Jeffrey Laramie wrote:

>Tracy wrote:
>
>>At 19:47 1/12/2004, Jeffrey Laramie wrote:
>>
>>>In a standard DNS configuration you would have a domain 'zone' file for
>>>each domain name and a 'reverse lookup' zone file for each block of IPs.
>>>The zone file typically has records that resolve a name to an IP address:
>>>
>>>myhost A 12.34.56.78
>>>
>>>The reverse lookup zone file has the opposite record:
>>>
>>>78 PTR myhost.mydomain.org
>>>
>>>The reverse lookup zone file knows what domain each IP is in. If a
>>>remote mail server does a reverse lookup and gets mydomain instead of
>>>myseconddomain, then it's configured wrong and you need to contact the
>>>ISP or whomever handles DNS for these domains. It would be good policy
>>>for the remote mail server to reject any address that fails RDNS lookup
>>>since it's most likely either spoofed or broken.
>>
>>There are cases where there is overlap between multiple domains and the
>>same IP space (web hosting comes most prominently to mind, but there are
>>other situations).
>>
>>For instance, if you look up the following DNS names:
>>
>>mail.vbot.org
>>mail.arisiasoft.com
>>
>>You will find they both resolve as 66.219.172.36 - if you look up
>>66.219.172.36, it should resolve as:
>>
>>karen.arisiasoft.com
>>
>>You'll note that neither of the mail names match the PTR record (one
>>matches at the primary domain level, but not a complete match). Both of the
>>mail. DNS names point to the same machine - mail for both domains is hosted
>>there (on the same copy of Xmail).
>
>True. I have a reverse zone file for each IP range I provide DNS for,
>but each IP only has one PTR record. Likewise each domain zone file
>generally should have only one A record for each IP, although there can
>be many CNAMEs. Virtual domains can be assigned an IP or will use the IP
>of the host as in your case.
>
>>>If a
>>>remote mail server does a reverse lookup and gets mydomain instead of
>>>myseconddomain, then it's configured wrong and you need to contact the
>>>ISP or whomever handles DNS for these domains.
>>
>>If I understand your logic here, you are saying that because mail.vbot.org
>>--> 66.219.172.36 --> karen.arisiasoft.com, you would recommend rejecting
>>all mail from mail.vbot.org? Even though it has a valid RDNS (even if it
>>doesn't match the original DNS name), and a valid MX record for the domain
>>pointing to the same IP address?
>
>Does your SMTP server identify itself as mail.vbot.org,
>mail.aristiasoft.com, or karen.aristiasoft.com? Does it change depending
>on who sends the mail? I'm pretty sure the server only identifies itself
>by one name and that should be karen.aristiasoft.com which should pass
>the RDNS check. If for some reason it doesn't, I believe you can set the
>HeloDomain variable to ensure the RDNS check works properly, correct?
>
>>I think if you followed through on that, you would end up rejecting a lot
>>of mail from a lot of places...
>
>I may be misunderstanding how the mail server uses DNS, but I thought
>that a SMTP server should always identify itself by its host name as
>listed by the PTR record and not by the virtual domains it handles. When
>a mail server uses SMTP-RDNS to verify the identity of the sending host
>doesn't it check the IP of the sending host against the IP returned by
>
What I tried to say here was:

...doesn't it check the IP of the sending host and compare the host name
to the name returned by RDNS...

It's getting too late to think this hard :-)

>RDNS to determine if the host is indeed who it says it is? I've used
>SMTP-RDNS since I started using XMail and I've never noticed any valid
>mail getting rejected (although, getting back to my original point, if a
>system is mis-configured it could happen). If I'm off track here maybe
>you could clarify this for me ;-)
>
>Jeff
>
>-
>To unsubscribe from this list: send the line "unsubscribe xmail" in
>the body of a message to [EMAIL PROTECTED]
>For general help: send the line "help" in the body of a message to
>[EMAIL PROTECTED]
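
Added example, not part of the original thread and not XMail code: the two reverse-DNS policies debated above (PTR must forward-confirm to the connecting IP, versus additionally requiring the HELO name to equal the PTR name), run over the hosts quoted in the thread. The DNS tables are constructed; the A record for karen.arisiasoft.com and the 192.0.2.10 / mx.example.net entries are assumptions, and nothing here claims to describe how XMail's SMTP-RDNS option behaves.

```python
# Added illustration; DNS data is constructed from names quoted in the thread.
A = {  # forward (A) records
    "mail.vbot.org": ["66.219.172.36"],
    "mail.arisiasoft.com": ["66.219.172.36"],
    "karen.arisiasoft.com": ["66.219.172.36"],  # assumption: PTR name resolves back
    "mx.example.net": ["198.51.100.7"],         # constructed
}
PTR = {  # reverse (PTR) records
    "66.219.172.36": ["karen.arisiasoft.com"],
    "192.0.2.10": ["mx.example.net"],           # constructed: does not resolve back
}

def norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr=PTR, a=A):
    """Evaluate the reverse-DNS checks discussed in the thread for one SMTP client."""
    ptr_names = [norm(n) for n in ptr.get(ip, [])]
    # Forward-confirmed reverse DNS: a PTR name must resolve back to the client IP.
    confirmed = [n for n in ptr_names if ip in a.get(n, [])]
    return {
        "has_ptr": bool(ptr_names),
        "fcrdns": bool(confirmed),
        "helo_is_ptr_name": norm(helo) in confirmed,
        "helo_resolves_to_ip": ip in a.get(norm(helo), []),
    }

def verdict(r, require_helo_match=False):
    """Accept/reject under FCrDNS only, or FCrDNS plus HELO == PTR name."""
    if not r["fcrdns"]:
        return "reject"
    if require_helo_match and not r["helo_is_ptr_name"]:
        return "reject"
    return "accept"

if __name__ == "__main__":
    cases = [
        ("66.219.172.36", "karen.arisiasoft.com"),  # HELO equals PTR name
        ("66.219.172.36", "mail.vbot.org"),         # virtual-domain HELO, same IP
        ("192.0.2.10", "mail.vbot.org"),            # PTR exists but is not confirmed
        ("203.0.113.5", "mail.vbot.org"),           # no PTR at all
    ]
    for ip, helo in cases:
        r = check_sender(ip, helo)
        print(ip, helo, verdict(r), verdict(r, require_helo_match=True), r)
```

The second case is the one the thread argues over: the host passes forward-confirmed reverse DNS, and is rejected only when the HELO name is also required to equal the PTR name.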
