Re: what is triggering NO_DNS_FOR_FROM
Thanks all who replied to my question, sorry for the late reply.

It seems this was a temporary error on the sender's DNS servers (I assume, as I've only seen this issue on their email). Rerunning spamassassin on the same message now doesn't trigger NO_DNS_FOR_FROM.

Thanks Matus, yes I know the MX isn't the same as the sender's IP. In Exim, if the sending IP PTR doesn't match a subsequent lookup of the returned FQDN in the PTR then Exim marks the mail as being sent from a server without rDNS (even though a PTR exists) and therefore triggers RDNS_NONE in spamassassin. Not sure if this behaviour is typical in other SMTP servers.

Thanks also RW for the tips about "-D" and envelope_sender_header documentation. Noted for future reference!

many thanks, Andy.
Re: what is triggering NO_DNS_FOR_FROM
On Mon, 2017-03-13 at 17:49 +0100, Andy Smith wrote:
> I can see that the domain in question does have A and MX records, possibly issues are that the A record doesn't match the PTR for the IP returned by the A record and that one of the MX records doesn't have a PTR. I'd be keen to know if one or both of these are the issue, and what the situation WRT RFCs on email DNS says about what are required for proper operation of email.

Martin,

On 13.03.17 18:08, Martin Gregorie wrote:
> Does the domain have a PTR record for every A record and, by extension, for every MX record? You should be able to check this with 'dig' or simply use 'host' to verify that the relevant reverse lookups work OK.

no, he should not check that for any MX records. No sane software does resolve MX and A/ records to check their PTRs. There's no sane reason one should have reverse DNS records on incoming mail servers. SA does not (and should not) do that.

PTR records (and matching A records) are required for outgoing mail, that's all.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
A day without sunshine is like, night.
Re: what is triggering NO_DNS_FOR_FROM
On 13.03.17 17:49, Andy Smith wrote:
> I can see that the domain in question does have A and MX records, possibly issues are that the A record doesn't match the PTR for the IP returned by the A record and that one of the MX records doesn't have a PTR. I'd be keen to know if one or both of these are the issue, and what the situation WRT RFCs on email DNS says about what are required for proper operation of email.

This has never been an issue, and you should never expect that to match. There's no point in checking those. Please, do not advise anyone ever to check for this combination (1).

What is supposed to match:

sending IP => PTR => A/ => sending IP
MX => A/ => IP (public aka no private ranges)

See? no reverse checks in the latter case. You would be surprised that companies like google, aol, yahoo (at the time I last checked, and I did this multiple times, see (1)) don't have rDNS for those - that's because there's no requirement (and no sane reason) for that.

> I've already had to ask the owners of the domain to correct an issue where their sending server's A record didn't match the PTR and was triggering the RDNS_NONE rule (as detected by Exim), so if I'm going to convince them to do more modifications I'd prefer to know what I was talking about,

The sending IP is NOT the MX record - those are two separate things. Yes, it may be the same server, but the PTR is checked on incoming mail, and _never_ on the MX->A record.

Simply - don't mix those, you'll lose focus on the real issue.

(1) In the past I got customer complaints about them being rejected because "their MX records pointing to A's that didn't match their PTRs". This never turned out to be true - they were blacklisted, they were refused because their HELO string was nonexistent, or they just made complaint without any real problem. Once the admin wasn't even able to translate clear error message from English, nor search for the error message on the net... Simply, don't do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: what is triggering NO_DNS_FOR_FROM
On Mon, 13 Mar 2017 17:49:47 +0100 Andy Smith wrote:
> Hi all,
>
> I have some genuine emails getting marked with NO_DNS_FOR_FROM from one particular domain and I'd like to know exactly why. I've had a dig in the SpamAssassin Dns.pm but I can't work out exactly what process_dnsbl_result is doing. What exactly does it check WRT MX and A records?

It does what it says it does, it checks if the envelope sender address has neither an MX nor A record.

One complication is that SA has to work out what the envelope sender address is, see "envelope_sender_header" in the configuration documentation.

If you have a copy of the email that failed on NO_DNS_FOR_FROM, run it through SA and see if the problem is reproducible. If it is, run it through spamassassin -D and search for NO_DNS_FOR_FROM to see what address is being used.
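
Added example, not part of any message in this thread and not SpamAssassin's or Exim's code: a small Python model of the three checks the replies distinguish, namely the sending-IP chain (IP => PTR => A => IP), the MX chain (MX => A => public IP, with no PTR lookup) and the NO_DNS_FOR_FROM condition as its rule description states it. The `ZONE` table, the function names and the reading of "private ranges" as RFC 1918 plus loopback are assumptions made for this example; all records are constructed.

```python
import ipaddress

# Constructed records using documentation names and addresses; not real DNS data.
ZONE = {
    ("PTR", "192.0.2.10"): ["mail.example.org"],
    ("A", "mail.example.org"): ["192.0.2.10"],
    ("PTR", "192.0.2.20"): ["host.example.net"],  # PTR exists ...
    ("A", "host.example.net"): ["192.0.2.99"],    # ... but does not map back
    ("MX", "example.org"): ["mx1.example.org"],
    ("A", "mx1.example.org"): ["192.0.2.30"],     # no PTR for this IP
    ("MX", "internal.example"): ["mx.internal.example"],
    ("A", "mx.internal.example"): ["10.0.0.5"],
}
# Assumption: "private ranges" means RFC 1918 plus loopback.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def lookup(rtype, name, zone=ZONE):
    """Stand-in for a resolver query; returns [] when no record exists."""
    return zone.get((rtype, name.rstrip(".").lower()), [])

def fcrdns(ip, zone=ZONE):
    """sending IP => PTR => A => sending IP (checked on incoming connections)."""
    names = lookup("PTR", ip, zone)
    if not names:
        return "no-ptr"
    if any(ip in lookup("A", n, zone) for n in names):
        return "confirmed"
    return "ptr-unconfirmed"

def mx_problems(domain, zone=ZONE):
    """MX => A => public IP. Deliberately performs no PTR lookup."""
    problems = []
    for host in lookup("MX", domain, zone):
        addrs = lookup("A", host, zone)
        if not addrs:
            problems.append((host, "no address record"))
        for a in addrs:
            if any(ipaddress.ip_address(a) in net for net in PRIVATE):
                problems.append((host, "private address " + a))
    return problems

def no_dns_for_from(envelope_sender, zone=ZONE):
    """True when the sender's domain has neither an MX nor an A record."""
    domain = envelope_sender.rsplit("@", 1)[-1]
    return not (lookup("MX", domain, zone) or lookup("A", domain, zone))
```

The `ptr-unconfirmed` result corresponds to the case described at the top of the thread, where a PTR exists but the name it returns does not resolve back to the sending IP.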
Re: what is triggering NO_DNS_FOR_FROM
On Mon, 2017-03-13 at 17:49 +0100, Andy Smith wrote:
> I can see that the domain in question does have A and MX records, possibly issues are that the A record doesn't match the PTR for the IP returned by the A record and that one of the MX records doesn't have a PTR. I'd be keen to know if one or both of these are the issue, and what the situation WRT RFCs on email DNS says about what are required for proper operation of email.
>

Does the domain have a PTR record for every A record and, by extension, for every MX record? You should be able to check this with 'dig' or simply use 'host' to verify that the relevant reverse lookups work OK.

Is the domain's SPF record valid and configured properly? I use this site for checking SPF records:

http://www.kitterman.com/spf/validate.html

Martin
Re: what is triggering NO_DNS_FOR_FROM
>From: Reindl Harald <h.rei...@thelounge.net>
>Sent: Monday, March 13, 2017 12:11 PM
>To: Andy Smith; users@spamassassin.apache.org; David Jones
>Subject: Re: what is triggering NO_DNS_FOR_FROM

>it's also about the FROM-HEADER and not about envelopes alone and hence
>i doubt "because I reject these senders at the postfix MTA level
>before SA"

The rule description says "Envelope sender" which is what I was going by:

20_net_tests.cf:header NO_DNS_FOR_FROM eval:check_dns_sender()
20_net_tests.cf:describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records

I do block the envelope-from domain in postfix if it can't be resolved therefore I don't see any hits on that rule.

http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

Dave
Re: what is triggering NO_DNS_FOR_FROM
>From: Andy Smith <a.sm...@ldexgroup.co.uk>
>Sent: Monday, March 13, 2017 11:49 AM
>To: users@spamassassin.apache.org
>Subject: what is triggering NO_DNS_FOR_FROM

>Hi all,

>I have some genuine emails getting marked with NO_DNS_FOR_FROM from one particular domain and I'd like to know exactly why. I've had a dig in the SpamAssassin Dns.pm but I can't work out exactly what process_dnsbl_result is doing. What exactly does it check WRT MX and A records?

>I can see that the domain in question does have A and MX records, possibly issues are that the A record doesn't match the PTR for the IP returned by the A record and that one of the MX records doesn't have a PTR. I'd be keen to know if one or both of these are the issue, and what the situation WRT RFCs on email DNS says about what are required for proper operation of email.

>I've already had to ask the owners of the domain to correct an issue where their sending server's A record didn't match the PTR and was triggering the RDNS_NONE rule (as detected by Exim), so if I'm going to convince them to do more modifications I'd prefer to know what I was talking about,

>thanks, Andy.

I have never seen this rule in SA because I reject these senders at the postfix MTA level before SA. I recommend doing this at the MTA level so the senders get a good bounce message that they can Google themselves and hopefully figure out their own problem before having to contact you.

# grep NO_DNS_FOR_FROM /var/lib/spamassassin/3.004001/updates_spamassassin_org/*
20_net_tests.cf:header NO_DNS_FOR_FROM eval:check_dns_sender()
20_net_tests.cf:describe NO_DNS_FOR_FROM Envelope sender has no MX or A DNS records

Dave
what is triggering NO_DNS_FOR_FROM
Hi all,

I have some genuine emails getting marked with NO_DNS_FOR_FROM from one particular domain and I'd like to know exactly why. I've had a dig in the SpamAssassin Dns.pm but I can't work out exactly what process_dnsbl_result is doing. What exactly does it check WRT MX and A records?

I can see that the domain in question does have A and MX records, possibly issues are that the A record doesn't match the PTR for the IP returned by the A record and that one of the MX records doesn't have a PTR. I'd be keen to know if one or both of these are the issue, and what the situation WRT RFCs on email DNS says about what are required for proper operation of email.

I've already had to ask the owners of the domain to correct an issue where their sending server's A record didn't match the PTR and was triggering the RDNS_NONE rule (as detected by Exim), so if I'm going to convince them to do more modifications I'd prefer to know what I was talking about,

thanks, Andy.