Slashdot Mirror


Are PTR Records Important?

erfmuffin asks: "I work for a medium-sized regional ISP. Recently we configured our email gateway to refuse connections to IP addresses that do not resolve (i.e., no reverse DNS). I am amazed at how many legitimate domains use mail servers with no PTR record! At the same time, we have avoided a great deal of junk mail in one swoop. Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs? Should all legitimate mail servers have valid PTR records or has the world become too lazy to make email delivery easier?"

7 of 138 comments

  1. The answer is "no" by Anonymous Coward · · Score: 5, Interesting

    "Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs?"

    No. Why? Let's look at this philosophically.

    The purpose of email is to facilitate communication. That's it. One person sends an email to another with the intention that the message be received and read. The sender implicitly assumes that the message will, in fact, be received by the recipient, because the email system is based around that assumption. If the system works correctly, your mail will be delivered.

    Any failure to deliver mail is a failure of the system. Period. The system exists to put mail in mailboxes, not to selectively put mail in mailboxes.

    Now, spam. Spam is a problem, sure. It's not nearly as big a problem as a few people seem to think it is, but it's a problem. But the correct solution to the problem of nuisance mail is not to break the implied contract between the sender and the mail system as a whole. "Your mail will be delivered to its recipient." That's the implied contract. (I'm speaking metaphorically. There's no actual contract here, of course.) Anything that bolts on an "except" or "unless" to that implied contract is a bug, not a feature.

    Now, in my opinion the correct way to deal with spam is to filter it on the receiving end. All mail should be delivered, but the recipient's automation may choose to flag some messages based on their content or their envelope or whatever. Some carriers don't like this idea because it requires them to deal with mail that people don't generally want to read, but choosing not to deal with certain pieces of mail is far worse.

    That's the abstract argument. Here's the concrete one. If I send a piece of mail, I generally have no control whatsoever over, or even knowledge of, the bits and pieces that make up the delivery chain. My message leaves my computer and goes to an upstream server which then delivers it to another server, which then delivers it to the recipient. If that delivery process should fail because of the way the machines in the middle are configured, then that's going to be a problem for me. A very serious problem, over which I have absolutely no control.

    Look at it this way. Let's say the postal service institutes a new regulation that no letters will be delivered if they're picked up by a mail carrier in brown shoes. Okay? Only white-shoe-wearing mail carriers are authorized to pick up mail. The mailman who serves my neighborhood forgets to wear his white shoes tomorrow when he picks up my outgoing mail. He gets to the post office and is told, summarily, that none of the letters in his bag will be accepted for processing because he's wearing the wrong color shoes.

    How would I feel under those circumstances? Annoyed. Really annoyed. And so would all the other people on my block.

    People who manage email servers really need to adopt the mailman's philosophy: we don't care what the mail is. We deliver it. No matter what, if it's got adequate postage on it (which doesn't apply to email), we deliver it. Neither rain, nor sleet, nor dark of night... and so on.

    1. Re:The answer is "no" by Anonymous Coward · · Score: 1, Interesting

      "The same was once thought of having open relays, too. See how we changed our behavior with those?"

      Yes, and I think that's a giant step backwards. I'll give you an example. A coworker of mine used to carry a laptop. While at home, he would dial in to the Internet through Earthlink and send and receive email. In those cases, he had to send email through the Earthlink SMTP server, because outgoing SMTP connections from Earthlink were blocked. He couldn't connect to the company's SMTP server at all from his house.

      Back at the office, though, he was unable to send email through Earthlink's SMTP server, because it was set to reject any connection from outside the Earthlink network.

      So the net result is that my coworker had to go in to twiddle with his email settings every time he came into the office and every time he went home.

      Now, sure, it would be nice if the OS provided a facility for doing this for him. I think Mac OS X's Locations feature allows you to do this, but since I'm not laptop-enabled these days I don't know for sure, and I have no idea whether it's possible on Windows or not. But in a perfect world, it shouldn't even be necessary.

      It all goes back to that philosophy thing I talked about in my last post. The purpose of the email system is to DELIVER the mail, not to selectively reject mail based on various criteria that the sender usually has no control over. Filtering should only be done at the receiving end. In other words, the transport should be guaranteed to be reliable.

      Now, if you want to somehow modify the SMTP protocol itself so all connections have to be authenticated, then that's fine. But arbitrarily accepting or rejecting connections based on topology is a lousy idea.

  2. DUCK! QUICKLY by wowbagger · · Score: 4, Interesting

    You have suggested limiting Mr. 31337's ability to send any email he wants from his ub3rb0x3n without doing any real setup, like getting a proper reverse lookup established.

    FOR THE LOVE OF $DEITY MAN, DUCK AND COVER!

    You are about to be flamed by all the "How DARE you limit me! I have the $deity-given right to send email from ANYTHING, and YOU are wanting to RESTRICT IT! YOU BASTARD FASCIST COMMIE!" types.

    Personally, I would want my mail server configured to do something like this:

    Get Host's name as given in EHLO.
    Look that name up.
    if (IP address from DNS != IP address talking to me)
        Bugger off spammer
    endif
    reverse look up IP address talking to me
    if (name from DNS != name from EHLO)
        Look up name from DNS
        if (ip address from lookup != IP address talking to me)
            Bugger off spammer
        endif
    endif
    Accept mail.


    (It is assumed the "bugger off spammer" state is a terminal state).

    This way, even if your box's reverse lookup is foo.bar.baz.adsl.example.com rather than mybox.example.com, so long as foo.bar.baz.adsl.example.com resolves to your IP address you wouldn't be rejected.
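
The decision procedure from comment 2 above, written out as an added Python example (not code from the thread). It generalizes the pseudocode to names with several addresses or several PTR names and treats a missing PTR as a rejection; `check_client`, the resolver helpers and the sample zone are assumptions made for illustration.

```python
import socket

def norm(name):
    return name.rstrip(".").lower()

# Default lookups use the system resolver; a failed lookup counts as "no records".
def system_forward(name):
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def system_reverse(ip):
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary, *aliases]
    except OSError:
        return []

def check_client(client_ip, ehlo_name, forward=system_forward, reverse=system_reverse):
    """Return (accept, reason) for one SMTP client, following the comment's steps."""
    # 1. The EHLO name must resolve to the address that is talking to us.
    if client_ip not in forward(ehlo_name):
        return False, "EHLO name does not resolve to client IP"
    # 2. Reverse-resolve the client; a PTR equal to the EHLO name needs no more checks.
    ptr_names = [norm(n) for n in reverse(client_ip)]
    if norm(ehlo_name) in ptr_names:
        return True, "PTR matches EHLO name"
    # 3. Otherwise some PTR name must resolve back to the client (forward-confirmed).
    if any(client_ip in forward(n) for n in ptr_names):
        return True, "PTR differs from EHLO but resolves back to client IP"
    return False, ("PTR does not resolve back to client IP" if ptr_names
                   else "no PTR record")

# Constructed sample zone on documentation addresses, standing in for real DNS.
A = {"mybox.example.com": {"192.0.2.10"}, "foo.bar.baz.adsl.example.com": {"192.0.2.10"},
     "mail.example.net": {"192.0.2.20"}, "noptr.example.net": {"192.0.2.40"}}
PTR = {"192.0.2.10": ["foo.bar.baz.adsl.example.com"],
       "192.0.2.20": ["unrelated.example.org"]}  # this PTR name has no A record

def fake_forward(name):
    return A.get(norm(name), set())
def fake_reverse(ip):
    return PTR.get(ip, [])

if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.10", "mybox.example.com"), ("192.0.2.20", "mail.example.net"),
                     ("192.0.2.30", "mybox.example.com"), ("192.0.2.40", "noptr.example.net")]:
        print(ip, ehlo, check_client(ip, ehlo, fake_forward, fake_reverse))
```

The first sample client is the case the comment closes with: its PTR is an ISP-assigned name that differs from the EHLO name but resolves back to the same address, so it is accepted.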

  3. I agree in theory. by Deagol · · Score: 4, Interesting

    This topic has sparked much heated debate in the postfix mailing list. Two camps exist. The first is the stop-spam-at-all-costs group, and then there's the you-evil-bastard-that's-not-mandated-by-rfc crowd.

    Both have valid points.

    I once tried this restriction with my employer's email server (we host a handful of university domains). It was a complete failure. Not because it didn't stop spam (I was finding several thousand spams per day rejected -- a 75% reduction of mail let through!), but because there were so damned many legit domains that didn't play by these common sense rules which you seek to enforce.

    The overhead of me fielding complaints from my users was just too much. You'd think that the bloody sender would get the clue that it was a problem at his end (due to the bounce messages provided by postfix), but that just wasn't the case.

    So I turned off the rules. I did come up with a compromise (I use postfix, btw). For major domains that should know better, and are in fact configured correctly (aol, hotmail, msn, etc.), I add a line like "earthlink.com reject_unknown_client" in my file pointed to by the check_sender_access line in my main.cf file.

    Also, when I receive a piece of spam that gets through, I add the forged From: domain to that list if the connecting client was "unknown". I then add the "reject_unknown_client" restriction to the offending class-C in my check_client_access file in main.cf.

    This method catches quite a few (maybe 50%). I use a few free RBLs to catch maybe 45% more spams. That other 5% gets through, but I haven't had a single complaint from my users since beginning this practice. So we're all smiles here now.

    If and when I ever run my own email domains (business and personal), I will use all the rules postfix can enforce.

  4. Re:Your analogy is flawed by Anonymous Coward · · Score: 1, Interesting

    "What if the post office refused to deliver any mail that did not have a correct return address on it."

    If we were talking about valid return addresses, that would be fine. But we're not. We're talking about IP-address-to-name mappings, a feature of the IP system that computers themselves were never intended to make any real use of in the first place.

    Now, to extend the analogy to the breaking point, the post office does not verify that your return address is actually correct when it accepts your mail. It just requires that you have one. Of course, in the computer world we're not required to live with that limitation. If SMTP had a facility whereby senders' addresses were verified before mail was accepted, that would be just fine.

    Say I have a mail account, "foo@example.com." When I send an email, the conversation starts with MAIL FROM. At that point, the mail server (be it a relay or the destination itself) contacts example.com and asks if "foo@example.com" has an account there. If example.com says yes, the server accepts the message. If it says no, the message is rejected. If the server fails to contact example.com, it says "try again later."

    Now, that's not foolproof. It merely guarantees that mail can't be sent unless the return address actually exists; it doesn't promise that the mail being sent is actually from the address it purports to be from. There are ways around that, too. When I send an email, my mail program on my computer starts by contacting example.com via an authenticated connection and telling it that I'm about to send a message with this message digest: blah blah blah. It then contacts whatever upstream mail server I'm using (example.com or otherwise) and says, "MAIL FROM foo@example.com DIGEST blah blah blah" or whatever. The server (if it's not example.com itself) contacts example.com and says, "Did foo@example.com send a message with digest blah blah blah?" Example.com then checks its records and says, "Yup. Sure did." If the mail server is the destination server for the message, it then tells example.com, "Okay, I'm the recipient for this message. Delete your record of this message digest," and accepts the mail.

    This system would work far better than the proposed solutions because it would actually verify what we really care about: did the message come from who it purports to come from?
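
The digest handshake proposed in comment 4 above, simulated as an added Python example (not part of the thread). The class and function names, the HMAC standing in for the "authenticated connection", and all sample values are hypothetical.

```python
import hashlib, hmac

def proof_for(secret, digest):
    # Hypothetical stand-in for the "authenticated connection": HMAC under the account secret.
    return hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()

class HomeDomain:
    """The sender's own domain (example.com in the comment)."""
    def __init__(self, accounts, reachable=True):
        self.accounts = accounts      # address -> secret
        self.pending = set()          # (address, digest) announced, not yet delivered
        self.reachable = reachable

    def announce(self, address, digest, proof):
        secret = self.accounts.get(address)
        if secret is None or not hmac.compare_digest(proof_for(secret, digest), proof):
            return False
        self.pending.add((address, digest))
        return True

    def did_send(self, address, digest):
        if not self.reachable:
            raise ConnectionError("home domain unreachable")
        return (address, digest) in self.pending

    def delivered(self, address, digest):
        self.pending.discard((address, digest))

def on_mail_from(home, address, digest, final_destination):
    """Receiving server's answer to 'MAIL FROM <address> DIGEST <digest>'."""
    try:
        known = home.did_send(address, digest)
    except ConnectionError:
        return "try again later"
    if not known:
        return "reject"
    if final_destination:
        home.delivered(address, digest)  # destination asks the home domain to forget it
    return "accept"

def demo():
    secret = b"constructed-secret"       # constructed sample values throughout
    home = HomeDomain({"foo@example.com": secret})
    d = hashlib.sha256(b"constructed message body").hexdigest()
    home.announce("foo@example.com", d, proof_for(secret, d))
    return [on_mail_from(home, "foo@example.com", d, False),  # relay hop
            on_mail_from(home, "foo@example.com", d, True),   # destination
            on_mail_from(home, "foo@example.com", d, True),   # same digest replayed
            on_mail_from(home, "bar@example.com", d, True)]   # address that never announced
```

In `demo()` the relay hop and the destination both accept the message, while a replay of the same digest after delivery and a sender address that never announced it are rejected.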

  5. Re:No it wouldnt be better by Anonymous Coward · · Score: 1, Interesting

    "Your response appears to be 'Everyone should go out of their way to not need (X) anymore'."

    Yes, that's mostly right. But rather than saying, "everyone should go out of his way not to need X any more," I'm saying, "no one should go out of his way to require X." See the difference?

    No one should be required to change ISPs because somebody else set up a mail relay in such a way that it arbitrarily rejects messages based on PTR records.

  6. Re:The answer is "dumbass" by Harik · · Score: 2, Interesting

    "When you say, 'I only accept mail from properly configured mailservers,' what you're really saying is, 'I only accept mail from mailservers that are configured in the way that I want them to be.' There's no spec that says that mail servers shouldn't accept and relay mail. There's no spec that says mail servers must be resolvable by reverse DNS."

    You're right, I just pulled this right out of my ass as well. Nobody would bother to draft a best-current-practices about spam. And besides, it's only a request for comments, nobody needs to follow it.

    "These are things that, while they may or may not be wise or even reasonable, you just made up arbitrarily. Which is counter-productive and harmful."

    Ye gods. Yes, now following best practices is considered counter-productive and harmful. Are you SURE you're not a spammer or an idiot?

    This isn't the wild west. You don't just pick an IP address out of your ass, and twiddle random bits in packets and say "Hi! I'm sending email you must accept it because I'm so COOL!". There's a number of things you have to do, and it's all about being a responsible member of the internet community. As times change, so do the accepted best practices. This is why we don't relay mail for anyone anymore, because it's considered rude to let thugs use your house as a base to rob others.

    "Oh, blow it out your ass. The whole 'if you don't agree with me then you're either stupid or you have an agenda' thing is unbelievably childish. Accept, instead, that I'm simply a guy with a different opinion from yours."

    No, you're someone who doesn't even respect his own position enough to commit his name to it. This just stinks of spammers, who hardly ever use their real name. The only reason I'm even replying is that you have some grasp of the English language, which most ACs do not.

    "Well, two things. First, spam doesn't drown anybody out. All emails get the exact same attention when you read them. And secondly: huh? You have a... unique interpretation of freedom of speech."

    Not really. It's the difference between being allowed to talk to yourself in a closet and stand on common ground and tell other people what you believe. If we said "you can say anything you want, as long as nobody can hear you." how free is that? Either way, it's a side issue. The government isn't involved in this (yet).

    "Dude, why aren't you reading what I write? YES. Spam is a problem. It's just that blocking connections for reasons that are only circumstantially and tangentially related to spam is a WORSE problem. I really don't understand why you're not getting this. It's one thing for you to disagree with me. It's another thing entirely for you to completely misunderstand me. Get it?"

    I get what you're saying, it's just wrong. See, most spam comes from open relays or proxies. People who run those servers are directly contributing to spam. Why should I accept mail from a willing spammer accomplice? It's not THAT hard to lock down open relays. I've even got a box on my network that has to exist that has no anti-relay capabilities (UGH).... So I divert all inbound 25 traffic through a sendmail box first.

    If someone isn't willing to do their part to keep email a viable medium for communications, I'm not willing to listen to them. Is it such a hard concept?

    As for valid email from proxies/relays: No email should be coming out of a proxy server, open or otherwise. It's a hardware box, no mail queue, designed to cache webpages. Any email coming out of it is spam, period. For relays: While someone may be using the mailserver for legit mail, trust me. Once the spammers find it, that box is so slammed with spam it crashes and takes out any real email that would be going through it.