Arnold,

I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.

Mike Walter, MCP
3z.net a PCD Company <http://www.3z.net>
"When Success is the Only Solution t h i n K 3z.net"

-----Original Message-----
From: Arnold Nipper [mailto:arnold@nipper.de]
Sent: Monday, April 05, 2004 5:03 PM
To: NANOG
Subject: Mailserver requirements

Today I ran across an MTA which refused to accept mail because it could not detect an MX record for the reverse mapping of the IP address of the server which tried to deliver mail. Is this correct? Or: if A is the IP Address of server trying to deliver mail, does mx(reverse(A)) have to exist?

-- Arnold
Mike, On 05.04.2004 23:18 Mike Walter wrote:
Arnold, I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record. Arnold
On Mon, Apr 05, 2004 at 11:32:08PM +0200, Arnold Nipper wrote:
I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
Does it have an A RR? Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address. Regards, Daniel
On 05.04.2004 23:42 Daniel Roesen wrote:
On Mon, Apr 05, 2004 at 11:32:08PM +0200, Arnold Nipper wrote:
I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
Does it have an A RR?
It also does have an A RR. And the forward mapping does also match the IP address.
Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
In this case the host *sends* mail ... Arnold
On Mon, Apr 05, 2004 at 11:53:15PM +0200, Arnold Nipper wrote:
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
Does it have an A RR?
It also does have an A RR. And the forward mapping does also match the IP address.
OK, so the check is even broken in what it probably tries to verify... that the reverse-domain of the sender IP would (possibly) be able to receive mail (bounces).
Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
In this case the host *sends* mail ...
Sure. I was discussing the requirements for domains regarding email. In this specific case, "domain" being the domain of the PTR of the sending MTA host. Regards, Daniel
On Tue 06 Apr 2004 (00:55 +0200), Daniel Roesen wrote:
On Mon, Apr 05, 2004 at 11:53:15PM +0200, Arnold Nipper wrote:
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
Does it have an A RR?
It also does have an A RR. And the forward mapping does also match the IP address.
OK, so the check is even broken in what it probably tries to verify... that the reverse-domain of the sender IP would (possibly) be able to receive mail (bounces).
Why would bounces go to an outbound mail server? They go to the envelope sender, which might well be in a different domain. The check is simply ill-advised and will cause the system running such a check to have cut itself off from a large number of legitimate sources of email.
Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
In this case the host *sends* mail ...
Sure. I was discussing the requirements for domains regarding email.
In this specific case, "domain" being the domain of the PTR of the sending MTA host.
If you are sending mail via a virtual ISP, then the 'real' ISP's mail servers will probably be in a different domain than your virtual ISP which might be a different domain than your account. Checking mail reachability of an outbound MTA is simply absurd. -- Jim Segrave jes@nl.demon.net
On Mon, 05 Apr 2004 23:42:28 +0200, Daniel Roesen <dr@cluenet.de> said:
Anyway... it's a heuristic which definitely does give false positives. The only requirement is that IF a domain/host accepts mail there MUST be a postmaster@ address.
If you squint and cross your eyes, you can even convince yourself that RFC2821 says it's OK for said address to be bouncing due to over-quota conditions, because the requirement is for existence, not for usability. :)
On Mon, 05 Apr 2004 23:32:08 +0200 Arnold Nipper <arnold@nipper.de> wrote:
On 05.04.2004 23:18 Mike Walter wrote:
I am surprised you don't have problems sending to AOL as well. They don't accept email from servers that do not have reverse addresses. I don't accept email from servers without reverse addressing.
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
yes, and that's what's wacky. there is no requirement in the RFCs that i'm aware of that mail senders have MX records pointing back at them. there's not even a requirement for MX records for a domain, the SMTP RFCs clearly indicate that in the absence of an MX record, an A record will suffice. for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
* rwelty@averillpark.net (Richard Welty) [Mon 05 Apr 2004, 23:50 CEST]:
of course this server does have a reverse mapping. But this reverse mapped domain does not have an MX record.
yes, and that's what's wacky. there is no requirement in the RFCs that i'm aware of that mail senders have MX records pointing back at them.
On Mon, 05 Apr 2004 23:32:08 +0200 Arnold Nipper <arnold@nipper.de> wrote: there's not even a requirement for MX records for a domain, the SMTP RFCs clearly indicate that in the absence of an MX record, an A record will suffice.
People do all sorts of wacky things in the name of policy. The .za registrar, for example, required nameservers for domains in it to respond authoritatively and positively to questions about PTR records for its (the nameserver's) own IP address... -- Niels. -- Today's subliminal thought is:
--On Monday, April 05, 2004 5:48 PM -0400 Richard Welty <rwelty@averillpark.net> wrote:
for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread.
While I think it's pretty anal-retentive to require a mail sender to have a valid MX record, I don't see what would be so hard about setting up MX records for this scenario:

    inbound-mx01  IN A   192.168.1.98
    inbound-mx02  IN A   192.168.1.99
    outbound-01   IN A   192.168.1.100
                  IN MX  10 inbound-mx01
                  IN MX  20 inbound-mx02

Or am I missing something?

-J
-- Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
On Mon, 05 Apr 2004 20:03:58 -0400 Jeff Workman <jworkman@pimpworks.org> wrote:
--On Monday, April 05, 2004 5:48 PM -0400 Richard Welty <rwelty@averillpark.net> wrote:
for that matter, if i were running a very very large mail farm with high volume in one or both directions, separating the inbound mail handlers (MX hosts) from the outbound mail relays would be something that i'd seriously consider doing as part of the architecture. this would interact very badly with the mail rejection strategy outlined in the original post in this thread.
While I think it's pretty anal-retentive to require a mail sender to have a valid MX record, I don't see what would be so hard about setting up MX records for this scenario:
<snip>
Or am I missing something?
yes. what's hard about it is getting every single mail server on the public internet to suddenly be set up this way so that they can talk to one single mail server with a "novel" policy. ain't going to happen. false positive city. cheers, richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
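Added example, not part of any message in the thread: a small offline model of the three sender checks discussed above (PTR exists, forward-confirmed reverse DNS, and the disputed mx(reverse(A)) test), showing which legitimate senders the MX test rejects. The zone data, host names and the function names `lookup`, `reverse_name`, `check_sender` and `mx_policy_false_positives` are constructed for illustration; only IPv4 is handled.

```python
# Constructed DNS data (not from the thread): name -> record type -> values.
ZONE = {
    # Arnold's case: PTR exists, A matches the IP, but no MX on the PTR name.
    "10.2.0.192.in-addr.arpa": {"PTR": ["out1.example.net"]},
    "out1.example.net": {"A": ["192.0.2.10"]},
    # Jeff Workman's layout: outbound host carries MX records for the inbound hosts.
    "20.2.0.192.in-addr.arpa": {"PTR": ["out2.example.net"]},
    "out2.example.net": {"A": ["192.0.2.20"],
                         "MX": ["inbound-mx01.example.net",
                                "inbound-mx02.example.net"]},
    # PTR exists but the forward lookup points elsewhere (fails FCrDNS).
    "30.2.0.192.in-addr.arpa": {"PTR": ["host.example.org"]},
    "host.example.org": {"A": ["198.51.100.7"]},
    # 192.0.2.40 has no PTR record at all.
}

def lookup(name, rtype, zone=ZONE):
    """Return the records of one type for a name from the in-memory zone."""
    return zone.get(name.rstrip(".").lower(), {}).get(rtype, [])

def reverse_name(ip):
    """Build the in-addr.arpa name for a dotted-quad IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def check_sender(ip, zone=ZONE):
    """Evaluate the three checks for a connecting client IP."""
    ptrs = lookup(reverse_name(ip), "PTR", zone)
    return {
        "has_ptr": bool(ptrs),                                    # reverse address exists
        "fcrdns": any(ip in lookup(p, "A", zone) for p in ptrs),  # forward matches the IP
        "mx_of_ptr": any(lookup(p, "MX", zone) for p in ptrs),    # mx(reverse(A)) exists
    }

def mx_policy_false_positives(ips, zone=ZONE):
    """Senders with correct forward and reverse DNS that the MX test still rejects."""
    out = []
    for ip in ips:
        r = check_sender(ip, zone)
        if r["fcrdns"] and not r["mx_of_ptr"]:
            out.append(ip)
    return out

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]:
        print(ip, check_sender(ip))
    print("rejected only by MX test:",
          mx_policy_false_positives(["192.0.2.10", "192.0.2.20"]))
```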
participants (8)
- Arnold Nipper
- Daniel Roesen
- Jeff Workman
- Jim Segrave
- Mike Walter
- Niels Bakker
- Richard Welty
- Valdis.Kletnieks@vt.edu