On Tue, 24 Nov 2015 15:15:17 -0800 (PST)
John Hardin wrote:

> On Tue, 24 Nov 2015, RW wrote:
>
> > On Tue, 24 Nov 2015 12:03:12 -0800 (PST)
> > John Hardin wrote:
> >
> >> On Tue, 24 Nov 2015, Reindl Harald wrote:
> >>
> >>> i would suggest when the Received header for the *first* untrusted
> >>> hop
> >>
> >> Just so we're clear on first vs. last: the host that submitted the
> >> mail to the most-remote MTA whose headers you trust.
> >>
> >>> don't contain a reverse dns information *and only then* do that
> >>> lookup directly in SA if network tests are enabled
> >>
> >> This seems to me a reasonable approach. There's no need to check
> >> RDNS on hops prior to the final untrusted hop (chronologically
> >> speaking).
> >
> > It would be the last relay into the internal network, if it's from
> > an untrusted server. The edge of the trusted network may be a
> > submission server.
>
> You don't trust the headers your submission server generates?

It's more a question of why you would want to look up the reverse DNS of a mail client. It's only the handover into the internal network from an untrusted server where reverse DNS matters.
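
The selection rule discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own code: walk the Received headers newest-first, find the relay that handed the mail into the internal network, and ask for a reverse DNS lookup only when that header carries no rDNS and the relay is not a mail client using a submission server. The Postfix-style header layout, the `10.0.0.0/8` internal range, the sample headers and all function and parameter names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample, newest hop first. Postfix-style layout is assumed:
# "from HELO (RDNS [IP]) by HOST", with "unknown" when no PTR was found.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [10.0.0.5]) by store.example.net",
    "from mail.sender.test (unknown [198.51.100.7]) by mx.example.net",
    "from [192.168.1.20] (unknown [203.0.113.9]) by mail.sender.test",
]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

RELAY_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")


def parse_relay(line):
    """Extract HELO, rDNS and IP from one Received line, or None."""
    m = RELAY_RE.search(line)
    if m is None:
        return None
    helo, rdns, ip = m.groups()
    return {
        "helo": helo,
        "rdns": None if rdns == "unknown" else rdns,
        "ip": ipaddress.ip_address(ip),
    }


def handover_relay(received, internal):
    """Return the relay that handed the mail into the internal network."""
    for line in received:
        relay = parse_relay(line)
        if relay is None:
            return None  # unparseable hop: do not guess past it
        if not any(relay["ip"] in net for net in internal):
            return relay  # first non-internal sender, newest-first
    return None  # every hop was internal


def needs_rdns_lookup(received, internal, from_submission_client=False):
    """True only for an untrusted server handover that lacks rDNS."""
    relay = handover_relay(received, internal)
    if relay is None or from_submission_client:
        return False  # nothing to check, or the peer is a mail client
    return relay["rdns"] is None  # header rDNS present: no extra lookup
```

Older hops, such as the `203.0.113.9` line in the sample, are never examined, because everything below the handover was written by hosts outside the internal network.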