Tracy wrote:

>At 19:47 1/12/2004, Jeffrey Laramie wrote:
>
>>In a standard DNS configuration you would have a domain 'zone' file for
>>each domain name and a 'reverse lookup' zone file for each block of IPs.
>>The zone file typically has records that resolve a name to an IP address:
>>
>>myhost   A   12.34.56.78
>>
>>The reverse lookup zone file has the opposite record:
>>
>>78   PTR   myhost.mydomain.org
>>
>>The reverse lookup zone file knows what domain each IP is in. If a
>>remote mail server does a reverse lookup and gets mydomain instead of
>>myseconddomain, then it's configured wrong and you need to contact the
>>ISP or whoever handles DNS for these domains. It would be good policy
>>for the remote mail server to reject any address that fails RDNS lookup
>>since it's most likely either spoofed or broken.
>
>There are cases where there is overlap between multiple domains and the 
>same IP space (web hosting comes most prominently to mind, but there are 
>other situations).
>
>For instance, if you look up the following DNS names:
>
>mail.vbot.org
>mail.arisiasoft.com
>
>You will find they both resolve as 66.219.172.36 - if you look up 
>66.219.172.36, it should resolve as:
>
>karen.arisiasoft.com
>
>You'll note that neither of the mail names matches the PTR record (one 
>matches at the primary domain level, but not a complete match). Both of the 
>mail. DNS names point to the same machine - mail for both domains is hosted 
>there (on the same copy of Xmail).
>
True. I have a reverse zone file for each IP range I provide DNS for, 
but each IP only has one PTR record. Likewise each domain zone file 
generally should have only one A record for each IP, although there can 
be many CNAMEs. Virtual domains can be assigned an IP or will use the IP 
of the host as in your case.

>>If a
>>remote mail server does a reverse lookup and gets mydomain instead of
>>myseconddomain, then it's configured wrong and you need to contact the
>>ISP or whoever handles DNS for these domains.
>
>If I understand your logic here, you are saying that because mail.vbot.org 
>--> 66.219.172.36 --> karen.arisiasoft.com, you would recommend rejecting 
>all mail from mail.vbot.org? Even though it has a valid RDNS (even if it 
>doesn't match the original DNS name), and a valid MX record for the domain 
>pointing to the same IP address?

Does your SMTP server identify itself as mail.vbot.org, 
mail.arisiasoft.com, or karen.arisiasoft.com? Does it change depending 
on who sends the mail? I'm pretty sure the server only identifies itself 
by one name and that should be karen.arisiasoft.com which should pass 
the RDNS check. If for some reason it doesn't, I believe you can set the 
HeloDomain variable to ensure the RDNS check works properly, correct?

>I think if you followed through on that, you would end up rejecting a lot 
>of mail from a lot of places...
>

I may be misunderstanding how the mail server uses DNS, but I thought 
that an SMTP server should always identify itself by its host name as 
listed by the PTR record and not by the virtual domains it handles. When 
a mail server uses SMTP-RDNS to verify the identity of the sending host, 
doesn't it check the IP of the sending host against the IP returned by 
RDNS to determine if the host is indeed who it says it is? I've used 
SMTP-RDNS since I started using XMail and I've never noticed any valid 
mail getting rejected (although, getting back to my original point, if a 
system is mis-configured it could happen). If I'm off track here maybe 
you could clarify this for me  ;-)

Jeff

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
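As an added example (not from the thread or from XMail's own code), the check the two of them are talking past each other on: a forward-confirmed reverse DNS (FCrDNS) check only asks that the PTR name resolve back to the connecting IP, which Tracy's host passes even when it says HELO as mail.vbot.org, whereas requiring the HELO name to equal the PTR name rejects it. The DNS data is a constructed in-memory table mirroring the names in the thread; the 192.0.2.10 entry and broken.example.net are hypothetical, standing in for the "broken" PTR case Jeff mentions.

```python
from typing import Dict, List
# Constructed in-memory zone data mirroring the names Tracy gives in the thread,
# plus one hypothetical broken PTR (192.0.2.10).  Nothing here touches the network.
FORWARD: Dict[str, List[str]] = {          # A records: name -> addresses
    "mail.vbot.org":         ["66.219.172.36"],
    "mail.arisiasoft.com":   ["66.219.172.36"],
    "karen.arisiasoft.com":  ["66.219.172.36"],
    "broken.example.net":    ["192.0.2.99"],   # hypothetical: PTR name points elsewhere
}
REVERSE: Dict[str, List[str]] = {          # PTR records: address -> names
    "66.219.172.36": ["karen.arisiasoft.com"],
    "192.0.2.10":    ["broken.example.net"],
}

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def lookup_a(name: str) -> List[str]:
    return FORWARD.get(_norm(name), [])

def lookup_ptr(ip: str) -> List[str]:
    return REVERSE.get(ip, [])

def fcrdns(ip: str) -> Dict[str, List[str]]:
    """Forward-confirmed reverse DNS: a PTR name only counts if its A record
    includes the connecting IP, so a stale or forged PTR is not trusted."""
    ptr_names = lookup_ptr(ip)
    return {"ptr": ptr_names, "confirmed": [n for n in ptr_names if ip in lookup_a(n)]}

def evaluate(ip: str, helo: str, policy: str) -> str:
    """Decide accept/reject for a connecting host under one of four policies."""
    r = fcrdns(ip)
    if policy == "ptr_exists":          # any PTR at all (weakest)
        ok = bool(r["ptr"])
    elif policy == "fcrdns":            # PTR name resolves back to the IP
        ok = bool(r["confirmed"])
    elif policy == "helo_resolves":     # HELO name's A record includes the IP
        ok = ip in lookup_a(helo)
    elif policy == "helo_matches_ptr":  # the strict reading Tracy objects to
        ok = _norm(helo) in {_norm(n) for n in r["confirmed"]}
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return "accept" if ok else "reject"

if __name__ == "__main__":
    for ip, helo in [("66.219.172.36", "mail.vbot.org"),
                     ("66.219.172.36", "karen.arisiasoft.com"),
                     ("192.0.2.10", "broken.example.net")]:
        for pol in ("ptr_exists", "fcrdns", "helo_resolves", "helo_matches_ptr"):
            print(f"{ip:>14} HELO {helo:<22} {pol:<17} {evaluate(ip, helo, pol)}")
```

Only the last policy rejects mail.vbot.org, and only the first accepts the host whose PTR name resolves to a different address, which is why FCrDNS is the check worth enforcing.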
