I think that's exactly what you said, at least that's how I read it... although it's late here too :)

>>> [EMAIL PROTECTED] 01/12/04 10:37PM >>>
Jeffrey Laramie wrote:

>Tracy wrote:
>
>>At 19:47 1/12/2004, Jeffrey Laramie wrote:
>>
>>>In a standard DNS configuration you would have a domain 'zone' file for
>>>each domain name and a 'reverse lookup' zone file for each block of IPs.
>>>The zone file typically has records that resolve a name to an IP address:
>>>
>>>myhost A 12.34.56.78
>>>
>>>The reverse lookup zone file has the opposite record:
>>>
>>>78 PTR myhost.mydomain.org
>>>
>>>The reverse lookup zone file knows what domain each IP is in. If a
>>>remote mail server does a reverse lookup and gets mydomain instead of
>>>myseconddomain, then it's configured wrong and you need to contact the
>>>ISP or whomever handles DNS for these domains. It would be good policy
>>>for the remote mail server to reject any address that fails RDNS lookup
>>>since it's most likely either spoofed or broken.
>>
>>There are cases where there is overlap between multiple domains and the
>>same IP space (web hosting comes most prominently to mind, but there are
>>other situations).
>>
>>For instance, if you look up the following DNS names:
>>
>>mail.vbot.org
>>mail.arisiasoft.com
>>
>>You will find they both resolve as 66.219.172.36 - if you look up
>>66.219.172.36, it should resolve as:
>>
>>karen.arisiasoft.com
>>
>>You'll note that neither of the mail names matches the PTR record (one
>>matches at the primary domain level, but not a complete match). Both of the
>>mail. DNS names point to the same machine - mail for both domains is hosted
>>there (on the same copy of Xmail).
>
>True. I have a reverse zone file for each IP range I provide DNS for,
>but each IP only has one PTR record. Likewise each domain zone file
>generally should have only one A record for each IP, although there can
>be many CNAMEs. Virtual domains can be assigned an IP or will use the IP
>of the host as in your case.
>
>>>If a
>>>remote mail server does a reverse lookup and gets mydomain instead of
>>>myseconddomain, then it's configured wrong and you need to contact the
>>>ISP or whomever handles DNS for these domains.
>>
>>If I understand your logic here, you are saying that because mail.vbot.org
>>--> 66.219.172.36 --> karen.arisiasoft.com, you would recommend rejecting
>>all mail from mail.vbot.org? Even though it has a valid RDNS (even if it
>>doesn't match the original DNS name), and a valid MX record for the domain
>>pointing to the same IP address?
>
>Does your SMTP server identify itself as mail.vbot.org,
>mail.arisiasoft.com, or karen.arisiasoft.com? Does it change depending
>on who sends the mail? I'm pretty sure the server only identifies itself
>by one name and that should be karen.arisiasoft.com which should pass
>the RDNS check. If for some reason it doesn't, I believe you can set the
>HeloDomain variable to ensure the RDNS check works properly, correct?
>
>>I think if you followed through on that, you would end up rejecting a lot
>>of mail from a lot of places...
>
>I may be misunderstanding how the mail server uses DNS, but I thought
>that an SMTP server should always identify itself by its host name as
>listed by the PTR record and not by the virtual domains it handles. When
>a mail server uses SMTP-RDNS to verify the identity of the sending host
>doesn't it check the IP of the sending host against the IP returned by

What I tried to say here was: ...doesn't it check the IP of the sending
host and compare the host name to the name returned by RDNS... It's
getting too late to think this hard :-)

>RDNS to determine if the host is indeed who it says it is? I've used
>SMTP-RDNS since I started using XMail and I've never noticed any valid
>mail getting rejected (although, getting back to my original point, if a
>system is mis-configured it could happen). If I'm off track here maybe
>you could clarify this for me ;-)
>
>Jeff
>
>-
>To unsubscribe from this list: send the line "unsubscribe xmail" in
>the body of a message to [EMAIL PROTECTED]
>For general help: send the line "help" in the body of a message to
>[EMAIL PROTECTED]
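The two readings of the RDNS check that Jeff and Tracy are discussing above, as an added example that is not code from the original thread or from XMail: a strict policy where the HELO name must equal the PTR name, beside a forward-confirmed policy where the PTR name and the HELO name must both resolve back to the connecting IP. The zone data is constructed from the hosts named in the thread and the `check_sender` function is an illustration, not XMail's SMTP-RDNS implementation.

```python
import ipaddress

# Constructed zone data modelled on the hosts named in the thread
# (illustrative only, not live DNS).
ZONES = {
    "A": {
        "mail.vbot.org": {"66.219.172.36"},
        "mail.arisiasoft.com": {"66.219.172.36"},
        "karen.arisiasoft.com": {"66.219.172.36"},
        "myhost.mydomain.org": {"12.34.56.78"},
    },
    "PTR": {
        "36.172.219.66.in-addr.arpa": "karen.arisiasoft.com",
        "78.56.34.12.in-addr.arpa": "myhost.mydomain.org",
    },
}


def lookup_ptr(ip, zones=ZONES):
    """Reverse lookup: IPv4 address -> PTR name (None if no PTR)."""
    return zones["PTR"].get(ipaddress.ip_address(ip).reverse_pointer)


def lookup_a(name, zones=ZONES):
    """Forward lookup: name -> set of IPv4 addresses (empty if unknown)."""
    return zones["A"].get(name.lower().rstrip("."), set())


def check_sender(ip, helo, strict=False, zones=ZONES):
    """Return (verdict, reason) for a connecting IP and its HELO name.

    strict=True  : HELO must equal the PTR name (Jeff's reading).
    strict=False : forward-confirmed rDNS; the PTR name and the HELO name
                   must both resolve back to the connecting IP (Tracy's case).
    """
    ptr = lookup_ptr(ip, zones)
    if ptr is None:
        return "reject", "no PTR record for %s" % ip
    if ip not in lookup_a(ptr, zones):
        return "reject", "PTR %s does not resolve back to %s" % (ptr, ip)
    helo = helo.lower().rstrip(".")
    if strict:
        if helo != ptr.lower():
            return "reject", "HELO %s != PTR %s" % (helo, ptr)
        return "accept", "HELO matches PTR %s" % ptr
    if ip not in lookup_a(helo, zones):
        return "reject", "HELO %s does not resolve to %s" % (helo, ip)
    return "accept", "HELO %s and PTR %s both resolve to %s" % (helo, ptr, ip)
```

With this data, `check_sender("66.219.172.36", "mail.vbot.org")` accepts under the forward-confirmed policy and rejects under `strict=True`, which is exactly the disagreement in the thread; a HELO name that does not resolve to the connecting IP is rejected under both.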
