On Mon, 19 Sep 2016, Mike Tubby wrote:
My point is that there's nothing in any of the RFCs that says your reverse
DNS must work which is why we perform our checking against known block lists
such as SpamHaus et. al.
This may be true, but the reality of mail receiving is that sending IPs
which are NXDOMAIN are generally safe to reject mail from.
Our experience is that rDNS cannot be used reliably for several reasons that
include:
* multiple hosts behind load balancer
Outbound hosts typically don't go through a load-balancer.
* mis-match between exact host and generic host like "mx01a.megacorp.com"
and "mx.megacorp.com"
I make no claims as to mismatches. I do agree if you're going to to a
fcrDNS check, it's best to be lenient if the names are different but are
in the same domain.
* internal hosts calling out through firewalls, eg. host
MSEXCH01.internal.megacorp.com calls out through a firewall with a public IP
that either reverses to "fw.megacorp.com" or in case of some organisations
like the police is simply anonymous (no rDNS)
See above.
hence our experience is that it is dangerous to attribute lack of correct
rDNS to being SPAM, however YMMV ;-)
There's a difference between lack of correct rDNS, and NXDOMAIN, and
SERVFAIL.
The first, see my comments above. The second, rejecting is relatively
safe. The third, deferral is recommended.
--
--------------------------------------------------------
Dave Lugo [email protected] LC Unit #260 TINLC
Have you hugged your firewall today? No spam, thanks.
--------------------------------------------------------
Are you the police? . . . . No ma'am, we're sysadmins.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
