Slashdot Mirror


Are PTR Records Important?

erfmuffin asks: "I work for a medium-sized regional ISP. Recently we configured our email gateway to refuse connections to IP addresses that do not resolve (ie no reverse DNS). I am amazed at how many legitimate domains use mail servers with no PTR record! At the same time, we have avoided a great deal of junk mail in one swoop. Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs? Should all legitimate mail servers have valid PTR records or has the world become too lazy to make email delivery, easier?"

21 of 138 comments

  1. Well by Joe the Lesser · · Score: 2, Funny

    They are certainly just as important as TPS reports, if not more so.

    Have you sent a memo?

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  2. Yes and no. by FreeLinux · · Score: 4, Informative

    PTR records are not necessary. They are not required for the internet to work acceptably. But, PTR records do add considerable convenience to network operation and they are a part of the DNS standard specification so, they should be used.

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required. I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy. If you don't have a PTR record, you can't send me mail!

    1. Re:Yes and no. by Anonymous Coward · · Score: 3, Insightful

      The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

      Hang on a second, I'm dizzy. Woo. That's one hell of a circular argument you've got there. I'm still trying to sort it out, but it seems like you might have actually made two full circuits of the argument in that one sentence. Wow.

      The implicit assumption behind all of that, though, is that stopping some spam is more important than delivering all legitimate mail. You say so yourself: "I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy." That's completely wrongheaded. Mail should be delivered. That's what it's for. Given the choice between receiving no spam and missing the occasional important email and receiving all spam and getting all my important emails, I would choose the latter any day of the week. And so would most reasonable people, I think. The inconvenience and annoyance of hitting that "delete" key every day is nothing compared to the inconvenience and annoyance of not being able to receive email from a friend or business associate.

    2. Re:Yes and no. by FreeLinux · · Score: 3, Informative

      That's completely wrongheaded. Mail should be delivered.

      I guess that you are entitled to your opinion but, I feel that the action is correct. The fact is that this policy works very well for me. The mail does go through, eventually.

      Here's how it works. A user tries to send a message to someone inside my company. The message fails, of course, because my mail server rejects the connection due to the lack of a PTR. After a few attempts the sender either calls their admin or the intended recipient, who then calls me. Either way, the admin and I talk. He/she says your mail server is broken. I say no, it isn't, yours is misconfigured. Try sending a message from your Yahoo account and you will find that it is delivered. He/she then says, so why can't I send any mails to your domain. I respond that it is because your DNS is misconfigured. Call your ISP and ask them to add a PTR record for your mail server and the mail will flow.

      Sometimes there is question about this along the lines of; well why can I send to these other domains? I explain that some administrators are willing to accept mail from misconfigured systems because there are so many of them and it makes the administrator's life easier. I then say; Trust me, call your ISP. It only takes a couple of minutes and you will never have to deal with this problem again.

      Typically, I get a thanks via email the next day. If they refuse to make the changes I point out to my user that they are receiving mail from everywhere else just fine and they can even send to this broken domain. Thus, our mail system is working correctly and the problem is at the far end. Done.

  3. The answer's pretty simple... by Zeriel · · Score: 2, Insightful

    If you refuse to accept mail without a valid PTR record, and that lowers your user's spam... I'd say PTR records are important. I know most systems I set up check that PTR and A/CNAME records match each other as a first step in determining whether the connection is trustworthy or not. Of course, if everyone did this we might see spammers/crackers setting up technically valid but wholly useless PTR records. At which point, who knows?

    --
    "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
  4. No it wouldnt be better by mnmn · · Score: 3, Insightful


    I host maybe 7 domains, an email server, and several other things from my dynamic-ip DSL connection. Have been maintaining it for over a year with reasonable uptimes. I can't have PTR records or reverse resolution to my domain... but I don't send spam.

    Many cottage-industry websites will be closed and not everyone can afford professional hosting services that use Jboss, postgresql, php4, ldap etc. Least fan sites that can make no money, and homepages.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:No it wouldnt be better by Zeriel · · Score: 4, Informative

      Doesn't your ISP have PTR records anyway, though? Even if it resolves to something like modem212-yourstate-yrcty.adelphia.com like my cable modem does, it's still a valid PTR record.

      If your ISP doesn't do this, might I suggest shopping around for a new one?

      I was under the impression the original question referred to completely nonexistent PTR records (that resolve to NXDOMAIN or similar).

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    2. Re:No it wouldnt be better by Harik · · Score: 4, Funny
      People choose their ISP's for various reasons: price, quality of service, convenience. What kind of drangles they use on their gimlets should not be one of them.
      Quite right! Who cares about standard things like DNS when you can just use WINS! Send packets to the broadcast address and hope the right machine responds.

      Hell, people who want their ISP to support PPP or IPv4 are just being bitchy. Nobody needs more than IPX over SLIP anyway.

      --Dan

  5. Discussion on spam, reverse DNS, etc. by knightwolf · · Score: 3, Informative
    You can find a small discussion of the topic on the Missouri Linux Users group - See this for a sample and just look for the "More spam" subject messages.

    There are a LOT of places though that don't set these records, and filtering out these sites will drop a LOT of emails that actually might be valid.

  6. The answer is "no" by Anonymous Coward · · Score: 5, Interesting

    Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs?

    No. Why? Let's look at this philosophically.

    The purpose of email is to facilitate communication. That's it. One person sends an email to another with the intention that the message be received and read. The sender implicitly assumes that the message will, in fact, be received by the recipient, because the email system is based around that assumption. If the system works correctly, your mail will be delivered.

    Any failure to deliver mail is a failure of the system. Period. The system exists to put mail in mailboxes, not to selectively put mail in mailboxes.

    Now, spam. Spam is a problem, sure. It's not nearly as big a problem as a few people seem to think it is, but it's a problem. But the correct solution to the problem of nuisance mail is not to break the implied contract between the sender and the mail system as a whole. "Your mail will be delivered to its recipient." That's the implied contract. (I'm speaking metaphorically. There's no actual contract here, of course.) Anything that bolts on an "except" or "unless" to that implied contract is a bug, not a feature.

    Now, in my opinion the correct way to deal with spam is to filter it on the receiving end. All mail should be delivered, but the recipient's automation may choose to flag some messages based on their content or their envelope or whatever. Some carriers don't like this idea because it requires them to deal with mail that people don't generally want to read, but choosing not to deal with certain pieces of mail is far worse.

    That's the abstract argument. Here's the concrete one. If I send a piece of mail, I generally have no control whatsoever over, or even knowledge of, the bits and pieces that make up the delivery chain. My message leaves my computer and goes to an upstream server which then delivers it to another server, which then delivers it to the recipient. If that delivery process should fail because of the way the machines in the middle are configured, then that's going to be a problem for me. A very serious problem, over which I have absolutely no control.

    Look at it this way. Let's say the postal service institutes a new regulation that no letters will be delivered if they're picked up by a mail carrier in brown shoes. Okay? Only white-shoe-wearing mail carriers are authorized to pick up mail. The mailman who serves my neighborhood forgets to wear his white shoes tomorrow when he picks up my outgoing mail. He gets to the post office and is told, summarily, that none of the letters in his bag will be accepted for processing because he's wearing the wrong color shoes.

    How would I feel under those circumstances? Annoyed. Really annoyed. And so would all the other people on my block.

    People who manage email servers really need to adopt the mailman's philosophy: we don't care what the mail is. We deliver it. No matter what, if it's got adequate postage on it (which doesn't apply to email), we deliver it. Neither rain, nor sleet, nor dark of night... and so on.

    1. Re:The answer is "no" by Deagol · · Score: 3, Insightful
      The purpose of email is to facilitate communication. That's it.

      The same was once thought of having open relays, too. See how we changed our behavior with those?

  7. DUCK! QUICKLY by wowbagger · · Score: 4, Interesting

    You have suggested limiting Mr. 31337's ability to send any email he wants from his ub3rb0x3n without doing any real setup, like getting a proper reverse lookup established.

    FOR THE LOVE OF $DEITY MAN, DUCK AND COVER!

    You are about to be flamed by all the "How DARE you limit me! I have the $deity-given right to send email from ANYTHING, and YOU are wanting to RESTRICT IT! YOU BASTARD FACIST COMMIE!" types.

    Personally, I would want my mail server configured to do something like this:

    Get Host's name as given in EHLO.
    Look that name up.
    if (IP address from DNS != IP address talking to me)
        Bugger off spammer
    endif
    reverse look up IP address talking to me
    if (name from DNS != name from EHLO)
        Look up name from DNS
        if (ip address from lookup != IP address talking to me)
            Bugger off spammer
        endif
    endif
    Accept mail.


    (It is assumed the "bugger off spammer" state is a terminal state).

    This way, even if your box's reverse lookup is foo.bar.baz.adsl.example.com rather than mybox.example.com, so long as foo.bar.baz.adsl.example.com resolves to your IP address you wouldn't be rejected.
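
The check sketched in the comment above, as an added Python example that is not part of the original post or of any mail server's own code. It follows the pseudocode step by step against a small constructed DNS table (all hostnames and RFC 5737 addresses are made up) and, for comparison, includes the looser "any PTR at all" policy from the original question. Rejecting when no PTR exists and testing membership across several A records are assumptions of this example.

```python
"""Connection-time DNS checks from the thread, run on constructed data."""

# Constructed sample zone data (RFC 5737 documentation addresses, not real hosts).
FORWARD = {                       # name -> set of A records
    "mail.example.com": {"192.0.2.10"},
    "mybox.example.org": {"192.0.2.20"},
    "foo.bar.baz.adsl.example.com": {"192.0.2.20"},
    "ok.example.net": {"192.0.2.30"},
    "elsewhere.example.net": {"198.51.100.5"},
    "noptr.example.com": {"192.0.2.40"},
}
REVERSE = {                       # IP -> PTR name (trailing dot as DNS returns it)
    "192.0.2.10": "mail.example.com.",
    "192.0.2.20": "foo.bar.baz.adsl.example.com.",
    "192.0.2.30": "elsewhere.example.net.",   # PTR exists, forward disagrees
}


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def lookup_a(name):
    """Forward lookup: all addresses for a name (empty set if none)."""
    return FORWARD.get(norm(name), set())


def lookup_ptr(ip):
    """Reverse lookup: normalized PTR name, or None when there is no record."""
    name = REVERSE.get(ip)
    return norm(name) if name else None


def has_ptr(client_ip):
    """Policy from the original question: any PTR record at all is enough."""
    return lookup_ptr(client_ip) is not None


def check_client(client_ip, ehlo):
    """Policy from the pseudocode above. Returns (accepted, reason)."""
    helo = norm(ehlo)
    # Step 1: the EHLO name must resolve to the connecting address.
    # A host may have several A records, so test membership, not equality.
    if client_ip not in lookup_a(helo):
        return False, "EHLO name does not resolve to client"
    # Step 2: reverse-resolve the connecting address.
    ptr = lookup_ptr(client_ip)
    if ptr is None:
        # The pseudocode leaves this case implicit; a failed lookup can never
        # match the client address, so this example rejects (assumption).
        return False, "no PTR record"
    # Step 3: a PTR that differs from EHLO is fine if it maps back to the client.
    if ptr != helo and client_ip not in lookup_a(ptr):
        return False, "PTR name does not resolve back to client"
    return True, "ok"


if __name__ == "__main__":
    for ip, ehlo in [
        ("192.0.2.10", "mail.example.com"),
        ("192.0.2.20", "mybox.example.org"),
        ("192.0.2.30", "ok.example.net"),
        ("192.0.2.40", "noptr.example.com"),
    ]:
        print(ip, ehlo, "has_ptr=%s" % has_ptr(ip), check_client(ip, ehlo))
```

Against live DNS, `lookup_a` and `lookup_ptr` would wrap `socket.getaddrinfo` and `socket.gethostbyaddr` in place of the two tables.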

  8. Yes, it has by linuxwrangler · · Score: 4, Informative
    ...has the world become too lazy to make email delivery, easier?

    I don't know of any specific RFC that requires reverse DNS for SMTP but the RFCs do require that the HELO/EHLO be 1) fully qualified and 2) resolvable.

    I strongly recommend enforcing that rule even though you will be amazed at the number of mailservers that are not configured properly to follow this basic requirement of RFC2821.

    Naturally it's not a bad idea to then look up the EHLO domain and make sure it resolves back to the connecting IP. Something like 25% of the mail I reject is rejected for greeting me with my own IP or hostname.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  9. I agree in theory. by Deagol · · Score: 4, Interesting
    This topic has sparked much heated debate in the postfix mailing list. Two camps exist. The first is the stop-spam-at-all-costs group, and then there's the you-evil-bastard-that's-not-mandated-by-rfc crowd.

    Both have valid points.

    I once tried this restriction with my employer's email server (we host a handful of university domains). It was a complete failure. Not because it didn't stop spam (I was finding several thousand spams per day rejected -- a 75% reduction of mail let through!), but because there were so damned many legit domains that didn't play by these common sense rules which you seek to enforce.

    The overhead of me fielding complaints from my users was just too much. You'd think that the bloody sender would get the clue that it was a problem at his end (due to the bounce messages provided by postfix), but that just wasn't the case.

    So I turned off the rules. I did come up with a compromise (I use postfix, btw). For major domains that should know better, and are in fact configured correctly (aol, hotmail, msn, etc.), I add a line like "earthlink.com reject_unknown_client" in my file pointed to by the check_sender_access line in my main.cf file.

    Also, when I receive a piece of spam that gets through, I add the forged From: domain to that list if the connecting client was "unknown". I then add the "reject_unknown_client" restriction to the offending class-C in my check_client_access file in main.cf.

    This method catches quite a few (maybe 50%). I use a few free RBLs to catch maybe 45% more spams. That other 5% gets through, but I haven't had a single complaint from my users since beginning this practice. So we're all smiles here now.

    If and when I ever run my own email domains (business and personal), I will use all the rules postfix can enforce.

  10. PTRs should not be required by 0x0d0a · · Score: 2, Insightful

    The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required.

    And this is a short-term fix which produces long-term issues. You reduce spam for eighteen months, spammers start just going through PTR-listed servers, and you're back to square one...except now you're using a broken mail system. Or spammers buy a throwaway domain -- they buy throwaway accounts, and a throwaway domain is no more trouble.

    I personally run a mail server on my computer, and don't gateway mail it sends. That's the way email was designed to work, and still the way it works best. I think that's pretty legitimate. I get an immediate response when mail delivery fails, can set how long I want resends to be done, and don't have to remember to change my gateway when I move from home to college and back. I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.

    People requiring PTR records are running broken name servers. Most people that like this mindset -- restrict users for a short term gain -- have in my experience been fairly technically incompetent admins. Block everything except 80 TCP outbound, plop transparent proxies all over, try to convince people to use webmail, block mailservers...they see a short term gain. They aren't engineers, so to them, they've just "solved the problem". Then they wait a year, run into problems (people tunneling everything over 80 or setting up their own VPNs to get reasonable functionality, FTP to a similarly crippled site not working, etc), and try to find a policy-based, rather than a technical, solution. For the rest of the world, they're jerks with a bit of administrative power to abuse. IT people like this are easy to find -- they're the ones that the users resent, the ones that are making tasks more of a pain in the ass for core users, rather than easier.

    Just my two cents.

    1. Re:PTRs should not be required by Harik · · Score: 3, Informative
      I personally run a mail server on my computer, and don't gateway mail it sends. That's the way email was designed to work, and still the way it works best. I think that's pretty legitimate. I get an immediate response when mail delivery fails, can set how long I want resends to be done, and don't have to remember to change my gateway when I move from home to college and back. I have no reason to run out and buy a domain -- I don't have any reason to present a domain to the world.
      With all due respect, you're an idiot.

      Requiring a reverse DNS record isn't forcing you to go out and buy a domain, just to bitch at your ISP to give you a valid reverse DNS. It can be in your domain, or in theirs, it just has to exist.

      --Dan

  11. Re:Legitimate mail from unknown IPs by Polo · · Score: 2, Informative

    I think you just have to make sure the ptr record resolves to SOMETHING, not necessarily the same thing as the A record.

    By this I mean:

    1) your company is called company.com and sends mail from either your old mailserver 4.5.6.7 or your new mailserver 1.2.3.4

    2) your shiny new mailserver's ip address may reverse lookup from 1.2.3.4 to t1-65.gateway4.myisp.com.

    Your ISP probably does this for you already.

    3) you could have t1-65.gateway4.myisp.com resolve to 1.2.3.4.

    I don't even know if 3 matching 2 is necessary.

    The IP address of "company.com" doesn't have to be associated with 4.5.6.7 or 1.2.3.4.

    However, if your mail server 1.2.3.4 is sending mail to someone, they should be able to reverse lookup 1.2.3.4 and get something.

    If they take it one additional step, the something might need to forward lookup to 1.2.3.4.

  12. Re:Setting up postfix to do this? by Deagol · · Score: 2, Informative
    I don't have the link, but search for the homepage of Ralph Hillendrandt (possible mis-spelling). He's a postfix guru who frequently posts to the postfix list. His homepage is chock full of sample configs.

    Also, the sample configs provided in the postfix distribution are a great resource. I haven't found a good definitive list of all postfix parameters and what they do in an easy-to-browse form. For now, we're stuck with trudging through the postfix documentation.

  13. Here's an even BETTER idea! by Ashurbanipal · · Score: 4, Funny

    Why not just refuse all messages that come from IP addresses that include the number 68?

    I have analyzed the vast body of spam (for Bayes purposes) that has come through my mailservers over the last year or so, and I find that a lot of spam is sourced from IP addresses that include this number.

    Sometimes it's x.x.68.x, sometimes it's x.n68.x.x, but that evil little 68 just keeps popping up!

    According to my numbers, a greater amount of spam comes from IPs containing 68 or 24 than comes from domains with inconsistent PTRs.

    So, using your own logic, I should just ban all IPs with 68 in them, and tell people with legitimate Email needs that they will have to find a new ISP.

    To paraphrase a previous poster, "The fact that discarding mail from addresses containing the number 68 significantly reduces spam is reason enough that everyone should do so. I too will have to stop using a bunch of numbers I own but, it is worth the effort to stick to this policy. If you have a 68 in your IP, you can't send me mail!"

    Note to moderators: Irony is not the same thing as flamebait...

  14. This for that by n1k0 · · Score: 2, Insightful

    This isn't an all-inclusive list of reasons for people's DNS habits, but in my experience these factors seem to be among the most prominent.

    1) DNS management is often delegated to the ISP. If that ISP develops such bad habits as ignoring customers' reverse DNS when making updates to forwards, they have a fleet of Internet users with no reverse DNS.

    2) IT personnel often don't have DNS authority for their IP addresses because it's not worth the hassle for ISPs to give their customers reverse authority for only a few IPs in a subnet. ISPs have varying degrees of friendliness for managing reverse DNS through customer support personnel or a website. For organizations that update DNS often, sometimes it isn't worth the hassle of dealing with the ISP at all.

    3) People are lazy and stupid, and reverse DNS doesn't typically affect our daily lives. Most yahoos barely understand DNS beyond pointing and clicking in the Microsoft DNS Server Console (which, ironically, will automatically update PTRs when you make changes to forwards if you so desire). These would be the same schmucks who list CNAMEs as mail exchangers.

    The moral of the story is: The number of legitimate email providers with invalid reverse DNS far outnumbers the number of spammers. This is ample reason to NOT refuse to accept mail that has inconsistent forward and reverse mappings.

    Consider your business customers; are they going to care about fighting spam when they can't receive email from contacts at other companies? Are they going to want to hear, 'Well tell the person that's trying to email you to fix their server'? I think not.

    It would be much different if you weren't an ISP, but I don't feel that the annoyance presented by spam is sufficient reason to effectively tell your customers that they can no longer receive email from a fair percentage of Internet hosts because there's a small chance that they might be spammers. There are effective ways to fight spam that don't inhibit the users' ability to receive legitimate email.

    -Nick

  15. Re:The answer is "dumbass" by Harik · · Score: 2, Interesting

    When you say, "I only accept mail from properly configured mailservers," what you're really saying is, "I only accept mail from mailservers that are configured in the way that I want them to be." There's no spec that says that mail servers shouldn't accept and relay mail. There's no spec that says mail servers must be resolvable by reverse DNS.
    You're right, I just pulled this right out of my ass as well. Nobody would bother to draft a best-current-practices about spam. And besides, it's only a request for comments, nobody needs to follow it.
    These are things that, while they may or may not be wise or even reasonable, you just made up arbitrarily. Which is counter-productive and harmful.
    Ye gods. Yes, now following best practices is considered counter-productive and harmful. Are you SURE you're not a spammer or an idiot?

    This isn't the wild west. You don't just pick an IP address out of your ass, and twiddle random bits in packets and say "Hi! I'm sending email you must accept it because I'm so COOL!". There's a number of things you have to do, and it's all about being a responsible member of the internet community. As times change, so do the accepted best practices. This is why we don't relay mail for anyone anymore, because it's considered rude to let thugs use your house as a base to rob others.

    Oh, blow it out your ass. The whole "if you don't agree with me then you're either stupid or you have an agenda" thing is unbelievably childish. Accept, instead, that I'm simply a guy with a different opinion from yours.
    No, you're someone who doesn't even respect his own position enough to commit his name to it. This just stinks of spammers, who hardly ever use their real name. The only reason I'm even replying is that you have some grasp of the English language, which most ACs do not.
    Well, two things. First, spam doesn't drown anybody out. All emails get the exact same attention when you read them. And secondly: huh? You have a... unique interpretation of freedom of speech.
    Not really. It's the difference between being allowed to talk to yourself in a closet and stand on common ground and tell other people what you believe. If we said "you can say anything you want, as long as nobody can hear you." how free is that? Either way, it's a side issue. The government isn't involved in this (yet).
    Dude, why aren't you reading what I write? YES. Spam is a problem. It's just that blocking connections for reasons that are only circumstantially and tangentially related to spam is a WORSE problem. I really don't understand why you're not getting this. It's one thing for you to disagree with me. It's another thing entirely for you to completely misunderstand me. Get it?

    I get what you're saying, it's just wrong. See, most spam comes from open relays or proxies. People who run those servers are directly contributing to spam. Why should I accept mail from a willing spammer accomplice? It's not THAT hard to lock down open relays. I've even got a box on my network that has to exist that has no anti-relay capabilities (UGH).... So I divert all inbound 25 traffic through a sendmail box first.

    If someone isn't willing to do their part to keep email a viable medium for communications, I'm not willing to listen to them. Is it such a hard concept?

    As for valid email from proxies/relays: No email should be coming out of a proxy server, open or otherwise. It's a hardware box, no mail queue, designed to cache webpages. Any email coming out of it is spam, period. For relays: While someone may be using the mailserver for legit mail, trust me. Once the spammers find it that box is so slammed with spam it crashes and takes out any real email that would be going through it.