On Mon, 19 Sep 2016, Mike Tubby wrote:
>
> My point is that there's nothing in any of the RFCs that says your reverse
> DNS must work which is why we perform our checking against known block lists
> such as SpamHaus et al.
>
This may be true, but the reality of mail receiving is that sending IPs
which are NXDOMAIN are generally safe to reject mail from.
> Our experience is that rDNS cannot be used reliably for several reasons that
> include:
>
> * multiple hosts behind load balancer
>
Outbound hosts typically don't go through a load-balancer.
> * mis-match between exact host and generic host like "mx01a.megacorp.com"
> and "mx.megacorp.com"
I make no claims as to mismatches. I do agree if you're going to do a
fcrDNS check, it's best to be lenient if the names are different but are
in the same domain.
>
> * internal hosts calling out through firewalls, eg. host
> MSEXCH01.internal.megacorp.com calls out through a firewall with a public IP
> that either reverses to "fw.megacorp.com" or in case of some organisations
> like the police is simply anonymous (no rDNS)
>
See above.
> hence our experience is that it is dangerous to attribute lack of correct
> rDNS to being SPAM, however YMMV ;-)
>
There's a difference between lack of correct rDNS, and NXDOMAIN, and
SERVFAIL.
The first, see my comments above. The second, rejecting is relatively
safe. The third, deferral is recommended.
--
--------------------------------------------------------
Dave Lugo dlugo@??? LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
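The accept/reject/defer policy laid out in the reply above, as an added example that is not from the thread or either poster: a classifier that takes an injected resolver, so it runs offline against constructed zone data. The hostnames, TEST-NET addresses, the two-label `registered_domain` heuristic, and deferring on a SERVFAIL for the forward lookup as well as the PTR are all assumptions.

```python
import ipaddress
from enum import Enum

class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"

# Constructed zone data (hypothetical names, TEST-NET addresses; not from the thread).
# Keyed by (qname, qtype); anything absent answers NXDOMAIN.
ZONE = {
    ("10.2.0.192.in-addr.arpa", "PTR"): (Rcode.NOERROR, ["mx01a.megacorp.example"]),
    ("mx01a.megacorp.example", "A"): (Rcode.NOERROR, ["192.0.2.10"]),
    ("11.2.0.192.in-addr.arpa", "PTR"): (Rcode.NOERROR, ["fw.megacorp.example"]),
    ("fw.megacorp.example", "A"): (Rcode.NOERROR, ["192.0.2.11"]),
    ("12.2.0.192.in-addr.arpa", "PTR"): (Rcode.SERVFAIL, []),
    ("14.2.0.192.in-addr.arpa", "PTR"): (Rcode.NOERROR, ["host.other.example"]),
    ("host.other.example", "A"): (Rcode.NOERROR, ["198.51.100.5"]),
}

def lookup(qname, qtype):
    """Offline stand-in for a DNS resolver: returns (rcode, records)."""
    return ZONE.get((qname.lower().rstrip("."), qtype), (Rcode.NXDOMAIN, []))

def registered_domain(name):
    # Assumption: the last two labels are the organisation's domain; real code
    # would consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(ip, helo, resolver=lookup):
    """Return (action, reason): NXDOMAIN -> reject, SERVFAIL -> defer,
    forward-confirmed PTR -> accept (HELO in same domain counts as a match),
    unconfirmed PTR -> accept but flag, since a mismatch alone is not spam."""
    rcode, names = resolver(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if rcode is Rcode.NXDOMAIN:
        return "reject", "no PTR record (NXDOMAIN)"
    if rcode is Rcode.SERVFAIL:
        return "defer", "PTR lookup SERVFAIL, retry later"
    for name in names:
        frcode, addrs = resolver(name, "A")
        if frcode is Rcode.SERVFAIL:
            return "defer", f"forward lookup of {name} SERVFAIL, retry later"
        if ip in addrs:
            same = registered_domain(name) == registered_domain(helo)
            return "accept", f"fcrDNS via {name}; HELO {'in same domain' if same else 'domain differs'}"
    return "accept", "PTR present but not forward-confirmed; flag for scoring only"
```

Swap `lookup` for a real resolver call (PTR then A/AAAA) to use it in an SMTP policy hook; the "accept but flag" outcome is what a scoring system would consume rather than a hard reject.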