
Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?



On Sat, 09 Jul 2011 19:00:42 +0200
lee <lee@yun.yagibdah.de> wrote:

> Erwan David <erwan@rail.eu.org> writes:
> 
> > On 09/07/11 18:15, lee wrote:
> >> 
> >> Apparently they can, though I don't like the idea. For outgoing
> >> email, you need to make sure that the hostname given in [E]HLO
> >> statements and the IP address of the host connecting to a remote
> >> MTA always match when the remote MTA resolves either.  You may
> >> send me some test mails to check.
> >> 
> >> 
> >
> > My mail server is behind a NAT gateway in IPv4, and directly
> > connects in IPv6. What should I configure it for HELO: the name of
> > the NAT gateway (for IPv4) or its own name (IPv6 only from
> > outside)?
> 
> Hm.  Can you send me an email through IPV6?  My guess is that you can
> not, and that you would need to configure the [E]HLO depending on
> which version of the protocol you use to send outgoing messages.  But
> then, I'd have to look up how exactly exim4 is doing the rDNS
> checking to be sure.
> 
> > This kind of check is useless and loses too many legit emails.
> 
> The rDNS check is very useful because it keeps out tons of SPAM
> without occupying too many resources.  It also seems to be common
> practice.  Do you have a better suggestion?
> 
> 

Yes.

- Check that the sender IP address has a PTR.
- Check that the PTR string exists as an A record in public DNS and the
  A record returns the same IP address.
- Check that the HELO resolves in public DNS either to a domain or an A
  record, though not necessarily the same one as the sender PTR.

Exim4 will do this easily. I can no longer recall whether these are
default settings, but they are certainly only a matter of enabling
existing programmed checks. They do indeed eliminate nearly all spam,
as my email address as shown is valid and has been used freely on
Usenet for more than twelve years, so I need all the help I can get.

There's no need for the HELO to match the PTR; mine have almost no
relationship, as I lease an Internet connection from one company and a
number of domain names elsewhere, which are all hosted on my mail
server. My ISP provides complementary PTR and A records, but I do not
use the PTR hostname for anything, as it is long and rambling, though
at least it doesn't look like a DHCP-issued one.

I don't even bother varying the HELO for different sending domains,
which exim4 will do if necessary. I don't find it so; anything
resolvable in public DNS seems OK. I've even seen email from BT servers
carrying what is obviously a Microsoft private domain name as HELO, one
which ends in .local, which is not a valid top-level domain. OK, it
wouldn't get into my server, but there are obviously some which don't
check.

I occasionally use telnet to connect to a mail server to verify
something. I use a six-character HELO which is quick to type, and
which is valid, but which I have no entitlement to use at all. It is
never a problem.

There's also no need for the MX to match either HELO or PTR, as some
people suggest. Many large companies use separate send and receive
servers, many small ones receive via a spam-removing service that has
nothing to do with their own mail server.

>> Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
>>   
>>> Can rDNS lookups for different IPs return the same result such as
>>> "mail.example.com" or must each IP have its own unique PTR record
>>> name?  

Not if many mail servers are configured as mine is, and I think many
are. The complementary PTR-A record pair would not work, as your
hostname A record would only point to one IP address. But there's no
problem with multiple MX records, and as I say they don't have to match
a PTR anywhere, so there's no problem with using two different
hostnames for your two IP addresses. Just ensure the PTRs for the
addresses match the hostnames. By the way, many MTAs will accept an MX
record containing an IP address, but some won't. The SMTP RFC
specifically requires an MX record to contain a hostname, which will
have a corresponding A record which points to the IP address.

Even if your ISP will not configure the PTR to suit you, if it is
configured at all, the ISP will probably have a matching A record
pointing back to it. If the PTR isn't configured at all, and the ISP
won't do it, forget about sending mail: you have to use a smarthost.
Even mail servers which don't look for a complementary pair will still
look for the existence of a PTR.

-- 
Joe
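The three checks Joe lists (PTR exists, the PTR name's forward record points back to the connecting address, HELO resolves independently of the PTR) and his answer to Andrew's question about two addresses sharing one PTR name, worked through as an added example. This is not Joe's exim4 configuration and not code from the thread; it is a small forward-confirmed reverse DNS screen with the DNS data constructed inline (example.net hostnames, 192.0.2.x and 2001:db8:: addresses are all invented) so it runs offline. In a real MTA the two lookup functions would be replaced by actual PTR and A/AAAA queries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus HELO-resolvability screen.

Added example illustrating the checks described in the post; not the
poster's configuration. All zone data below is constructed.
"""

# Constructed reverse zone: connecting IP -> PTR target name.
PTR = {
    "192.0.2.10": "mx1.example.net",     # complementary PTR/A pair
    "192.0.2.11": "mx2.example.net",     # second address, second hostname
    "192.0.2.12": "mx1.example.net",     # shares mx1's PTR, but mx1's A
                                         # record does not point back here
    "192.0.2.20": "host-20.dhcp.isp.example",  # PTR with no matching A
    "2001:db8::25": "mx1.example.net",   # IPv6 address of the same host
}

# Constructed forward zone: hostname -> set of A/AAAA addresses.
FORWARD = {
    "mx1.example.net": {"192.0.2.10", "2001:db8::25"},
    "mx2.example.net": {"192.0.2.11"},
    "example.net": {"192.0.2.10"},
    "smtp.sender.example": {"203.0.113.5"},
}


def lookup_ptr(ip):
    """Stand-in for a PTR query; returns the name or None (NXDOMAIN)."""
    return PTR.get(ip)


def lookup_forward(name):
    """Stand-in for A/AAAA queries; returns the address set (empty if none)."""
    return FORWARD.get(name.lower().rstrip("."), set())


def check_sender_ip(ip):
    """Steps 1 and 2: PTR exists, and the PTR name resolves back to ip.

    Returns (accepted, reason). Two addresses may carry different PTR
    names and each still pass, which is the two-hostname setup the post
    recommends for a server with two Internet connections.
    """
    name = lookup_ptr(ip)
    if name is None:
        return False, "no PTR record for %s" % ip
    if ip not in lookup_forward(name):
        return False, "PTR %s does not resolve back to %s" % (name, ip)
    return True, "%s <-> %s forward-confirmed" % (ip, name)


def check_helo(helo):
    """Step 3: the HELO name must resolve in public DNS.

    It is deliberately not compared against the PTR name; a name that is
    not in the public zone (e.g. a private .local name) simply fails.
    """
    if not helo or " " in helo:
        return False
    return bool(lookup_forward(helo))


def screen_connection(ip, helo):
    """Combine the checks the way an inbound MTA policy would."""
    ok, reason = check_sender_ip(ip)
    if not ok:
        return False, reason
    if not check_helo(helo):
        return False, "HELO %s does not resolve in public DNS" % helo
    return True, reason + "; HELO %s resolves" % helo


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "example.net"),
                     ("192.0.2.11", "smtp.sender.example"),
                     ("192.0.2.12", "example.net"),
                     ("192.0.2.20", "example.net"),
                     ("2001:db8::25", "corp.local")]:
        print(ip, helo, screen_connection(ip, helo))
```

Note that 192.0.2.12 fails even though its PTR name is a perfectly good hostname: the A record for mx1.example.net lists 192.0.2.10 and the IPv6 address only, which is exactly the "complementary pair would not work" case Joe describes for one hostname spread over two IPv4 addresses. Giving each address its own name (as 192.0.2.11 has) passes.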

