Author: James P. Roberts Date: To: exim-users Subject: Re: [Exim] Example of legit email rejected by testing on reverse IP lookup
<snip> > > All I can do is ask MTA admins to not reject email just because the
> > reverse DNS hostname doesn't match. In a lot of perfectly legitimate > > cases, it will not match. There are plenty of other (better) ways to > > block spam, without blocking legitimate email traffic.
>
> And anyone who is using Exim to do this reverse lookup (seeing as how
> you sent this to the Exim list) would not have this problem. Exim only
> requires that at least _one_ host name provided as a result of a PTR
> query forward resolves to that same IP address. It does not care about
> any other names that the calling server may provide (unless the
> administrator has enabled HELO verification, which is entirely different). >
> I run all my servers with reverse lookup verification enabled, and it
> has not yet stopped one piece of legitimate mail. It wouldn't have
> stopped yours either, since Covad's "fake" name for your IP address is
> what comes back from the PTR query, and a forward lookup on that name
> would give back the same IP address. There's no need for the ISP to
> support reverse DNS delegation to get Exim's reverse lookups to pass.
An interesting tidbit: This is the first email I've seen rejected
because my reverse DNS name is a "generic" name provided by Covad,
rather than my real hostname. On the other hand, during a 3 day period,
immediately after Covad changed my IP block, they had NO reverse DNS
entry setup, and I had many, many emails rejected. I was upset and
tried to get proper reverse DNS setup at that time...
As the salmon said upon hitting a concrete wall... "Dam!"
But at least I got a "dummy" reverse DNS from them, which apparently
satisfies most MTA installations. But obviously not all.
>
> And, if I'm not mistaken this was discussed a few months back when you
> brought up the same issue, and the responses were all the same ("Exim
> does not have that problem..."). I could be wrong, my memory's not what > is used to be :-)
Mine either!
("I think I used to have a good memory, but I don't really remember.")
>
> I can't think of a single reason to accept mail from any host that
> doesn't have a reverse lookup available, or whose reverse lookup name
> doesn't resolve to the original IP address.
>
Thanks for the additional clarification on how Exim handles it. (I was
confused - shame on me - by the "This message was automatically
generated by Exim" part of the bounce message. Doh.) As it happens,
the MTA that rejected my email was actually Postfix. BTW, I would like
to publicly thank the admin thereof for putting me on his whitelist (it
made continuing discussion of the issue so much easier, since we could
do it off-list). He has been very helpful in explaining his system, and
exactly why my original email to him bounced.
I've gotten a lot of helpful feedback on the issue, from a number of
people, and my thanks to you all.
I am coming over to the conclusion that it is in the general
best-interest to convince ISPs to do static IP block delegation
correctly, rather than trying to convince innumerable MTA installations
to work around it. Thus, I am in the market for a new ISP that is
technically competent.
Unfortunately, in order to use SDSL in my area, I only have one choice
(Covad). I am exploring alternative methods of having a reliable, 24x7,
reasonably hi-speed, hopefully reasonably priced, internet connection
that permits web and email servers. Unfortunately, all the alternatives
are more expensive, which means I may have to raise my prices, which I
REALLY don't want to do.
