Date: Mon, 17 Mar 2003 06:56:24 -0600
From: Len Conrad <LConrad@Go2France.com>
To: freebsd-questions@freebsd.org
Subject: Re: Sending mail to this list
Message-ID: <5.2.0.9.0.20030317062946.01d82870@mail.go2france.com>
In-Reply-To: <3E75BCFB.2090409@potentialtech.com>
References: <48294587-583E-11D7-A325-000393BF3DE2@nmu.edu>
> 1) The name the mailserver announces in its HELO line must resolve via
>    forward DNS. It doesn't matter to what, it just has to resolve.

  # telnet mx1.freebsd.org 25
  Trying 216.136.204.125...
  Connected to mx1.freebsd.org.
  Escape character is '^]'.
  220 mx1.FreeBSD.org ESMTP Postfix (Postfix Rules!)
  helo this is len
  250 mx1.FreeBSD.org
  mail from:<lconrad@go2france.com>
  250 Ok
  rcpt to:<freebsd-questions@freebsd.org>
  501 <this is len>: Helo command rejected: Invalid name
  quit
  221 Bye
  Connection closed by foreign host.

.... confirmed.

> 2) The IP of the server must reverse resolve to something, it doesn't
>    matter to what: except that that name is then tested on a forward
>    DNS check, which must work.

This is the postfix "A + PTR must match", as indicated in the "cannot find
your hostname". But afaik, the A+PTR check is only done if the MX uses the
"compound" restriction like this:

  check_sender_access hash:/path/to/from_senders_bogus.map

.... which file contains a list of known frequently forged @sender.domains
that are known to be sent only from IPs with A + PTR matching, a test which
is activated per-domain:

  some_forged_sender.domain    reject_unknown_client

.... where "client" is the IP of the MTA as SMTP client sending to
mx1.postfix.org. We used a list of 3500 frequently forged domains from
monkeys.com, which contains all the big domains of msn, aol, yahoo,
earthlink, excite etc, all of which send their mail from IPs with matching
A + PTR.

> My understanding is that these simple tests block thousands of spam
> emails per second!

per hour, not per second.

> The most common mistake I've seen people make is to add multiple reverse
> DNS records (when the machine has multiple forward DNS records). Most
> DNS servers will allow you to do this, but it doesn't work.

DNS works fine having a set of PTR records per IP.

What doesn't work is that applications that query for PTR records only use
the physically first PTR record returned in the DNS response packet, which,
due to caching, is uncontrollable.

> The 'host' command

There are two smtpd_*_restrictions in postfix being used:

1) reject_unknown_host ... where host is the HELO hostname, plus

2) the compound restriction A + PTR match.

> is smart enough to respond intelligently even if rdns is configured
> wrong, so the easy way to check is to enter 'host my.ip.addy.x'. If it
> returns several different names for the server, then that's your problem.

If an RR-set of PTR records is returned, then which PTR comes first and is
used as the PTR hostname for the hostname A query is non-deterministic.

> If it returns no name, then that's the problem.

because no PTR cannot possibly match any A record.

Len
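The two checks discussed in the message above (a syntactically valid HELO name that forward-resolves, and a client IP whose PTR name forward-resolves back to that same IP) as an added example that is not part of the original post and is not Postfix's own code. It uses a constructed in-memory DNS table (the hostnames and 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges, not real hosts) so it runs offline, and the reply strings are modelled on the ones in the telnet transcript. The `first_ptr_only` and `rotate` parameters are there to show the multi-PTR problem the message describes: a checker that only looks at the first PTR in the RR-set gives a different answer depending on which record the cache happens to return first, while a checker that walks the whole RR-set does not.

```python
"""Forward-confirmed reverse DNS ("A + PTR must match") and HELO name checks.

Added example with a simulated resolver; not code from the original post or
from Postfix. All DNS data below is constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed PTR RR-sets per client IP, in the order a cache might hand them back.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],                         # clean: A + PTR match
    "192.0.2.20": [],                                           # no PTR at all
    "192.0.2.30": ["vhost-b.example.org", "mail.example.org"],  # two PTRs, one forward-resolves
    "192.0.2.40": ["bogus.example.com"],                        # PTR exists, A points elsewhere
}

# Constructed A RR-sets per hostname.
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.30", "192.0.2.31"],
    "bogus.example.com": ["198.51.100.5"],
    "mx.example.com": ["203.0.113.1"],
}

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check only. 'this is len' fails here before any lookup happens."""
    if not name or len(name) > 253 or " " in name:
        return False
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def check_helo(helo: str) -> Tuple[bool, str]:
    """Point 1 of the quoted post: HELO name must be well-formed and must resolve
    (to anything). Reply text modelled on the transcript, not Postfix's source."""
    if not is_valid_hostname(helo):
        return False, f"501 <{helo}>: Helo command rejected: Invalid name"
    if not A_RECORDS.get(helo.rstrip(".").lower()):
        return False, f"450 <{helo}>: Helo command rejected: Host not found"
    return True, "250 Ok"


def fcrdns(ip: str, first_ptr_only: bool = False, rotate: int = 0) -> Tuple[bool, str]:
    """Point 2: IP -> PTR name(s) -> A records must contain the IP.

    rotate models the cache returning the RR-set in a different order.
    first_ptr_only=True models a checker that only uses the first PTR returned
    (the non-deterministic behaviour the post describes); False checks every
    PTR, so a multi-PTR host passes as soon as one of its names points back.
    """
    ptrs = PTR_RECORDS.get(ip, [])
    if not ptrs:
        return False, "cannot find your hostname (no PTR record)"
    ptrs = ptrs[rotate % len(ptrs):] + ptrs[:rotate % len(ptrs)]
    candidates = ptrs[:1] if first_ptr_only else ptrs
    for name in candidates:
        if ip in A_RECORDS.get(name, []):
            return True, f"{name} -> {ip} confirmed"
    return False, f"cannot find your reverse hostname ({candidates} do not forward-resolve to {ip})"


if __name__ == "__main__":
    for helo in ("this is len", "mx.example.com", "nonexistent.example"):
        print(f"HELO {helo!r}: {check_helo(helo)}")
    for ip in PTR_RECORDS:
        print(f"{ip} first-PTR-only, order 0: {fcrdns(ip, True, 0)}")
        print(f"{ip} first-PTR-only, order 1: {fcrdns(ip, True, 1)}")
        print(f"{ip} all PTRs:                {fcrdns(ip, False)}")
```

Running it shows the 192.0.2.30 case flip between reject and accept under `first_ptr_only=True` purely on RR-set order, which is the "uncontrollable" behaviour the message attributes to caching; the same host passes consistently when every PTR is tried. The practical lesson is the one the message gives: either publish a single PTR whose A record includes the sending IP, or accept that a first-PTR-only checker may reject the host some of the time.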