Re: [Exim] Require A records for host names in HELOs?

Author: The prejudiciously configured Exim User's Mailing List
Date:  
To: Fred Viles
CC: Exim User's Mailing List
Subject: Re: [Exim] Require A records for host names in HELOs?
[ On Thursday, February 5, 2004 at 10:38:31 (-0800), Fred Viles wrote: ]
> Subject: Re: [Exim] Require A records for host names in HELOs?
>
> I believe I did. But before replying, I'll try it again to be
> sure... Yup, just what I remembered. Maybe *you* should read it
> carefully:
>
> SMTP error from remote mailer after HELO epitools.com:
> host mail.weird.com [204.92.254.2]: 501-fatal error while validating 'HELO' host name 'epitools.com'.
> 501-connection rejected from ns.epitools.com remote address [66.166.77.34].
> 501-Reason given was:
> 501- No reverse DNS PTR for the remote address [66.166.77.34] has a hostname
> 501 matching 'epitools.com'


The error above is in fact derived in much the same way as the one
below is derived by 'host'.

$ host -v -A epitools.com
Query about epitools.com for record types A
Found 1 address for host epitools.com
Hostname epitools.com maps to address 66.166.77.34
Checking epitools.com address 66.166.77.34
*** epitools.com address 66.166.77.34 maps to hostname ns.epitools.com
*** Hostname epitools.com does not belong to address 66.166.77.34
*** Not all addresses for hostname epitools.com have a matching hostname.


I.e. I've already verified that your hostname does resolve to your
source address -- now I'm just checking that if there are any PTRs for
that address then at least one must have the same hostname from which it
could be derived via an A RR lookup. Everything must fit together.

If you had no reverse PTR, and _if_ I had configured my mailer to
require one, then the error reason would have been something like:

    Remote address PTR lookup failed: Host not found.


(but of course as much as I'd like to, I don't actually require PTRs so
my mailer should never generate that error -- I just require that any
existing PTRs be correct, and by correct I mean that they point to
hostnames which will resolve to hostnames with an address they were
derived from)

In your case the simple addition of a few more PTRs (in your CIDR-ized
reverse zone) would solve the problem for all your hostnames:

    h-66-166-77-34.rev.epitools.com.    IN PTR    epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    ftp.epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    gold.epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    gw-pub.epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    imap.epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    mail.epitools.com.
    h-66-166-77-34.rev.epitools.com.    IN PTR    www.epitools.com.


(i.e. add these in addition to the one pointing to ns.epitools.com)

(and no, that's not too many -- the practical and usable limit is 35)

You might also consider making "rev.epitools.com" a proper zone and have
it separately slaved by your secondary service.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
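
The HELO check described in the message above, as an added example that is not part of the original post and is not the code of any particular mailer. The function names and the in-memory dictionaries standing in for DNS are assumptions; the zone data is constructed from the records quoted in the message, with the A record for ns.epitools.com assumed and only some of the suggested PTRs included.

```python
# Added illustration; the zone data below is constructed, not live DNS.

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def validate_helo(helo, remote_addr, a_rrs, ptr_rrs, require_ptr=False):
    """Return (accepted, reason) for a HELO name offered from remote_addr.

    a_rrs:   hostname -> list of addresses (forward zone)
    ptr_rrs: address  -> list of hostnames (reverse zone)
    """
    helo = norm(helo)
    forward = {norm(h): addrs for h, addrs in a_rrs.items()}
    # Step 1: the HELO name must resolve to the connecting address.
    if remote_addr not in forward.get(helo, []):
        return False, f"'{helo}' has no A record for [{remote_addr}]"
    # Step 2: PTRs are optional unless require_ptr is set ...
    ptr_names = [norm(n) for n in ptr_rrs.get(remote_addr, [])]
    if not ptr_names:
        if require_ptr:
            return False, "Remote address PTR lookup failed: Host not found."
        return True, "no PTR records to contradict the HELO name"
    # ... but if any exist, at least one must name the HELO host.
    if helo not in ptr_names:
        return False, (f"No reverse DNS PTR for the remote address "
                       f"[{remote_addr}] has a hostname matching '{helo}'")
    return True, "HELO name, A record and PTR record agree"

ADDR = "66.166.77.34"
# Forward zone; the ns.epitools.com A record is an assumption.
A_RRS = {"epitools.com.": [ADDR], "ns.epitools.com.": [ADDR]}
# Reverse zone as 'host' reported it, and with some of the suggested PTRs added.
PTR_BEFORE = {ADDR: ["ns.epitools.com."]}
PTR_AFTER = {ADDR: ["ns.epitools.com.", "epitools.com.", "mail.epitools.com."]}

if __name__ == "__main__":
    for label, ptrs in (("before", PTR_BEFORE), ("after", PTR_AFTER), ("no PTR", {})):
        print(label, validate_helo("epitools.com", ADDR, A_RRS, ptrs))
```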