AOL blocking MailScanner messages!
John Rudd
jrudd at UCSC.EDU
Fri Dec 5 07:36:24 GMT 2003

1) So why can't you route all of your outgoing mail through your ISP?
(I know, some people do, and some people don't ... I don't, but my
reverse DNS works, so I don't need to ... but, that IS what you're
supposed to be doing, so if you're having problems, why not do what
you're supposed to be doing instead?)

2) If you don't control the in-addr for your IP block, then presumably
it's your ISP's -- so make them fix their in-addr allocation. The
problem isn't that the in-addr information has to match your mail
domain, it just has to _exist_ (mail always comes from hosts that don't
match the mail domain indicated). If it doesn't, and it's not your
block to host on your DNS server, then your ISP isn't doing their job.
Make them fix it, or switch to an ISP that isn't broken.

3) If they won't fix it, then ask them to delegate those addresses to
you with NS records (which can be done on a per-IP addr basis, it
doesn't have to be done in full class-C blocks).

On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote:
>
> On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to
> have said:
>>
>> If not, admins on the other end need to get off their ass and make
>> their networking correct, complete and in compliance with the RFCs.
>
> I've only been skimming this thread, so this may have been stated
> already. If so, I apologize...
>
> You're forgetting that reverse dns is a totally different animal than
> forward, and that just about anyone with less than a /24 (and many
> with a /24 or larger) don't have the reverse zones delegated to their
> servers. If I own foo.com, I can easily create any forward entry in
> the foo.com domain, but making something in the in-addr.arpa domain
> point to mailserver.foo.com is not nearly as easy.
>
> As a for instance, the machine I'm sending this message from is on a
> RoadRunner network. We've got a block of addresses allocated to us and
> despite repeated assurances that they would delegate the in-addr.arpa
> zone for our netblock to our dns server, it's never happened. Now if
> RR managed to have a corrupt zone file, forgot to generate PTR records
> for our netblock or for some other reason wasn't on the ball, I'd be
> "an admin who was sitting on my ass not making my network correct"? I
> think not. My dns server is properly configured to serve requests for
> the /28 we've been allocated but RR is still in control of the zone.
>
> Then there's network outages, software failures, fiber cuts, DDoS
> attacks, etc, etc to consider. You'll reject mail just because the DNS
> server serving the in-addr.arpa zone for the connecting machine is
> unreachable?
>
> I can see adding a warning header or something innocuous like that,
> but outright rejecting mail from machines without RDNS properly
> configured is overkill, IMHO.
>
>
> Steve
>
>
> --
> "Blessed is the man, who having nothing to say, abstains from giving
> wordy evidence of the fact."
> - George Eliot (1819-1880)
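
The per-address NS delegation from point 3, worked through for a /28 as an added example (not part of the original message or of MailScanner): the first function builds the records the ISP places in its reverse zone, the second the small zone the customer's server then answers for one address. The 192.0.2.16/28 block, the foo.example host names and the SOA timers are constructed assumptions.

```python
import ipaddress


def parent_delegations(block, nameservers):
    """Records for the ISP's in-addr.arpa zone: one NS set per address in the block."""
    net = ipaddress.ip_network(block)
    if net.version != 4 or net.prefixlen <= 24:
        # A /24 or larger is delegated as a whole zone, not address by address.
        raise ValueError("per-address delegation applies to IPv4 blocks smaller than a /24")
    records = []
    for addr in net:  # every address in the block, network and broadcast included
        owner = addr.reverse_pointer + "."  # e.g. 17.2.0.192.in-addr.arpa.
        records += [f"{owner} IN NS {ns}" for ns in nameservers]
    return records


def customer_zone(addr, hostname, nameservers, hostmaster):
    """Zone the customer's server hosts for one delegated address (PTR sits at the apex)."""
    owner = ipaddress.ip_address(addr).reverse_pointer + "."
    # SOA serial and timers are placeholder values for the example.
    records = [f"{owner} IN SOA {nameservers[0]} {hostmaster} 2003120501 3600 900 604800 3600"]
    records += [f"{owner} IN NS {ns}" for ns in nameservers]
    records.append(f"{owner} IN PTR {hostname}")
    return records


if __name__ == "__main__":
    ns = ["ns1.foo.example."]  # constructed name server
    print("; ISP side, inside 2.0.192.in-addr.arpa")
    print("\n".join(parent_delegations("192.0.2.16/28", ns)))
    print("; customer side, zone 17.2.0.192.in-addr.arpa")
    print("\n".join(customer_zone("192.0.2.17", "mailserver.foo.example.",
                                  ns, "hostmaster.foo.example.")))
```

Once both sides are loaded, a PTR lookup for 192.0.2.17 follows the ISP's NS record to the customer's server, so the receiving MTA finds that reverse DNS exists without the ISP maintaining the PTR itself.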