Re: Mailserver requirements
On Tue 06 Apr 2004 (00:55 +0200), Daniel Roesen wrote:
> On Mon, Apr 05, 2004 at 11:53:15PM +0200, Arnold Nipper wrote:
> > > > of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
> > > Does it have an A RR?
> > It also does have an A RR. And the forward mapping does also match the IP address.
> OK, so the check is even broken in what it probably tries to verify... that the reverse-domain of the sender IP would (possibly) be able to receive mail (bounces).

Why would bounces go to an outbound mail server? They go to the envelope sender, which might well be in a different domain. The check is simply ill-advised and will cause the system running such a check to have cut itself off from a large number of legitimate sources of email

> > > Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
> > In this case the host *sends* mail ...
> Sure. I was discussing the requirements for domains regarding email. In this specific case, domain being the domain of the PTR of the sending MTA host.

If you are sending mail via a virtual ISP, then the 'real' ISP's mail servers will probably be in a different domain than your virtual ISP which might be a different domain than your account. Checking mail reachability of an outbound MTA is simply absurd.

--
Jim Segrave [EMAIL PROTECTED]
Re: Mailserver requirements
Charles Sprickman wrote:
> This is yet another misguided effort to semi-telepathically tell if a sender is suspicious. Personally, I see nothing odd about a largish operation having one set of servers accepting mail and another set exclusively acting as smtp relays for customer mail. People that choose to do the does it have an mx check are hopefully blocking some really large amount of legit mail with the spam, as I can think of dozens of reasons why someone might wish to have their inbound mxers separate from their outbound relays...

A simple one would be that my outbound relays have queue and retry schedules different to my inbound SMTP listeners, which may more simply be configured for checking for SPAM etc. Also SMTP authentication for customers relaying may only be enabled on my outbound relays.

Peter
Mailserver requirements
Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

-- Arnold
Re: Mailserver requirements
* [EMAIL PROTECTED] (Arnold Nipper) [Mon 05 Apr 2004, 23:04 CEST]:
> Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Any mail server operator is of course free to implement such a policy, but no RFC exists to back it up. MX records aren't needed to send mail; an A record is enough.

-- Niels.

--
Today's subliminal thought is:
RE: Mailserver requirements
Arnold,

I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.

Mike Walter, MCP
3z.net a PCD Company
http://www.3z.net
When Success is the Only Solution t h i n K 3z.net

-----Original Message-----
From: Arnold Nipper [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 5:03 PM
To: NANOG
Subject: Mailserver requirements

Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

-- Arnold
Re: Mailserver requirements
On Mon, 05 Apr 2004 23:03:05 +0200, Arnold Nipper [EMAIL PROTECTED] said:
> Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Depends on your definition of correct. Checking that there's a PTR and A record that match has become common, although not strictly standard. Checking that said PTR points to a hostname that has an MX is certainly way out there.

> Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

There's no RFC requirement that an MX exist at all (only that you check for an MX before using the A record). The last 2 AOL boxes I got mail from were omr-m07.mx.aol.com and rly-ye05.mail.aol.com. I'm not seeing an MX for either of those. Draw your own conclusions as to whether a Randy Bush quote is needed
Re: Mailserver requirements
On Mon, 5 Apr 2004, Arnold Nipper wrote:
> Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Not if you want to get mail, no. :)

> Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

This is yet another misguided effort to semi-telepathically tell if a sender is suspicious. Personally, I see nothing odd about a largish operation having one set of servers accepting mail and another set exclusively acting as smtp relays for customer mail. People that choose to do the does it have an mx check are hopefully blocking some really large amount of legit mail with the spam, as I can think of dozens of reasons why someone might wish to have their inbound mxers separate from their outbound relays...

Charles

> -- Arnold
Re: Mailserver requirements
He isn't saying it needs a reverse address. He's saying that the reverse address needs an MX record.

Roman Volf
Keystreams Internet Solutions
[EMAIL PROTECTED]

Mike Walter wrote:
> Arnold,
>
> I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
>
> Mike Walter, MCP
> 3z.net a PCD Company
> http://www.3z.net
> When Success is the Only Solution t h i n K 3z.net
>
> -----Original Message-----
> From: Arnold Nipper [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 05, 2004 5:03 PM
> To: NANOG
> Subject: Mailserver requirements
>
> Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?
>
> Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?
>
> -- Arnold

--
Roman Volf
Keystreams Internet Solutions
[EMAIL PROTECTED]
RE: Mailserver requirements
Hi Arnold-

Whether or not you will accept mail from an address without a (matching?) reverse record is usually an option on your mailserver software. In terms of outbound mail, AOL, for example will no longer accept mail unless the reverse is present. Some providers insist that it match, which makes things a little dicey if your mail server is handling multiple domains. I've gotten around that by wasting an ip address for each domain, and setting up the reverse records accordingly.

Also, lots of folks are now verifying the validity of the sender to try to prevent spoofing the mailfrom. (although the spammers only have to spoof a valid email address to get around that)

-Keith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, April 05, 2004 5:03 PM
To: NANOG
Subject: Mailserver requirements

Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct?

Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

-- Arnold
Re: Mailserver requirements
Mike,

On 05.04.2004 23:18 Mike Walter wrote:
> Arnold, I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.

of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.

Arnold
Re: Mailserver requirements
On Mon, Apr 05, 2004 at 11:32:08PM +0200, Arnold Nipper wrote:
> > I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
> of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.

Does it have an A RR?

Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.

Regards,
Daniel
Re: Mailserver requirements
On Mon, 05 Apr 2004 23:32:08 +0200 Arnold Nipper [EMAIL PROTECTED] wrote:
> On 05.04.2004 23:18 Mike Walter wrote:
> > I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
> of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.

yes, and that's what's wacky. there is no requirement in the RFCs that i'm aware of that mail senders have MX records pointing back at them. there's not even a requirement for MX records for a domain, the SMTP RFCs clearly indicate that in the absence of an MX record, an A record will suffice.

for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread.

richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: Mailserver requirements
On 05.04.2004 23:42 Daniel Roesen wrote:
> On Mon, Apr 05, 2004 at 11:32:08PM +0200, Arnold Nipper wrote:
> > > I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
> > of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
> Does it have an A RR?

It also does have an A RR. And the forward mapping does also match the IP address.

> Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.

In this case the host *sends* mail ...

Arnold
Re: Mailserver requirements
On Mon, 05 Apr 2004 23:42:28 +0200, Daniel Roesen [EMAIL PROTECTED] said:
> Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.

If you squint and cross your eyes, you can even convince yourself that RFC2821 says it's OK for said address to be bouncing due to over-quota conditions, because the requirement is for existence, not for usability. :)
Re: Mailserver requirements
On Mon, Apr 05, 2004 at 11:53:15PM +0200, Arnold Nipper wrote:
> > > of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
> > Does it have an A RR?
> It also does have an A RR. And the forward mapping does also match the IP address.

OK, so the check is even broken in what it probably tries to verify... that the reverse-domain of the sender IP would (possibly) be able to receive mail (bounces).

> > Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
> In this case the host *sends* mail ...

Sure. I was discussing the requirements for domains regarding email. In this specific case, domain being the domain of the PTR of the sending MTA host.

Regards,
Daniel
Re: Mailserver requirements
* [EMAIL PROTECTED] (Richard Welty) [Mon 05 Apr 2004, 23:50 CEST]:
> On Mon, 05 Apr 2004 23:32:08 +0200 Arnold Nipper [EMAIL PROTECTED] wrote:
> > of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
> yes, and that's what's wacky. there is no requirement in the RFCs that i'm aware of that mail senders have MX records pointing back at them. there's not even a requirement for MX records for a domain, the SMTP RFCs clearly indicate that in the absence of an MX record, an A record will suffice.

People do all sorts of wacky things in the name of policy. The .za registrar, for example, required nameservers for domains in it to respond authoritatively and positively to questions about PTR records for its (the nameserver's) own IP address...

-- Niels.

--
Today's subliminal thought is:
Re: Mailserver requirements
--On Monday, April 05, 2004 5:48 PM -0400 Richard Welty [EMAIL PROTECTED] wrote:
> for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread.

While I think it's pretty anal-retentive to require a mail sender to have a valid MX record, I don't see what would be so hard about setting up MX records for this scenario:

    inbound-mx01    IN A      192.168.1.98
    inbound-mx02    IN A      192.168.1.99
    outbound-01     IN A      192.168.1.100
                    IN MX 10  inbound-mx01
                    IN MX 20  inbound-mx02

Or am I missing something?

-J

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org
Re: Mailserver requirements
On Mon, 05 Apr 2004 20:03:58 -0400 Jeff Workman [EMAIL PROTECTED] wrote:
> --On Monday, April 05, 2004 5:48 PM -0400 Richard Welty [EMAIL PROTECTED] wrote:
> > for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread.
> While I think it's pretty anal-retentive to require a mail sender to have a valid MX record, I don't see what would be so hard about setting up MX records for this scenario:

snip

> Or am I missing something?

yes. what's hard about it is getting every single mail server on the public internet to suddenly be set up this way so that they can talk to one single mail server with a novel policy. ain't going to happen. false positive city.

cheers,
richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
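
Added example, not part of any message in the thread: the two receiver-side checks discussed above, side by side, showing why mx(reverse(A)) rejects an outbound-only relay that passes the matching PTR/A check. All names, addresses and records below are constructed for illustration; the lookups run against in-memory tables rather than live DNS.

```python
# Constructed DNS data for illustration; every name and address is hypothetical.
PTR = {
    "192.0.2.10": "relay1.example.net",       # outbound-only relay, no MX
    "192.0.2.20": "outbound-01.example.org",  # relay with MX pointing at inbound hosts
    "192.0.2.30": "mismatch.example.com",     # PTR whose A record points elsewhere
}
A = {
    "relay1.example.net": ["192.0.2.10"],
    "outbound-01.example.org": ["192.0.2.20"],
    "inbound-mx01.example.org": ["192.0.2.21"],
    "inbound-mx02.example.org": ["192.0.2.22"],
    "mismatch.example.com": ["192.0.2.99"],
}
MX = {
    "outbound-01.example.org": [(20, "inbound-mx02.example.org"),
                                (10, "inbound-mx01.example.org")],
}

def fcrdns_ok(ip):
    """PTR exists and the PTR name's A record maps back to the same IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, [])

def mx_of_reverse_ok(ip):
    """The disputed policy: mx(reverse(ip)) must exist."""
    name = PTR.get(ip)
    return name is not None and bool(MX.get(name))

def delivery_targets(domain):
    """Where mail *to* a domain goes: MX hosts by preference, else the A record."""
    if MX.get(domain):
        return [host for _, host in sorted(MX[domain])]
    return [domain] if domain in A else []

def evaluate(ip):
    """Run both checks for a connecting IP and report what each would decide."""
    name = PTR.get(ip)
    return {
        "ptr": name,
        "fcrdns": fcrdns_ok(ip),
        "mx_of_reverse": mx_of_reverse_ok(ip),
        "can_receive_at_ptr_name": bool(name and delivery_targets(name)),
    }

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]:
        print(ip, evaluate(ip))
```

The first relay is the false positive: its PTR and A records match and its hostname could even receive mail via the A-record fallback, yet the MX-on-PTR policy rejects it.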