On Mon, 19 Sep 2016, Mike Tubby wrote:

My point is that there's nothing in any of the RFCs that says your reverse DNS must work which is why we perform our checking against known block lists such as SpamHaus et. al.


This may be true, but the reality of mail receiving is that sending IPs which are NXDOMAIN are generally safe to reject mail from.



Our experience is that rDNS cannot be used reliably for several reasons that include:

   * multiple hosts behind load balancer


Outbound hosts typically don't go through a load-balancer.


* mis-match between exact host and generic host like "mx01a.megacorp.com" and "mx.megacorp.com"


I make no claims as to mismatches. I do agree if you're going to to a fcrDNS check, it's best to be lenient if the names are different but are
in the same domain.


* internal hosts calling out through firewalls, eg. host MSEXCH01.internal.megacorp.com calls out through a firewall with a public IP that either reverses to "fw.megacorp.com" or in case of some organisations like the police is simply anonymous (no rDNS)



See above.

hence our experience is that it is dangerous to attribute lack of correct rDNS to being SPAM, however YMMV ;-)


There's a difference between lack of correct rDNS, and NXDOMAIN, and SERVFAIL.

The first, see my comments above.  The second, rejecting is relatively
safe.  The third, deferral is recommended.

--
--------------------------------------------------------
Dave Lugo   dl...@etherboy.com    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.
--------------------------------------------------------
Are you the police?  . . . .  No ma'am, we're sysadmins.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to