Jesse Stroik wrote:
Kris Deugau wrote:
Jesse Stroik wrote:
There are plenty of places still using mail gateways where the mail server used for sending is still on an internal network, for a variety of legitimate reasons, and those mail servers may resolve to a private address. If you discard all mail with no appropriate reverse DNS, you'll be discarding a lot of legitimate mail too from a lot of legitimate mail configurations.

Um, no; the argument is for rejecting mail with **NO** rDNS at all. Malformed or mismatched rDNS is still a nasty misconfiguration for a number of reasons.

I can't think of ANY reasons (beyond sysadmin and/or ISP incompetence) that a public IP originating legitimate SMTP traffic should not have a reverse DNS entry. (Never mind a properly-formed one, a whole other argument on its own.)


In my experience, I've come across Exchange servers in private networks behind mail gateways that were the originating server. In this case, whether or not you and I think it is a poor configuration, it is a legitimate SMTP configuration via the RFC, and it will have no reverse-DNS entry for the originating server.

We don't really care about private networks. The connection comes from a public IP (with or without NAT), and it is considered good practice to have a PTR record for every IP. RFC 1912 (section 2.1) states:
"
   Every Internet-reachable host should have a name.  The consequences
   of this are becoming more and more obvious.  Many services available
   on the Internet will not talk to you if you aren't correctly
   registered in the DNS.
"

Yes, this is an informational RFC, but many people believe that this should be followed.


Anyway, some ISPs in some countries do not set a PTR for their networks, so blocking on absence of a PTR may cause FPs, as Justin said. But if you don't get legitimate mail from such places, you can reject.


And that sort of thing requires impetus and resources to change, neither of which you and I control for remote networks. Dropping mail because the originating server has no reverse DNS record is making bad assumptions about SMTP.

It is not restricted to SMTP. For example, the gandi.net whois server doesn't accept connections from IPs without rDNS.

And, as I've said, we have to be careful which assumptions we make. The rDNS assumption is particularly tempting because it is particularly effective but that doesn't make it a good assumption.

Best,
Jesse
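The thread turns on a distinction that is easy to blur in a filter: a connecting IP with no PTR record at all, versus one whose PTR exists but whose name does not resolve back to that IP (failed forward-confirmed rDNS), versus an RFC 1918 address that an internal gateway will never find a PTR for. The following is an added example, not code from any poster in this thread: a small classifier that separates those cases and applies either the "no rDNS only" policy Kris argues for or a stricter "no rDNS or mismatch" policy. The DNS records are a constructed in-memory fixture (the `lookup_ptr` / `lookup_a` functions and all names and addresses are assumptions) so it runs offline; a real deployment would inject a resolver in their place.

```python
import ipaddress
from typing import Callable, List, Optional

# Constructed fixture standing in for PTR and A lookups. These are NOT live
# DNS data; the names and addresses are invented for the example.
PTR_RECORDS = {
    "203.0.113.10": "mail.example.net",      # PTR and A agree: FCrDNS passes
    "203.0.113.20": "mx.example.org",        # PTR exists, but A points elsewhere
    "203.0.113.30": None,                    # no PTR at all
    "203.0.113.40": "host40.example.test",   # PTR exists, name has no A record
}
A_RECORDS = {
    "mail.example.net": ["203.0.113.10"],
    "mx.example.org": ["198.51.100.7"],
}

def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a reverse (PTR) lookup: None means NXDOMAIN / no record."""
    return PTR_RECORDS.get(ip)

def lookup_a(name: str) -> List[str]:
    """Stand-in for a forward (A) lookup of the name the PTR returned."""
    return A_RECORDS.get(name, [])

# The thread's "private networks": RFC 1918 space, where a PTR is not expected
# and the client is normally an internal relay rather than a remote MTA.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_rdns(ip: str,
                  ptr: Callable[[str], Optional[str]] = lookup_ptr,
                  a: Callable[[str], List[str]] = lookup_a) -> str:
    """Return one of: 'private', 'none', 'mismatch', 'fcrdns'.

    'none'     - no PTR record exists for the IP (Kris's rejection case)
    'mismatch' - a PTR exists but forward-confirming it fails (the name has
                 no A record, or its A records do not include the IP)
    'fcrdns'   - PTR -> name -> A agrees with the connecting IP
    'private'  - RFC 1918 address; rDNS policy does not apply here
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    name = ptr(ip)
    if name is None:
        return "none"
    if ip in a(name):
        return "fcrdns"
    return "mismatch"

# Two policies from the discussion, expressed as the set of classes to reject.
POLICY_NO_RDNS_ONLY = {"none"}             # reject only when there is no PTR
POLICY_STRICT = {"none", "mismatch"}       # also reject unconfirmed PTRs

def should_reject(ip: str, policy: set) -> bool:
    """Decide whether to reject the SMTP client at connection time."""
    return classify_rdns(ip) in policy

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30",
               "203.0.113.40", "10.1.2.3"):
        print(ip, classify_rdns(ip),
              "reject(no-rdns-only)=%s" % should_reject(ip, POLICY_NO_RDNS_ONLY),
              "reject(strict)=%s" % should_reject(ip, POLICY_STRICT))
```

The `private` class is what makes the internal-Exchange scenario Jesse describes a non-issue for the gateway that receives from it: the rDNS check is meant for clients arriving from public IPs, and an internal relay should be matched by network address, not by PTR. The same two policies map onto Postfix's `reject_unknown_reverse_client_hostname` (rejects only when no PTR exists) and `reject_unknown_client_hostname` (also rejects when the forward lookup does not confirm the PTR), which is why the choice between them carries exactly the false-positive trade-off argued about above.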
