Author: Kevin P. Fleming
Date:
CC: exim-users
Subject: Re: [Exim] Example of legit email rejected by testing on reverse IP lookup

James P. Roberts wrote:
> The following is the response from ipal.net to an ordinary email sent
> from punsterproductions.com (my own server); I include the headers from
> the message as well, for completeness. It was obviously rejected
> because the admin at mx0.ipal.net implemented a "reverse DNS" check, and
> the resulting hostname did not match. I've been making the point for
> some time that this is not a great idea, as one will block legitimate
> email, because there are so many people who are STUCK, without any
> recourse, with ISPs that refuse to properly delegate IP address blocks
> (they instead provide "dummy" host names for reverse lookups). My own
> so-called "business" DSL service (from Covad, the only DSL provider in
> my area) is such a case. Until I can afford a T1 line from a "real"
> ISP, I am stuck with this situation. (Don't think I haven't tried to
> explain this to Covad. I might as well beat my head on a brick wall.)
>
> All I can do is ask MTA admins to not reject email just because the
> reverse DNS hostname doesn't match. In a lot of perfectly legitimate
> cases, it will not match. There are plenty of other (better) ways to
> block spam, without blocking legitimate email traffic.

And anyone who is using Exim to do this reverse lookup (seeing as how
you sent this to the Exim list) would not have this problem. Exim only
requires that at least _one_ host name provided as a result of a PTR
query forward resolves to that same IP address. It does not care about
any other names that the calling server may provide (unless the
administrator has enabled HELO verification, which is entirely different).

I run all my servers with reverse lookup verification enabled, and it
has not yet stopped one piece of legitimate mail. It wouldn't have
stopped yours either, since Covad's "fake" name for your IP address is
what comes back from the PTR query, and a forward lookup on that name
would give back the same IP address. There's no need for the ISP to
support reverse DNS delegation to get Exim's reverse lookups to pass.

And, if I'm not mistaken, this was discussed a few months back when you
brought up the same issue, and the responses were all the same ("Exim
does not have that problem..."). I could be wrong, my memory's not what
it used to be :-)

I can't think of a single reason to accept mail from any host that
doesn't have a reverse lookup available, or whose reverse lookup name
doesn't resolve to the original IP address.
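
The rule described in the reply above (at least one PTR name must forward-resolve to the connecting IP), set beside a stricter name-match policy, as an added example that is not part of the original message and not Exim's own code. All addresses, host names and the `fcrdns` / `strict_name_match` helpers are constructed for illustration, and the name-match policy is an assumption about what a stricter check might compare.

```python
import ipaddress

# Constructed DNS data (RFC 5737 documentation addresses); not taken from the thread.
PTR = {
    "192.0.2.25": ["dsl-192-0-2-25.isp.example."],   # ISP-assigned generic name
    "192.0.2.40": ["mx.forged.example.", "host40.isp.example."],
    "192.0.2.77": ["mail.bank.example."],            # PTR claims a name it does not own
}
A = {
    "dsl-192-0-2-25.isp.example": ["192.0.2.25"],
    "mail.customer.example": ["192.0.2.25"],
    "host40.isp.example": ["192.0.2.40"],
    "mail.bank.example": ["198.51.100.9"],
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def ptr_lookup(ip):
    return PTR.get(ip, [])

def a_lookup(name):
    return A.get(name, [])

def fcrdns(ip, ptr_lookup=ptr_lookup, a_lookup=a_lookup):
    """Return the PTR names that forward-resolve back to ip (empty list = fail)."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        addrs = a_lookup(norm(name))
        if any(ipaddress.ip_address(a) == target for a in addrs):
            confirmed.append(norm(name))
    return confirmed

def strict_name_match(ip, claimed_name, ptr_lookup=ptr_lookup):
    """Assumed stricter policy: a PTR name must equal the name the sender gives."""
    return norm(claimed_name) in [norm(n) for n in ptr_lookup(ip)]

if __name__ == "__main__":
    # A host on an ISP that does not delegate reverse DNS: passes the
    # forward-confirmed check, fails the name-match policy.
    print(fcrdns("192.0.2.25"))
    print(strict_name_match("192.0.2.25", "mail.customer.example"))
    # A PTR pointing at a name whose A record is elsewhere, and no PTR at all.
    print(fcrdns("192.0.2.77"), fcrdns("203.0.113.5"))
```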