On 1 Apr 2015, at 17:26, Amir Caspi wrote:
> On Apr 1, 2015, at 3:03 PM, Kevin Miller <kevin.mil...@juneau.org> wrote:
>> You can reject on RDNS (or lack thereof) in sendmail depending on the
>> version. Search for "require_rdns".
> Thanks, I'll look into it. Sadly I don't think I have time to
> manually whitelist misconfigured servers, since I suspect there are
> not a few of them... a lot of people fail to put rDNS entries on their
> mail servers (including my own $DAYJOB employer, who only fixed it
> once I complained).
That experience may bias your expectations. When I was handling spam
control for a corporate system that had a million SMTP sessions per day
and legit inbound mail in 5 digits per day with prominent public retail
brand domains, our policy was to reject mail from IPs without valid
rDNS. From 2004-2008 we had to whitelist *zero* sending systems and only
had a handful of cases where we were the "bully" to get senders to fix
their DNS. In the 7 years since I've been handling a much smaller
corporate mail system of less significance to senders with the same
policy, where we've seen no need to whitelist anyone and 2 cases where
we know the policy has played some role in fixing senders' rDNS.
However, it is a bit more common to have transient false positives due
to DNS robustness issues (anything from connectivity problems to zone
file typos) which are the price of any DNS-based filtering policy. The
more DNS rules you enforce, the more ways DNS carelessness can be
caught, and there's a richly diverse ecosystem of DNS carelessness.
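An added illustration of the point above about transient DNS false positives (not code from the thread or from sendmail): a forward-confirmed rDNS check that rejects only on an authoritative "no record" answer and defers with a 4xx on resolver trouble, so a zone typo or connectivity blip costs a retry rather than a lost message. The resolver callables, exception classes, SMTP reply strings and zone data are hypothetical and constructed for the example.

```python
# Added example: forward-confirmed rDNS policy that distinguishes a permanent
# "no PTR" answer (reject) from a transient resolver failure (defer).
class DnsNxdomain(Exception):
    """Authoritative 'no such record' answer."""

class DnsTempFail(Exception):
    """SERVFAIL, timeout, or other transient resolver error."""

def rdns_policy(ip, resolve_ptr, resolve_a):
    """Return (verdict, smtp_reply); verdict is 'accept', 'reject' or 'defer'.

    resolve_ptr(ip) -> list of PTR names; resolve_a(name) -> list of IPs.
    Both raise DnsNxdomain or DnsTempFail. These are hypothetical callables
    so the example runs offline; wire them to a real resolver in practice.
    """
    defer = ("defer", "451 4.4.3 temporary rDNS lookup failure, retry later")
    try:
        names = resolve_ptr(ip)
    except DnsNxdomain:
        return "reject", "550 5.7.25 no PTR record for %s" % ip
    except DnsTempFail:
        return defer
    for name in names:
        try:
            if ip in resolve_a(name):        # forward confirmation
                return "accept", "250 rDNS confirmed as %s" % name
        except DnsNxdomain:
            continue                          # dangling PTR; try next name
        except DnsTempFail:
            return defer                      # don't punish a flaky zone
    return "reject", "550 5.7.25 PTR for %s does not resolve back" % ip

# Constructed sample zone data (documentation addresses) and a fake resolver
# that exercises each branch: confirmed, dangling PTR, no PTR, resolver outage.
PTR = {"192.0.2.10": ["mx.example.net"], "192.0.2.11": ["ghost.example.net"],
       "192.0.2.12": DnsNxdomain, "192.0.2.13": DnsTempFail}
A = {"mx.example.net": ["192.0.2.10"], "ghost.example.net": DnsNxdomain}

def _lookup(table, key):
    hit = table.get(key, DnsNxdomain)
    if isinstance(hit, type) and issubclass(hit, Exception):
        raise hit(key)
    return hit

def fake_ptr(ip): return _lookup(PTR, ip)
def fake_a(name): return _lookup(A, name)

if __name__ == "__main__":
    for sender in PTR:
        print(sender, rdns_policy(sender, fake_ptr, fake_a))
```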