Kris Deugau wrote:
Jesse Stroik wrote:
There are plenty of places still using mail gateways where the mail
server used for sending is still on an internal network, for a variety
of legitimate reasons, and those mail servers may resolve to a private
address. If you discard all mail with no appropriate reverse DNS,
you'll be discarding a lot of legitimate mail too from a lot of
legitimate mail configurations.
Um, no; the argument is for rejecting mail with **NO** rDNS at all.
Malformed or mismatched rDNS is still a nasty misconfiguration for a
number of reasons.
I can't think of ANY reasons (beyond sysadmin and/or ISP incompetence)
that a public IP originating legitimate SMTP traffic should not have a
reverse DNS entry. (Never mind a properly-formed one, a whole other
argument on its own.)
In my experience, I've come across Exchange servers in private networks
behind mail gateways that were the originating server. In this case,
whether or not you and I think it is a poor configuration, it is a
legitimate SMTP configuration via the RFC and it will have no
reverse-DNS entry for the originating server.
And that sort of thing requires impetus and resources to change, neither
of which you and I control for remote networks. Dropping mail because
the originating server has no reverse DNS record is making bad
assumptions about SMTP. And, as I've said, we have to be careful which
assumptions we make. The rDNS assumption is particularly tempting
because it is particularly effective but that doesn't make it a good
assumption.
Best,
Jesse
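The distinction Kris draws above (no PTR record at all versus a PTR that exists but is mismatched) and the private-address case Jesse raises, as an added example that is not part of the thread: a small Python classifier for a connecting SMTP client address, with a constructed in-memory DNS table standing in for a real resolver. The host names, addresses and reply texts are made up for illustration, and the policy mapping (hard-reject only the no-PTR case, flag mismatches, defer lookup errors) is one possible choice rather than anything the thread agrees on.

```python
"""Classify a connecting SMTP client's reverse DNS state.

Added example, not code from the thread. The DNS data below is a
constructed stand-in for a real resolver; a deployment would query
the resolver and must keep SERVFAIL/timeouts separate from NXDOMAIN,
because only the latter means "no rDNS at all".
"""
import ipaddress
from enum import Enum


class RdnsState(Enum):
    PRIVATE = "private"      # RFC 1918/loopback client: rDNS check not meaningful
    NONE = "none"            # no PTR record at all (NXDOMAIN)
    MISMATCH = "mismatch"    # PTR exists, but its forward lookup does not confirm it
    CONFIRMED = "confirmed"  # forward-confirmed reverse DNS (FCrDNS)
    TEMPFAIL = "tempfail"    # resolver error: defer, never treat as "no rDNS"


class NxDomain(Exception):
    pass


class ServFail(Exception):
    pass


# RFC 1918 ranges, listed explicitly (ipaddress.is_private also flags
# documentation ranges such as 203.0.113.0/24, which we use as "public"
# sample addresses here).
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed DNS data for this example (not real hosts).
# 203.0.113.40 has no PTR entry at all -> NXDOMAIN.
_PTR = {
    "203.0.113.10": ["mail.example.org."],
    "203.0.113.20": ["mta.example.net."],  # forward A does not point back
    "203.0.113.30": None,                  # simulated SERVFAIL/timeout
}
_A = {
    "mail.example.org.": ["203.0.113.10"],
    "mta.example.net.": ["198.51.100.5"],
}


def lookup_ptr(ip):
    """Stand-in for a PTR query; raises the way a resolver would."""
    if ip not in _PTR:
        raise NxDomain(ip)
    if _PTR[ip] is None:
        raise ServFail(ip)
    return _PTR[ip]


def lookup_a(name):
    """Stand-in for an A query on the PTR target."""
    return _A.get(name, [])


def classify(ip, ptr=lookup_ptr, a=lookup_a):
    """Return the rDNS state of a connecting client address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or any(addr in net for net in _RFC1918):
        return RdnsState.PRIVATE
    try:
        names = ptr(ip)
    except NxDomain:
        return RdnsState.NONE
    except ServFail:
        return RdnsState.TEMPFAIL
    # FCrDNS: at least one PTR target must resolve back to the client IP.
    for name in names:
        if ip in a(name):
            return RdnsState.CONFIRMED
    return RdnsState.MISMATCH


def smtp_decision(ip):
    """Map the state to an SMTP reply at connection time.

    Only the "no PTR at all" case is hard-rejected; a mismatched PTR is
    accepted and flagged for later scoring, and lookup errors are
    deferred. Enhanced status code X.7.25 is the RFC 7372 code for
    reverse DNS validation failure.
    """
    state = classify(ip)
    if state is RdnsState.NONE:
        return f"550 5.7.25 Client host {ip} has no reverse DNS entry"
    if state is RdnsState.TEMPFAIL:
        return f"450 4.7.25 Temporary reverse DNS lookup failure for {ip}"
    if state is RdnsState.MISMATCH:
        return "250 OK (flagged: PTR not forward-confirmed)"
    return "250 OK"


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.20", "203.0.113.30",
                   "203.0.113.40", "10.1.2.3"):
        print(client, classify(client).value, "->", smtp_decision(client))
```

The private-range check comes first because an internal relay (the Exchange-behind-a-gateway case) never has a public PTR to check; the check applies to the address that actually connects to the receiving MTA, which for such a setup is the gateway's public address.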