berny wrote, at 04/08/2009 05:41 AM:

> 2. If yes, what type do you use?
> a) only PTR check [reject_unknown_reverse_client_hostname]
> b) or PTR=A check [reject_unknown_client_hostname]
> 3. What are your experiences and opinion to it?

I have found it unsafe to use either. At the very least, it will reject mail from poorly run (but legitimate) mailing lists. There are also an alarming number of schools, government and other nonprofit sites that cannot make it past these checks due to poorly configured DNS and the lack of expertise to correct it. At the extreme end, some major registrars cannot pass these checks, which could put domains at risk for recipients who depend on email reminders to renew their domain registrations.

It's a shame, because enforcing these checks would have a noticeable impact on spam, especially FCrDNS:

http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS

Sadly, I have been unable to uncover a method to use FCrDNS in a scoring system. Ideally, I would like to use SpamAssassin, but if anyone knows of another way, please share.

In any case, you can review the potential impact of the above directives by including this in smtpd_(client|recipient)_restrictions:

    warn_if_reject reject_unknown_reverse_client_hostname
    warn_if_reject reject_unknown_client_hostname

Watch your logs and monitor potential rejections. Be aware, however, that it can take months to reveal something truly serious (like a yearly notification from a registrar).
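
One way to do the log review suggested above, as an added example that is not part of the original post: it tallies the reject_warning entries that warn_if_reject produces, per restriction and per sender domain, so that legitimate senders who would have been turned away stand out. The sample log lines are constructed, the names tally_warnings, SAMPLE_LOG, RESTRICTION and LINE_RE are assumptions, and the matching assumes Postfix's stock "cannot find your (reverse) hostname" reject text.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style Postfix logs when a client-hostname
# restriction fails under warn_if_reject; hosts and addresses are made up.
SAMPLE_LOG = """\
Apr  8 05:50:01 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<list-bounces@lists.example.org> to=<amy@example.com> proto=ESMTP helo=<lists.example.org>
Apr  8 06:02:44 mx postfix/smtpd[2133]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<renewals@registrar.example> to=<amy@example.com> proto=ESMTP helo=<out.registrar.example>
Apr  8 06:15:09 mx postfix/smtpd[2140]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<list-bounces@Lists.Example.org> to=<bob@example.com> proto=ESMTP helo=<lists.example.org>
Apr  8 06:20:31 mx postfix/smtpd[2151]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<spam@bad.example> to=<x@elsewhere.example> proto=SMTP helo=<pc>
Apr  8 06:31:12 mx postfix/smtpd[2160]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.99]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.99]; from=<> to=<amy@example.com> proto=ESMTP helo=<mta.example.net>
"""

# Reject text -> the restriction that produced it.
RESTRICTION = {
    "reverse hostname": "reject_unknown_reverse_client_hostname",
    "hostname": "reject_unknown_client_hostname",
}

LINE_RE = re.compile(
    r"reject_warning: \S+ from \S+\[(?P<ip>[^\]]+)\]: \d{3} \S+ "
    r"Client host rejected: cannot find your (?P<kind>reverse hostname|hostname), "
    r".*?from=<(?P<sender>[^>]*)>"
)


def tally_warnings(log_text):
    """Return {restriction: Counter(sender_domain -> would-be rejections)}."""
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # real rejects and unrelated lines are not counted
        sender = m.group("sender")
        # A null sender (bounce) has no domain; keep it visible as "<>".
        domain = sender.rpartition("@")[2].lower() if "@" in sender else "<>"
        result[RESTRICTION[m.group("kind")]][domain] += 1
    return result


if __name__ == "__main__":
    for restriction, domains in tally_warnings(SAMPLE_LOG).items():
        print(restriction)
        for domain, count in domains.most_common():
            print(f"  {count:4d}  {domain}")
```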