Am 25.11.2015 um 20:16 schrieb Bill Cole:
On 24 Nov 2015, at 14:27, Edda wrote:Older versions performed rdns lookups for every IP in relay-untrusted directly in Received.pm, this was deleted: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=5054I think Justin's rationale there isn't even the whole case for NOT doing DNS checks on the client IPs in Received headers written by "trusted" relays absent some special motivation. DNS is ephemeral and results can be a function of where a query comes from. It seems to me that the relevant DNS mapping is whatever can be resolved by the MTA that acts as the MX for the recipient's domain when it is being offered the message. It is NOT the DNS mapping that is discernible a few seconds (or days)) later on some final destination machine.
while that may be true (but in most cases won't matter even if it happens) - you can *never* know what "unknown" in the MTA header means - try it out - in case of a dns timeout on the MTA you get the same "unknown" and fire RDNS_NONE because you just have no other information because you can only verify that by doing the DNS lookup at your own and distinct between NXDOMAIN and errors
i had real world samples flagged with RDNS_NONE noticed in "tail -f" of the maillog and a "dig IP" had a correct answer 2 seconds later and there are good chances that SA would have been able to resolve it in the milter-stage
signature.asc
Description: OpenPGP digital signature
