OT: Reverse Lookup Records for Mail Server

Billy A. Pumphrey bpumphrey at woodmclaw.com
Mon Oct 9 19:35:06 IST 2006


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: Monday, October 09, 2006 11:06 AM
> To: MailScanner discussion
> Subject: Re: OT: Reverse Lookup Records for Mail Server
> 
> On 09/10/06, Billy A. Pumphrey <bpumphrey at woodmclaw.com> wrote:
> > In the WIKI
> > http://wiki.mailscanner.info/doku.php?id=best_practices&s=trusted
> >
> > The below is written.  I have known this to be a good practice for
> > some time, but DNS gets a little confusing for me sometimes.  I apologize
> > for all of the OT that I do, but just searching the internet does not
> > give suggestions.
> >
> > Have a reverse lookup that matches your HELO/EHLO.
> > Many of these policies stem from the fact that spammers will forge
> > addresses. When you send mail to a system that doesn't know you, you've
> > become a potential spammer. You must show that you can be trusted before
> > you will be trusted, and one way of doing that is to have a reverse
> > lookup that matches what your system says it is. Unfortunately, this may
> > be a problem in virtual hosting situations. At the very least make sure
> > that your MX is listed in DNS as the name that will respond to the HELO.
> > See RFC 2821 for more information on the SMTP command HELO.
> 
> What this means is that if your host says it is host.example.net,
> looking up the IP address you are connecting as should lead to that
> name (and if that's not possible, for some unknowable reason... The MX
> pointed to for example.net should be the hostname you helo as...).
> 
> > If the MailScanner machine is on the internal network, as in not in a
> > DMZ, and the host name does not end in the domain name, how does one set it up?
> > Host names end in host.domain.local.
> 
> Thing is that .local isn't a top level domain that you should
> "spread" to the internet. If one were to try to reach your host from the
> internet, one would look up the MX for your domain, and go to that
> address... What that host "thinks" it is named is pretty irrelevant,
> as long as it answers in accordance to the _public_ DNS settings. So
> in your case, you have a _private_ DNS setup that is geared toward a
> (broken IMO) AD setup (the gospel according to M$... Sigh), and a
> _public_ DNS entry for your MX gateway. This type of "split view" is
> rather common. One might opt for not confusing oneself by not having
> two separate naming spaces, but rather the same names, but different
> views instead (much better:-).
> 
> > Does the host name just need to be changed to host.domain.com? That
> > would seemingly cause problems communicating with the internal machines,
> > or would it?
> 
> Not really, no. It all depends on how you do things:-). As long as you
> can find your way to MS-exchange.example.local (and the other way
> around) and you have setup trusts etc, you should be fine.
> 
> > So if the host name is mailscanner.domain.com, Then the reverse dns
> > should be mailscanner.domain.com right?  Sounds right to me.
> >
> > What happens when the reverse DNS is mailscanner.domain.com but the
> > actual host name is mailscanner.domain.local?
> 
> As long as you set it up to accept for the domains involved, I see no
> real problem. Handling a true split view DNS setup is rather more easy
> than the .local idiocy... At least to my eyes:-).
> 
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --

Ok, thank you for the answer. One more thing and it will be clear to me,
I believe.  Is it best practice then to have all internal hosts that are
behind the firewall named something like:
XPclient1.domain.com
XPclient2.domain.com
Etc.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
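Glenn's point above (the HELO name, the connecting IP's PTR record and, as a fallback, the published MX should agree) as an added offline example; this is not code from the thread or from MailScanner. The `Zone` class, `check_helo` and the 192.0.2.x records are constructed for illustration, standing in for the resolver queries a receiving MTA would actually make.

```python
from dataclasses import dataclass


@dataclass
class Zone:
    """Constructed DNS view (stands in for a real resolver in this example)."""
    a: dict    # hostname -> IPv4 address
    ptr: dict  # IPv4 address -> hostname
    mx: dict   # domain -> list of MX hostnames


def helo_domain(helo: str) -> str:
    """Strip the host label: mailscanner.example.com -> example.com."""
    return helo.split(".", 1)[1] if "." in helo else helo


def check_helo(zone: Zone, helo: str, ip: str):
    """Classify a host that said HELO <helo> while connecting from <ip>.

    pass: helo -> A -> ip and ip -> PTR -> helo agree (forward-confirmed rDNS).
    weak: rDNS disagrees, but helo is a published MX for its domain (the
          fallback the wiki text allows).
    fail: neither holds, or helo sits in a non-public zone such as .local.
    Returns (verdict, list of reasons).
    """
    helo = helo.lower().rstrip(".")
    reasons = []
    if helo.endswith(".local"):
        reasons.append(".local is not a public TLD; receivers cannot resolve it")
    fwd = zone.a.get(helo)
    if fwd is None:
        reasons.append(f"no A record for HELO name {helo}")
    elif fwd != ip:
        reasons.append(f"{helo} resolves to {fwd}, not to connecting IP {ip}")
    rev = zone.ptr.get(ip)
    if rev is None:
        reasons.append(f"no PTR record for {ip}")
    elif rev.lower().rstrip(".") != helo:
        reasons.append(f"PTR for {ip} is {rev}, which does not match HELO")
    if not reasons:
        return "pass", reasons
    published = [m.lower().rstrip(".") for m in zone.mx.get(helo_domain(helo), [])]
    return ("weak" if helo in published else "fail"), reasons


# Constructed records: one gateway set up as the wiki recommends, one
# listed as MX but whose PTR points at a different name.
ZONE = Zone(
    a={"mailscanner.example.com": "192.0.2.25", "mx2.example.com": "192.0.2.26"},
    ptr={"192.0.2.25": "mailscanner.example.com", "192.0.2.26": "gw.example.com"},
    mx={"example.com": ["mailscanner.example.com", "mx2.example.com"]},
)
```

Calling `check_helo(ZONE, "mailscanner.example.local", "192.0.2.25")` shows why the internal .local name cannot be what the gateway says in HELO: it has no public A record, the PTR names the .com host, and no MX for example.local exists to fall back on.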
