.

- Check that the sender IP address has a PTR.
- Check that the PTR string exists as an A record in public DNS and the A record returns the same IP address.
- Check that HELO resolves in public DNS either to a domain or an A record, though not necessarily the same one as the sender PTR.

Exim4 will do this easily. I can no longer recall whether these are default settings, but they are certainly only a matter of enabling existing programmed checks. They do indeed eliminate nearly all spam, as my email address as shown is valid and has been used freely on Usenet for more than twelve years, so I need all the help I can get.

There's no need for the HELO to match the PTR; mine have almost no relationship, as I lease an Internet connection from one company and a number of domain names elsewhere, which are all hosted on my mail server. My ISP provides complementary PTR and A records, but I do not use the PTR hostname for anything, as it is long and rambling, though at least it doesn't look like a DHCP-issued one. I don't even bother varying the HELO for different sending domains, which exim4 will do if necessary. I don't find it so; anything resolvable in public DNS seems OK.

I've even seen email from BT servers carrying what is obviously a Microsoft private domain name as HELO, one which ends in .local, which is not a valid top-level domain. OK, it wouldn't get into my server, but there are obviously some which don't check. I occasionally use telnet to connect to a mail server to verify something. I use a six-character HELO which is quick to type, and which is valid, but which I have no entitlement to use at all. It is never a problem.

There's also no need for the MX to match either HELO or PTR, as some people suggest. Many large companies use separate send and receive servers; many small ones receive via a spam-removing service that has nothing to do with their own mail server.
>> Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> writes:
>>
>>> Can rDNS lookups for different IPs return the same result such as
>>> "mail.example.com" or must each IP have its own unique PTR record
>>> name?

Not if many mail servers are configured as mine is, and I think many are. The complementary PTR-A record pair would not work, as your hostname A record would only point to one IP address. But there's no problem with multiple MX records, and as I say they don't have to match a PTR anywhere, so there's no problem with using two different hostnames for your two IP addresses. Just ensure the PTRs for the addresses match the hostnames.

By the way, many MTAs will accept an MX record containing an IP address, but some won't. The SMTP RFC specifically requires an MX record to contain a hostname, which will have a corresponding A record which points to the IP address.

Even if your ISP will not configure the PTR to suit you, if it is configured at all, the ISP will probably have a matching A record pointing back to it. If the PTR isn't configured at all, and the ISP won't do it, forget about sending mail; you have to use a smarthost. Even mail servers which don't look for a complementary pair will still look for the existence of a PTR.

-- 
Joe

Archive: http://lists.debian.org/20110709214156.740f0...@jresid.jretrading.com
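The three checks Joe lists (PTR present, PTR forward-confirmed to the same IP, HELO resolvable but not required to match the PTR), written out as an added example that is not from the thread or from exim4. The DNS lookup is injected so it runs offline against a constructed table of documentation-range addresses; a real resolver (dnspython is assumed as one option) could be substituted for production use.

```python
import ipaddress


def _norm(name):
    return name.rstrip(".").lower()


def _rev(ip):
    return ipaddress.ip_address(ip).reverse_pointer  # e.g. "25.2.0.192.in-addr.arpa"


# Constructed zone data standing in for public DNS (documentation ranges, not real hosts).
FAKE_DNS = {
    (_rev("192.0.2.25"), "PTR"): ["host25.isp.example"],
    ("host25.isp.example", "A"): ["192.0.2.25"],
    (_rev("2001:db8::25"), "PTR"): ["mx6.example.net"],
    ("mx6.example.net", "AAAA"): ["2001:0db8::25"],   # same address, different spelling
    (_rev("198.51.100.7"), "PTR"): ["cust-7.isp.example"],
    ("cust-7.isp.example", "A"): ["198.51.100.8"],    # forward record disagrees with PTR
    ("mail.example.net", "A"): ["203.0.113.10"],       # HELO host unrelated to any PTR
    ("example.org", "MX"): ["10 mx.example.org"],      # HELO that is a domain, not a host
}


def fake_lookup(name, rrtype):
    """Stand-in resolver: record data for (name, type), or [] when no such record exists."""
    return FAKE_DNS.get((_norm(name), rrtype), [])


def check_sender(ip, helo, lookup=fake_lookup):
    """Apply the three checks from the post; returns (accept, reasons).
    lookup(name, rrtype) -> list[str] is the only DNS dependency."""
    addr = ipaddress.ip_address(ip)
    reasons = []
    # 1. The connecting IP must have a PTR record at all.
    ptrs = lookup(addr.reverse_pointer, "PTR")
    if not ptrs:
        reasons.append("no PTR record for %s" % addr)
    else:
        # 2. Forward-confirm: some PTR target's A/AAAA must contain exactly this IP.
        fwd = "AAAA" if addr.version == 6 else "A"
        confirmed = any(ipaddress.ip_address(a) == addr
                        for p in ptrs for a in lookup(p, fwd))
        if not confirmed:
            reasons.append("PTR %s does not resolve back to %s" % (ptrs, addr))
    # 3. HELO must resolve somewhere in public DNS (A/AAAA host or MX-bearing domain);
    #    it does not have to match the PTR name, as the post says.
    if not any(lookup(helo, t) for t in ("A", "AAAA", "MX")):
        reasons.append("HELO %r does not resolve in public DNS" % helo)
    return (not reasons, reasons)
```

The `.local` HELO from the post is the kind of name step 3 rejects, while an IPv6 sender whose AAAA record spells the address differently still passes step 2 because addresses are compared as parsed values, not strings.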