On Mon, May 06, 2013 at 11:13:20PM +0200, Vincent Lefevre wrote:
> On 2013-05-06 01:10:59 -0500, Stan Hoeppner wrote:
> > On 5/5/2013 8:10 PM, Vincent Lefevre wrote:
> > > Received: from carotte.tilapin.org (unknown [95.138.72.61])
> > >         by ioooi.vinc17.net (Postfix) with ESMTPS id EFA4959
> > >         for <vinc...@vinc17.net>; Tue,  2 Oct 2012 03:15:23
> > >         +0200 (CEST)
> > >
> > > $ host 95.138.72.61
> > > Host 61.72.138.95.in-addr.arpa. not found: 3(NXDOMAIN)
> > 
> > ~$ host 95.138.72.61
> > Host 61.72.138.95.in-addr.arpa. not found: 3(NXDOMAIN)
> > 
> > ~$ host carotte.tilapin.org
> > carotte.tilapin.org has address 5.187.106.61
> > 
> > Not only is rDNS non-existent but the HELO name points to an IP 
> > different than the client IP.  It's difficult to FUBAR this more 
> > than it is.
> 
> AFAIK, there's no requirement in the RFCs that the HELO name point
> to the client IP, and there are good reasons to allow a mismatch, e.g.
> due to several machines sharing the same IP with NAT, or a machine
> having several interfaces (with several IPs), or a laptop that can
> move between various networks.

It's not usual, and definitely not ideal, to use NAT on a mail 
exchanger, although a load balancer (which is more common and 
sensible) can have similar effects. Also, a laptop as you describe 
would usually not be in the role of mail exchanger, so its HELO 
should only matter to its MSA.

So while you are right, strictly speaking, you should consider what's 
best practice for mail exchangers. Ideally they should have HELO 
matching FCrDNS. FCrDNS itself is not just a best practice, it is a 
requirement.

> > > and this is from a Debian developer.
> > 
snip
> 
> I just meant that
>   * his mail config is probably sane (the fact that the IP doesn't
>     have a rDNS is not his fault, but the ISP's);

Don't try to run a mail exchanger on a dynamic IP address or one 
lacking FCrDNS. It's definitely his fault for doing so.

>   * one can lose rather important mail (e.g. related to work).

Yes. Reread Noel's post upthread. I was the one who originally said 
reject_unknown_reverse_client_hostname is safe, and Noel explained 
why: the mail you reject is also being rejected by most major 
receivers. Your would-be correspondent has trouble corresponding with 
everyone. Eventually he should figure out that he can't run a mail 
server on a dynamic IP address.

Sure, you might choose to open your floodgates to these clients. I 
guarantee the vast majority of them are spam zombies.

> Anyway one should be able to configure *client*-side mail software
> without being a specialist of SMTP RFCs and things like that...

Absolutely. You would have your MUA submit to a MSA. Your MSA would 
not care about FCrDNS.

This isn't about MUAs, this is about MTAs.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
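The two checks argued over above, rDNS/FCrDNS on the client IP and whether the HELO name resolves back to that IP, as an added example in Python (not code from the thread or from Postfix). It parses the Postfix-style `Received:` clause quoted at the top of the thread and runs both checks against constructed, injected DNS tables so it works offline; the tables reproduce what the `host` output in the thread shows (no PTR for 95.138.72.61, `carotte.tilapin.org` at 5.187.106.61), and the PTR record for 5.187.106.61 is an assumption added only to give a passing case. The rDNS test is the stage Postfix's `reject_unknown_reverse_client_hostname` enforces; the forward-confirmation step is what the thread calls FCrDNS.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed DNS tables (example data, not live lookups). They mirror the
# "host" output in the thread: 95.138.72.61 has no PTR (NXDOMAIN) and
# carotte.tilapin.org has address 5.187.106.61. The PTR entry for
# 5.187.106.61 is an assumption so the example also has a passing case.
PTR_TABLE: Dict[str, List[str]] = {
    "5.187.106.61": ["carotte.tilapin.org"],
}
A_TABLE: Dict[str, List[str]] = {
    "carotte.tilapin.org": ["5.187.106.61"],
}

Resolver = Callable[[str], List[str]]


def table_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query; an empty list means NXDOMAIN / no answer."""
    return PTR_TABLE.get(ip, [])


def table_a(name: str) -> List[str]:
    """Stand-in for an A/AAAA query on a hostname."""
    return A_TABLE.get(name.rstrip(".").lower(), [])


# Postfix records the client as:  from HELO (rdns-or-unknown [ip])
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# The Received: header quoted in the thread (line-folded as in the mail).
THREAD_RECEIVED = """Received: from carotte.tilapin.org (unknown [95.138.72.61])
        by ioooi.vinc17.net (Postfix) with ESMTPS id EFA4959"""


@dataclass
class Verdict:
    client_ip: str
    helo: str
    ptr_names: List[str] = field(default_factory=list)   # raw PTR answers
    fcrdns_names: List[str] = field(default_factory=list)  # PTR names whose A record includes client_ip
    helo_addrs: List[str] = field(default_factory=list)  # A records of the HELO name

    @property
    def has_rdns(self) -> bool:
        return bool(self.ptr_names)

    @property
    def fcrdns_ok(self) -> bool:
        return bool(self.fcrdns_names)

    @property
    def helo_matches_client(self) -> bool:
        return self.client_ip in self.helo_addrs


def parse_received(header: str) -> Tuple[str, str]:
    """Return (helo_name, client_ip) from a Postfix-style Received: header."""
    match = RECEIVED_RE.search(" ".join(header.split()))
    if not match:
        raise ValueError("no Postfix-style client clause found")
    return match.group("helo"), match.group("ip")


def check_client(helo: str, ip: str,
                 ptr: Resolver = table_ptr, a: Resolver = table_a) -> Verdict:
    """rDNS, forward-confirmed rDNS, and HELO-vs-client-IP for one SMTP client."""
    ptr_names = ptr(ip)
    # FCrDNS: a PTR name counts only if its forward lookup returns the same IP.
    confirmed = [name for name in ptr_names if ip in a(name)]
    return Verdict(ip, helo, ptr_names, confirmed, a(helo))


def check_received(header: str,
                   ptr: Resolver = table_ptr, a: Resolver = table_a) -> Verdict:
    helo, ip = parse_received(header)
    return check_client(helo, ip, ptr, a)


if __name__ == "__main__":
    for label, verdict in (
        ("thread client", check_received(THREAD_RECEIVED)),
        ("constructed good client", check_client("carotte.tilapin.org", "5.187.106.61")),
    ):
        print(f"{label}: ip={verdict.client_ip} helo={verdict.helo} "
              f"rdns={verdict.has_rdns} fcrdns={verdict.fcrdns_ok} "
              f"helo_matches_client={verdict.helo_matches_client}")
```

To run it against real DNS, pass resolver callables built on a DNS library in place of `table_ptr` and `table_a`; the decision logic is unchanged. Keeping the three results separate matters in practice: `has_rdns` alone is the weaker test (it is what `reject_unknown_reverse_client_hostname` checks), `fcrdns_ok` is the stricter one, and the HELO comparison is, as the thread notes, a best-practice expectation for mail exchangers rather than an RFC requirement.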
