Re: [exim] ot: rDNS + spam assassin

Góra strony
Delete this message
Reply to this message
Autor: Dave Lugo
Data:  
Dla: exim-users
Temat: Re: [exim] ot: rDNS + spam assassin
On Mon, 19 Sep 2016, Mike Tubby wrote:
>
> My point is that there's nothing in any of the RFCs that says your reverse
> DNS must work which is why we perform our checking against known block lists
> such as SpamHaus et. al.
>


This may be true, but the reality of mail receiving is that sending IPs
which are NXDOMAIN are generally safe to reject mail from.



> Our experience is that rDNS cannot be used reliably for several reasons that
> include:
>
>    * multiple hosts behind load balancer

>


Outbound hosts typically don't go through a load-balancer.


>    * mis-match between exact host and generic host like "mx01a.megacorp.com" 
> and "mx.megacorp.com"



I make no claims as to mismatches. I do agree if you're going to to a
fcrDNS check, it's best to be lenient if the names are different but are
in the same domain.

>
>    * internal hosts calling out through firewalls, eg. host 
> MSEXCH01.internal.megacorp.com calls out through a firewall with a public IP 
> that either reverses to "fw.megacorp.com" or in case of some organisations 
> like the police is simply anonymous (no rDNS)

>



See above.

> hence our experience is that it is dangerous to attribute lack of correct
> rDNS to being SPAM, however YMMV ;-)
>


There's a difference between lack of correct rDNS, and NXDOMAIN, and
SERVFAIL.

The first, see my comments above. The second, rejecting is relatively
safe. The third, deferral is recommended.

-- 
--------------------------------------------------------
Dave Lugo   dlugo@???    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.