OT: Reverse Lookup Records for Mail Server

Glenn Steen glenn.steen at gmail.com
Mon Oct 9 16:06:28 IST 2006

On 09/10/06, Billy A. Pumphrey <bpumphrey at woodmclaw.com> wrote:
> In the WIKI
> http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted
> The below is written.  I have known this to be a good practice for
> sometime, but DNS gets a little confusing for me sometimes.  I apologize
> for all of the OT that I do, but just searching the internet does not
> give suggestions.
> Have a reverse lookup that matches your HELO/EHLO.
> Many of these policies stem from the fact that spammers will forge
> addresses. When you send mail to a system that doesn't know you, you've
> become a potential spammer. You must show that you can be trusted before
> you will be trusted, and one way of doing that is to have a reverse
> lookup that matches what your system says it is. Unfortunately, this may
> be a problem in virtual hosting situations. At the very least make sure
> that your MX is listed in DNS as the name that will respond to the HELO.
> See RFC 2821 for more information on the SMTP command HELO.

What this means is that if your host says it is host.example.net,
looking up the IP address you are connecting as should lead to that
name (and if that's not possible, for some unknowable reason... The MX
pointed to for example.net should be the hostnme you helo as...).

> If the MailScanner machine is on the internal network, as in not in a
> DMZ, and host name ends not in the domain name, how does one set it up?
> Host names ends in host.domain.local.

Thing is  that .local isn't a top level domain that you should
"spread" to the internet. If one were to try reach your host from the
internet, one would look up the MX for your domain, and go to that
address... What that host "thinks" it is named is pretty irrelevant,
as long as it answers in accordance to the _public_ DNS settings. So
in your case, you have a _private_ DNS setup that is geared toward a
(broken IMO) AD setup (the gospel according to M$... Sigh), and a
_public_ DNS entry for your MX gateway. This type of "split view" is
rather common. One might opt for not confusing oneself by not having
two separate naming spaces, but rather the same names, but different
views instead (much better:-).

> Does the host name just need to be changed to host.domaain.com?  That
> would seemingly cause problems communicating with the internal machines,
> or would it?

Not really, no. It all depends on how you do things:-). As long as you
can find your way to MS-exchange.example.local (and the other way
around) and you have setup trusts etc, you should be fine.

> So if the host name is mailscanner.domain.com, Then the reverse dns
> should be mailscanner.domain.com right?  Sounds right to me.
> What happens when the reverse DNS is mailscanner.domain.com but the
> actual host name is mailscanner.domain.local?

As long as you set it up to accept for the domains involved, I see no
real problem. Handling a true split view DNS setup is rather more easy
than the .local idiocy... At least to my eyes:-).

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list