On 09/11/2010 11:33, Nick Edwards wrote:
> "Make sure your PTR and A records match. For every IP address, there
> should be a matching PTR record in the in-addr.arpa domain. If a host is
> multi-homed, (more than one IP address) make sure that all IP addresses
> have a corresponding PTR record (not just the first one)."
What that says (or should have said) is:
    foreach $ip in (list of the IPs of your machine)
        foreach $ptr in (list of names returned by resolving $ip)
            foreach $ip2 in (list of IPs returned by resolving $ptr)
                then $ip2 must equal $ip
so:
- for a given IP, you'd better use a single PTR. The use of multiple
PTRs is allowed by the standard, but you'll need to ask yourself: do you
really need it? Many people think that web multi-hosting requires
multiple PTRs. That's wrong. Web multi-hosting is based on multiple A
records for one name (not the opposite).
- if you really use multiple PTRs, say
192.0.2.1 PTR name1.example.com.
192.0.2.1 PTR name2.example.com.
then make sure to have both names resolve to the IP (and _only_ to that IP):
name1.example.com. A 192.0.2.1
name2.example.com. A 192.0.2.1
If your system sends mail, then to avoid problems, create a single PTR
for its IP, and make this PTR resolve to that IP and only to that IP.
$ host 91.121.103.130
130.103.121.91.in-addr.arpa domain name pointer imlil.netoyen.net.
$ host imlil.netoyen.net
imlil.netoyen.net has address 91.121.103.130
Now, other services run on this box. For example:
$ host www.netoyen.net
www.netoyen.net has address 91.121.103.130
but the IP doesn't resolve to www or anything other than the machine
"name" (which is not related to any service).
> Apparently, I'm led to believe that postfix, in doing lookups, only takes
> the first answer it gets, therefore if DNS returns 2 or more, and the
> first entry for whatever reason has no record, then pf fails the lookup
> under unknown client hostname.
Postfix (and other software) will not check all the values returned by
DNS. Otherwise, I could set up 200 PTR records for one IP (each PTR in
its own domain, so that resolving multiple PTRs requires queries to
different servers), and for each PTR, configure 200 A records. Do you
want postfix to check the 200 x 200 possibilities? That's a self-DoS and
an opportunity for a "mirror" attack...
Let me state a principle: one client request should not result in N
queries, unless N is small (the value depends on context; the real thing
is: watch for the potential for abuse).
Anyway, to make a long story short: there are two opposing views:
- FCrDNS fans: their view is explained above.
- FCrDNS opponents: they don't care about this story. Their primary
argument is that rDNS verification brings nothing, and only creates
problems. with IPv6 + zeroconfig + ..., FCrDNS is even less attractive
(more problematic).
Feel free to choose your side, but it doesn't really matter. FCrDNS may
be important for a whitelist, but then you can do whatever tests you
want (it's an "offline" operation). Other than that, rejecting mail
because the client doesn't resolve or has FCrDNS problems will cause
many FPs (even with "correctly" configured servers: DNS failure may
happen at the receiving side or somewhere in between).
> Can someone in the know explain why this is so?
> (Please, no assumptions; there are only a couple of people on this list with
> factual knowledge. I'm not interested in foo's opinion or bar's
> opinion; I'm looking for the executive's decisive reason.)
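The FCrDNS rule laid out in the reply (every PTR name of an IP must resolve back to that IP, and for a mail sender to that IP only), together with the "N must stay small" principle, as an added example. This is not code from the original post or from Postfix; the PTR and A tables are constructed to mirror the post's own examples (imlil.netoyen.net, name1/name2.example.com) and stand in for live DNS answers, and the `max_answers` cap, the `strict` switch and the status names are this example's own choices.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed DNS data.

Added example, not code from the original post.  The tables below are an
assumption standing in for live PTR/A answers; the answer cap is the post's
"N must stay small" rule made concrete."""

# Constructed reverse zone: IP -> PTR names (assumption, mirrors the post).
PTR_TABLE = {
    "91.121.103.130": ["imlil.netoyen.net"],
    "192.0.2.1": ["name1.example.com", "name2.example.com"],
    "192.0.2.2": ["elsewhere.example.net"],   # PTR name that resolves elsewhere
    "192.0.2.3": ["multi.example.net"],       # PTR name with several A records
    "192.0.2.4": [],                          # no PTR at all
}

# Constructed forward zone: name -> A records (assumption).
A_TABLE = {
    "imlil.netoyen.net": ["91.121.103.130"],
    "www.netoyen.net": ["91.121.103.130"],    # other service on the box; the check never looks at it
    "name1.example.com": ["192.0.2.1"],
    "name2.example.com": ["192.0.2.1"],
    "elsewhere.example.net": ["198.51.100.7"],
    "multi.example.net": ["192.0.2.3", "198.51.100.9"],
}


def lookup_ptr(ip):
    """Stand-in for a reverse lookup; [] is where live DNS would say NXDOMAIN."""
    return list(PTR_TABLE.get(ip, []))


def lookup_a(name):
    """Stand-in for a forward (A) lookup."""
    return list(A_TABLE.get(name, []))


def fcrdns(ip, strict=True, max_answers=4, ptr=lookup_ptr, a=lookup_a):
    """Apply the post's loop: each PTR name of `ip` must resolve back to `ip`.

    strict=True  -> every name must resolve to ip and ONLY to ip (the post's
                    advice for a mail sender).
    strict=False -> ip merely has to appear among the name's A records.
    max_answers  -> refuse to follow more than this many PTR or A answers, so
                    one client cannot force N x N queries (the post's warning).

    Returns (status, detail, queries): status is one of "ok", "unknown",
    "mismatch", "too_many"; queries counts the lookups actually performed.
    """
    queries = 1
    names = ptr(ip)
    if not names:
        return "unknown", "no PTR record for %s" % ip, queries
    if len(names) > max_answers:
        return ("too_many",
                "%d PTR records exceed the cap of %d" % (len(names), max_answers),
                queries)
    for name in names:
        queries += 1
        addrs = a(name)
        if len(addrs) > max_answers:
            return ("too_many",
                    "%s has %d A records, cap is %d" % (name, len(addrs), max_answers),
                    queries)
        if ip not in addrs:
            return "mismatch", "%s does not resolve to %s" % (name, ip), queries
        if strict and any(addr != ip for addr in addrs):
            others = ", ".join(x for x in addrs if x != ip)
            return "mismatch", "%s also resolves to %s" % (name, others), queries
    return "ok", "%s <-> %s" % (ip, ", ".join(names)), queries


if __name__ == "__main__":
    for client_ip in sorted(PTR_TABLE):
        status, detail, n = fcrdns(client_ip)
        print("%-15s %-8s %-45s (%d queries)" % (client_ip, status, detail, n))
```

The `queries` counter makes the amplification visible: one client IP with two PTRs already costs three lookups, and without the cap a client publishing many PTRs, each with many A records, would dictate how much work the checker does. The `strict` switch separates the post's recommendation for mail senders (name resolves to that IP only) from the weaker "IP appears somewhere in the A set" test; both are decisions a whitelist can afford offline, which is the post's point about where FCrDNS belongs.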