Failure to check FCrDNS with long DNS replies?

Tue, 21 Jul 2020 03:56:55 -0700 

Hello,
I have a strange problem, emails coming from a specific SMTP from SFR, namely smtp26.services.sfr.fr get incorrectly filtered by a fcrdns check. The filter line in question is: 

filter check_fcrdns phase connect match !fcrdns disconnect "550 incorrect or no PTR 
record for submitting host (no FC)"



I made sure it's exactly that check, and not any other that is 
triggered, by using a specific error message.



The connecting server in my case is 93.17.128.197, which points 
back to smtp26.services.sfr.fr:


--%<-----------------------------------
$ dig -x 93.17.128.197

; <<>> DiG 9.16.2 <<>> -x 93.17.128.197
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34923
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;197.128.17.93.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
197.128.17.93.in-addr.arpa. 83568 IN    PTR     smtp26.services.sfr.fr.

;; Query time: 0 msec
;; SERVER: 127.0.0.10#53(127.0.0.10)
;; WHEN: Tue Jul 21 12:26:47 CEST 2020
;; MSG SIZE  rcvd: 91
----------------------------------->%--


And this is what smtp26.services.sfr.fr resolves to:

--%<-----------------------------------
$ dig smtp26.services.sfr.fr

; <<>> DiG 9.16.2 <<>> smtp26.services.sfr.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4219
;; flags: qr rd ra; QUERY: 1, ANSWER: 42, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp26.services.sfr.fr.                IN      A

;; ANSWER SECTION:
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.198
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.199
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.200
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.201
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.202
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.203
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.204
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.205
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.207
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.208
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.209
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.210
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.211
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.212
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.213
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.206
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.214
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.215
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.216
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.217
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.218
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.3
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.163
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.20
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.10
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.1
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.11
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.12
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.13
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.2
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.4
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.21
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.22
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.189
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.190
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.191
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.192
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.193
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.194
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.195
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.196
smtp26.services.sfr.fr. 3084    IN      A       93.17.128.197

;; Query time: 0 msec
;; SERVER: 127.0.0.10#53(127.0.0.10)
;; WHEN: Tue Jul 21 12:26:50 CEST 2020
;; MSG SIZE  rcvd: 723
----------------------------------->%--



So, from my understanding, their DNS setup is correct, and the check 
shouldn't fail. The only thing that looks suspicious to me is that 
smtp26.services.sfr.fr points to a lot of records. Their order is 
seemingly random when fetching those records, I haven't tested, yet, 
whether it works if 93.17.128.19 is one of the first records returned. 
In the lookup that's cached at the moment, it's the last record.



So... is it somehow somewhere limited how many records are checked by a 
fcrdns check?


Thank you!
























					Reply via email to