Greylisting (WAS: gif attachments)
John Rudd
jrudd at ucsc.edu
Thu Aug 24 01:21:49 IST 2006
On Aug 23, 2006, at 16:28, Michele Neylon:: Blacknight.ie wrote:
> John Rudd wrote:
>>
>> a) had no PTR record,
>
> Reasonable enough
>
>> b) PTR and A record didn't match, or
>
> So what about shared hosting??
>
The PTR record doesn't have to reflect any of the virtual/hosted
domains. Assuming that the virtual/hosted domains are all sharing 1 IP
address, instead of having virtual interfaces:
Let's say you have the machine's actual nodename foo.A.com
and it hosts mail with hostnames mail.B.com mail.C.com and mail.D.com
You can have records such as:
foo.A.com IN A W.X.Y.Z
mail.B.com IN A W.X.Y.Z
mail.C.com IN A W.X.Y.Z
mail.D.com IN A W.X.Y.Z
Z.X.Y.W.in-addr.arpa IN PTR foo.A.com.
Thus, the PTR record points to an A record which then matches the PTR
record. This satisfies what I think most people see as the intent of
section 2.1 of RFC 1912 (the one which states that your PTR and A
records should match). The fact that there are other A records besides
the one that matches the PTR record is ok.
The only problem you might have is if the receiving host is NOT RFC
COMPLIANT and is rejecting sessions based upon the HELO/EHLO string.
You can get around this if your helo string is always "foo.A.com" and
not one of the mail.[B-D].com hostnames. Or you can switch to using
virtual network interfaces for each hosted domain. Or you can decide
not to care about recipients whose mail servers aren't RFC compliant.
As for me being the recipient and blocking if their PTR record doesn't
lead to an A record which has an IP address that matches the machine
connected to me ... if they aren't going to set up their DNS records
like the above, then I'm not confident that they're a legitimate mail
service. And I give them an error which specifically says "you're not
RFC 1912 compliant".
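The check described in this message, as an added example that is not part of the original post or of MailScanner: a forward-confirmed reverse DNS (FCrDNS) test in Python that walks connecting IP -> PTR -> A and accepts only if the A set contains the connecting IP, which is exactly why the shared-hosting layout above passes (extra A records for mail.B.com etc. do not matter; only the PTR target's own A records are consulted). It runs offline against a constructed in-memory zone table: foo.A.com and mail.[B-D].com mirror the post, while the other names, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses, the FakeResolver class and the 550 reply text are assumptions for illustration, not real DNS data or MailScanner's own wording.

```python
import ipaddress

# Constructed zone data (not real DNS): one shared IP, one PTR, several A records,
# plus a few deliberately broken cases to exercise each failure mode.
A_RECORDS = {
    "foo.a.com": ["192.0.2.10"],          # the machine's real nodename
    "mail.b.com": ["192.0.2.10"],         # hosted domains sharing that IP
    "mail.c.com": ["192.0.2.10"],
    "mail.d.com": ["192.0.2.10"],
    "mta.rogue.example": ["198.51.100.5"],        # PTR target resolves elsewhere
    "mx.pool.example": ["203.0.113.7", "203.0.113.8"],  # round-robin name
}

# PTR data keyed by the in-addr.arpa name, built with ipaddress so the
# octet reversal (Z.Y.X.W.in-addr.arpa) is done the same way a resolver would.
PTR_RECORDS = {
    ipaddress.ip_address(ip).reverse_pointer: name
    for ip, name in {
        "192.0.2.10": "foo.A.com.",          # shared host: PTR -> nodename only
        "192.0.2.20": "mta.rogue.example.",  # PTR and A disagree
        "192.0.2.40": "ghost.example.",      # PTR target has no A record
        "203.0.113.8": "mx.pool.example.",   # one of several A records matches
        # 192.0.2.30 and 203.0.113.7 intentionally have no PTR at all
    }.items()
}


def _norm(name: str) -> str:
    """DNS names are case-insensitive; strip the trailing dot for dict lookups."""
    return name.lower().rstrip(".")


class FakeResolver:
    """Stand-in for a DNS resolver so the example runs without network access."""

    def ptr(self, reverse_name: str):
        return PTR_RECORDS.get(_norm(reverse_name))

    def a(self, name: str):
        return A_RECORDS.get(_norm(name), [])


RESOLVER = FakeResolver()


def fcrdns_check(ip: str, resolver=RESOLVER) -> tuple[str, str]:
    """Forward-confirmed reverse DNS.

    Returns (status, detail) where status is one of
    "no_ptr", "no_a", "mismatch", "ok".
    """
    addr = ipaddress.ip_address(ip)
    rev = addr.reverse_pointer                     # e.g. 10.2.0.192.in-addr.arpa
    ptr_name = resolver.ptr(rev)
    if ptr_name is None:
        return "no_ptr", f"{ip} has no PTR record ({rev})"

    a_ips = {ipaddress.ip_address(x) for x in resolver.a(ptr_name)}
    if not a_ips:
        return "no_a", f"PTR {ptr_name} has no A record"
    if addr not in a_ips:
        return "mismatch", f"PTR {ptr_name} -> {sorted(map(str, a_ips))} does not include {ip}"
    return "ok", f"{ip} -> {ptr_name} -> {ip}"


def smtp_reply(ip: str, resolver=RESOLVER) -> str:
    """SMTP banner/greeting reply a receiving MTA might send based on the check.

    The 550 text is an assumed wording that names RFC 1912 section 2.1, in the
    spirit of the message above; it is not MailScanner's own reply string.
    """
    status, detail = fcrdns_check(ip, resolver)
    if status == "ok":
        return f"250 OK ({detail})"
    return f"550 5.7.1 {ip}: PTR and A records do not match, not RFC 1912 section 2.1 compliant ({detail})"


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.20", "192.0.2.30",
                   "192.0.2.40", "203.0.113.8", "203.0.113.7"):
        print(sample, "->", smtp_reply(sample))
```

Note that the round-robin case (mx.pool.example with two A records) is accepted only for the address whose PTR actually names it; 203.0.113.7 fails because it carries no PTR, not because the name has more than one A record. That is the same logic that makes the shared-hosting layout pass: the check is "PTR target's A set contains the connecting IP", never "every name resolving to this IP matches the PTR".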