Re: [Exim] Newbie SMTP/ISP-Problem ...

Author: Dave C.
Date:  
To: James P. Roberts
CC: exim-users
Subject: Re: [Exim] Newbie SMTP/ISP-Problem ...
On Sat, 21 Sep 2002, James P. Roberts wrote:

> <snip>
>
> >The spammers have made the business of operating relays
> >of ANY kind very difficult.
>
> I totally agree.
>
> >As an ISP/Service Bureau I can tell you that we ALWAYS
> >validate the domain name returned by the reverse-DNS query
> >and if they don't match? Sorry, you're not getting email in here!
> >It is getting far too risky for us to do it any other way.
>
> I probably misunderstand what you do, so I'll ask by example...
>
> I run a small web and email hosting service. My ISP provides me
> with a very small block of static IP's. I run my own DNS servers.
> HOWEVER, I cannot get my ISP to properly delegate reverse
> DNS lookups. (Huge sigh). A reverse DNS on my IP gets a
> single valid response, which is some made-up name provided by
> the ISP. With me so far?


Yikes. Your ISP doesn't seem to be competent to provide service then. I
would keep pestering them until they get this right.

BTW, there is an RFC on how to do delegations that don't align with an IP
dot boundary. Search google for it and forward a copy to your ISP. It's
about 5+ years old, long enough for any competent ISP to be able to
support.

> OK, now, I host several customer domains. They are permitted
> to relay only after SMTP AUTH over TLS. I re-write their email
> headers to replace my domain name with their own, so that they
> appear (correctly) to be sending from their own domain. If you
> look up the MX or A records for their domains, you will get my


Hopefully if you look up an MX for these domains, you get a host *name*
which then has an A record with your IP address. IP addresses cannot go
directly in MX records.

> static IP address (i.e. correct place to send replies to their domain).
> If you reverse lookup that IP, you get my ISP's pseudo-name.
> No match. Not even for my own domain!
>
> Even if I could get my IP addresses properly delegated (ie. able to
> control the reverse DNS entries), you still wouldn't necessarily get
> a match, because you could get MULTIPLE answers to a reverse


The 'canonical/proper' name of your server should not change, regardless
of what domain (or how many domains) it's handling mail for. Virtual
hosting does not change that, nor does it need to.

The ISP I work for does virtual webhosting, and virtual mail. The
servers that handle these functions still have only one name.. Eg:

domain1.com       IN MX 10 ourserver.ourdomain.com.
domain2.org       IN MX 10 ourserver.ourdomain.com.
otherdomain.net   IN MX 10 ourserver.ourdomain.com.


The name of the server does not need to match the domain of the email
addresses it handles.

> DNS query, one for each domain hosted. If there are a LOT of
> answers, DNS will truncate the results. BTW it is perfectly
> legitimate to get multiple answers to a reverse DNS query.
> Happens all the time. As it should. Face it, we can't
> afford to have one unique IP per domain. There aren't enough to


Yes but 'domains' don't need IPs. Only servers do.

For virtual webhosting, on a server called 'webserver.ourdomain.com':

www.somecustomer.net.    IN CNAME webserver.ourdomain.com.
www.anothercust.com.    IN CNAME webserver.ourdomain.com.
www.foocompany.org.    IN CNAME webserver.ourdomain.com.
www.yetanother.com.    IN CNAME webserver.ourdomain.com.


The server should have its own name, which stands alone from the
hostnames of any websites it runs.

> go around anymore. Virtual hosting is a virtual necessity!
>
> If I understand your comments correctly, (and I very well may
> not; it's >5:30 am and I've not been to bed yet!), you may be
> blocking dramatically more email than mere spam. I would
> hazard a guess that more than half of all email users do not have
> matching forward and reverse DNS entries. (Not even counting
> spammers). Does anyone have any hard data on this?


*Many* ISPs use lists of dynamic IP pools to block mail. If your IPs
are listed in one of the lists of 'dynamic/dialup' blocks, and your IPs
are NOT dynamic, you should contact the maintainer of that list and let
them know. (Or possibly if your ISP provided that information to the
list, ask your ISP to request that it be updated)

*Some* people running mailservers require the name you give in a HELO to
resolve via a forward lookup to the IP address you are talking to them
from. This shouldn't be that hard to do.

*Some* people running mailservers require the HELO name to match, AND
require forward and reverse DNS for that name to match. Obviously you
can't do this unless you can get your ISP to give you a handle on your
in-addr lookups.

While I strongly support and recommend the first, I don't generally
recommend the latter two.

Regardless, if someone is choosing to make these requirements, then
apparently it's not important to them to receive mail from you or your
customers.

>
> <snip>
>
> >Even sending email from a web host is difficult now. Because
> >ARIN will no longer accept 'virtual hosting' as a justification
> >for address assignments you will notice that most hosting house
> >do not offer the possibility of relaying email through your site.
> >Some do - by using a separate machine to do the relaying.
> >But even this can fall down!
>
> I offer exactly that service, as described above. And I do not
> require a separate machine for relaying. The only thing that
> makes it "fall down" is people expecting unique IPs for
> every email domain. The entire DNS/Internet system now relies


Domains do not have to correspond to servers.

> on the ability to overlap multiple domains per IP address
> ("virtual hosting").
>


Domains do not have IP addresses, servers do.

> Actually, this might change again, if we ever adopt IPV6
> universally. But I digress.
>
> >My advice? If you are really serious go out and get a dedicated
> >server at a hosting house. They will give you an IP address (or
> >even a small block) and with some you even get to run your own
> >DNS. One company worth trying is to be found at
> >www.nocster.com (I use them but have no other association)
> >who currently offer Exim 3.36 on their servers.
> >
> >John Day
> >Toronto, Canada
>
> I offer Exim 4.x on my servers, along with POP and IMAP,
> which may accomplish what Jeff wants; that is, to have his own
> domain name on his own emails, with replies sent to same
> address actually getting back to him.


AFAIK, even the most drastic restrictions in use don't require the name
of the server (as given in HELO, or from DNS) to correspond to the email
address in the headers (or even the envelope) of messages.

>
> Jeff, contact me, and maybe we can setup something to get
> around your ISP problems, without making you change ISPs.
>
> Jim Roberts
> punster@???
> www.punsterproductions.com
>
>
> At 12:11 PM 9/20/2002 -0400, Jeff Breitner wrote:
> >> I'd like to use my own Linux-Box as SMTP-host because my ISP
> >> always rewrites my e-mail address but I'd like to use my
> >> standard alias. (I use email@??? but after sending via
> >> my ISP the recipient would see email@??? and would answer
> >> to it ... ) The problem is, that certain other ISPs will not
> >> accept emails sent from dial-up hosts (in this case, my
> >> private PC), so how can I fix this???
> >>
> >
> >
> >The answer is, you can't.
> <snip>
>
> I disagree! (see above) You just need to buy email hosting services
> from someone other than your ISP (me, for example). Imagine being
> able to change ISP without changing your email address... Yep, this
> is possible!
>
> >I disagree with your ISP rewriting your mail envelopes to change your
> >address. I think that if they accept mail for relay, then they have to
> >accept it as is and it simply is not their business to change it. I
> >understand their reasoning, but fail to see how that changes anything
> >when fighting/researching the cause of junk and abusive mail.
>
> Maybe it is wrong for an ISP to do it. But I am not an ISP, only a
> hosting service. Different Beastie.
>
> My customers WANT their mail to be coming from the domain they
> are paying for, not from someone else's. I make a point of this.
> It is a FEATURE of my service. I enforce SMTP AUTH over TLS
> to verify my customer's identities. And I have a strict policy against
> my customers sending spam; anyone doing it loses their service.
>
> So, I hope you can understand that it is sometimes OK to use
> re-write rules on relayed mail? It has to be done with the customer's
> understanding, desire, permission. If it is for their benefit, then I feel
> it is not only OK, but downright unethical to NOT do it for them.
>
> Otherwise, I would be forcing my customers to advertise me with
> every email, instead of their own selves. And that just seems wrong.
>
> Just for clarification, the only thing my re-write does is replace
> occurrences of my domain name, with the authenticated customer's
> domain name, in any outgoing headers.
>
> Oh, I get it! The problem is with the ISP over-writing the
> customer's domain with their own. I do exactly the opposite!
> So, I really am a good guy. Sigh. I need sleep.
>
> Good night all! (Or is it morning already...? dang it).
>
> Jim Roberts
> Punster Productions, Inc.
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
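The three receiver-side checks Dave lists (HELO forward lookup, HELO plus forward/reverse agreement, and the rule that MX data must be a hostname rather than an address), as an added example that is not part of the thread. It runs against a constructed in-memory DNS table; every name and address in it is a placeholder, and a real deployment would query a resolver instead.

```python
# Added example, not from the exim-users thread: evaluates the DNS-based
# acceptance checks discussed above against a constructed DNS table.
import ipaddress

# Constructed records (assumption: placeholder names/addresses, not real hosts).
A_RECORDS = {
    "ourserver.ourdomain.com": {"192.0.2.25"},
    "webserver.ourdomain.com": {"192.0.2.27"},
    "mail.hoster.example": {"192.0.2.26"},   # Jim's situation: no rDNS control
}
PTR_RECORDS = {
    "192.0.2.25": ["ourserver.ourdomain.com"],
    "192.0.2.26": ["static-26.isp.example"],  # ISP pseudo-name, never round-trips
    # Several PTR answers for one address; any one that round-trips suffices.
    "192.0.2.27": ["www.somecustomer.net", "webserver.ourdomain.com"],
}
MX_RECORDS = {
    "domain1.com": ["ourserver.ourdomain.com"],
    "broken.example": ["192.0.2.25"],         # address literal: not a valid MX target
}

def forward(name):
    return A_RECORDS.get(name.lower().rstrip("."), set())

def reverse(ip):
    return [n.lower().rstrip(".") for n in PTR_RECORDS.get(ip, [])]

def helo_forward_ok(helo, peer_ip):
    """Check 1: the HELO name must have an A record for the connecting address."""
    return peer_ip in forward(helo)

def fcrdns_ok(peer_ip):
    """Forward-confirmed reverse DNS: some PTR name resolves back to the address."""
    return any(peer_ip in forward(name) for name in reverse(peer_ip))

def helo_strict_ok(helo, peer_ip):
    """Check 2: HELO name must also be among the PTR names, and round-trip."""
    helo = helo.lower().rstrip(".")
    return helo_forward_ok(helo, peer_ip) and helo in reverse(peer_ip) and fcrdns_ok(peer_ip)

def mx_targets_valid(domain):
    """MX data must be a hostname that resolves; a bare IP in an MX is rejected."""
    targets = MX_RECORDS.get(domain, [])
    if not targets:
        return False
    for target in targets:
        try:
            ipaddress.ip_address(target)      # parses: it's an address literal
            return False
        except ValueError:
            if not forward(target):
                return False
    return True
```

The site without reverse-DNS control passes the first check but fails the strict one, which is exactly the difference Dave draws between the policies he recommends and the ones he doesn't.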