Are PTR Records Important?

erfmuffin asks: "I work for a medium-sized regional ISP. Recently we configured our email gateway to refuse connections to IP addresses that do not resolve (ie no reverse DNS). I am amazed at how many legitimate domains use mail servers with no PTR record! At the same time, we have avoided a great deal of junk mail in one swoop. Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs? Should all legitimate mail servers have valid PTR records or has the world become too lazy to make email delivery, easier?"

Yes and no.

[FreeLinux]

PTR records are not necessary. They are not required for the internet to work acceptably. But, PTR records do add considerable convenience to network operation and they are a part of the DNS standard specification so, they should be used.

The fact that mail systems that require PTR records before accepting mail significantly reduces spam is reason enough that PTR records should be required. I too experience a great deal of mail problems due to a lack of PTR records but, it is worth the effort to stick to this policy. If you don't have a PTR record, you can't send me mail!

Re:No it wouldnt be better

[Zeriel]

Doesn't your ISP have PTR records anyway, though? Even if it resolves to something like modem212-yourstate-yrcty.adelphia.com like my cable modem does, it's still a valid PTR record.

If your ISP doesn't do this, might I suggest shopping around for a new one?

I was under the impression the original question referred to completely nonexistent PTR records (that resolve to NXDOMAIN or similar).

The answer is "no"

Wouldn't it be better for mankind if all mail servers refused mail from non-resolvable IPs?

No. Why? Let's look at this philosophically.

The purpose of email is to facilitate communication. That's it. One person sends an email to another with the intention that the message be received and read. The sender implicitly assumes that the message will, in fact, be received by the recipient, because the email system is based around that assumption. If the system works correctly, your mail will be delivered.

Any failure to deliver mail is a failure of the system. Period. The system exists to put mail in mailboxes, not to selectively put mail in mailboxes.

Now, spam. Spam is a problem, sure. It's not nearly as big a problem as a few people seem to think it is, but it's a problem. But the correct solution to the problem of nuisance mail is not to break the implied contract between the sender and the mail system as a whole. "Your mail will be delivered to its recipient." That's the implied contract. (I'm speaking metaphorically. There's no actual contract here, of course.) Anything that bolts on an "except" or "unless" to that implied contract is a bug, not a feature.

Now, in my opinion the correct way to deal with spam is to filter it on the receiving end. All mail should be delivered, but the recipient's automation may choose to flag some messages based on their content or their envelope or whatever. Some carriers don't like this idea because it requires them to deal with mail that people don't generally want to read, but choosing not to deal with certain pieces of mail is far worse.

That's the abstract argument. Here's the concrete one. If I send a piece of mail, I generally have no control whatsoever over, or even knowledge of, the bits and pieces that make up the delivery chain. My message leaves my computer and goes to an upstream server which then delivers it to another server, which then delivers it to the recipient. If that delivery process should fail because of the way the machines in the middle are configured, then that's going to be a problem for me. A very serious problem, over which I have absolutely no control.

Look at it this way. Let's say the postal service institutes a new regulation that no letters will be delivered if they're picked up by a mail carrier in brown shoes. Okay? Only white-shoe-wearing mail carriers are authorized to pick up mail. The mailman who serves my neighborhood forgets to wear his white shoes tomorrow when he picks up my outgoing mail. He gets to the post office and is told, summarily, that none of the letters in his bag will be accepted for processing because he's wearing the wrong color shoes.

How would I feel under those circumstances? Annoyed. Really annoyed. And so would all the other people on my block.

People who manage email servers really need to adopt the mailman's philosophy: we don't care what the mail is. We deliver it. No matter what, if it's got adequate postage on it (which doesn't apply to email), we deliver it. Neither rain, nor sleet, nor dark of night... and so on.

DUCK! QUICKLY

[wowbagger]

You have suggested limiting Mr. 31337's ability to send any email he wants from his ub3rb0x3n without doing any real setup, like getting a proper reverse lookup established.

FOR THE LOVE OF $DEITY MAN, DUCK AND COVER!

You are about to be flamed by all the "How DARE you limit me! I have the $deity-given right to send email from ANYTHING, and YOU are wanting to RESTRICT IT! YOU BASTARD FACIST COMMIE!" types.

Personally, I would want my mail server configured to do something like this:

Get Host's name as given in EHLO.
Look that name up.
if (IP address from DNS != IP address talking to me)
Bugger off spammer
endif
reverse look up IP address talking to me
if (name from DNS != name from EHLO)
Look up name from DNS
if (ip address from lookup != IP address talking to me)
Bugger off spammer
endif
endif
Accept mail.


(It is assumed the "bugger off spammer" state is a terminal state).

This way, even if your box's reverse lookup is foo.bar.baz.adsl.example.com rather than mybox.example.com, so long as foo.bar.baz.adsl.example.com resolves to your IP address you wouldn't be rejected.

Yes, it has

[linuxwrangler]

...has the world become too lazy to make email delivery, easier?

I don't know of any specific RFC that requires reverse DNS for SMTP but the RFCs do require that the HELO/EHLO be 1) fully qualified and 2) resolvable.

I strongly recommend enforcing that rule even though you will be amazed at the number of mailservers that are not configured properly to follow this basic requirement of RFC2821.

Naturally it's not a bad idea to then look up the EHLO domain and make sure it resolves back to the connecting IP. Something like 25% of the mail I reject is rejected for greeting me with my own IP or hostname.

I agree in theory.

[Deagol]

This topic has sparked much heated debate in the postfix mailing list. Two camps exist. The first is the stop-spam-at-all-costs group, and then there's the you-evil-bastard-that's-not-mandated-by-rfc crowd.

Both have valid points.

I once tried this restriction with my employer's email server (we host a handful of university domains). It was a complete failure. Not because it didn't stop spam (I was finding several thousand spams per day rejected -- a 75% reduction of mail let through!), but because there were so damned many legit domains that didn't play by these common sense rules which you seek to enforce.

The overheard of me fielding complaints from my users was just too much. You'd think that the bloody sender would get the clue that it was a problem at his end (due to the bounce messages provided by postfix), but that just wasn't the case.

So I turned off the rules. I did come up with a compromize (I use postfix, btw). For major domains that should know better, and are in fact configured correctly (aol, hotmail, msn, etc.), I add a line like "earthlink.com reject_unknown_client" in my file pointed to by the check_sender_access line in my main.cf file.

Also, when I receive a piece of spam that gets through, I add the forged From: domain to that list if the connecting client was "unknown". I then add the "reject_unknown_client" restriction to the offending class-C in my check_client_access file in main.cf.

This method catches quite a few (maybe 50%). I use a few free RBLs to catch maybe 45% more spams. That other 5% gets through, but I haven't had a single complaint from my users since beginning this practice. So we're all smiles here now.

If and when I ever run my own email domains (business and personal), I will use all the rules postfix can enforce.

Re:No it wouldnt be better

[Harik]

People choose their ISP's for various reasons: price, quality of service, convenience. What kind of drangles they use on their gimlets should not be one of them.

Quite right! Who cares about standard things like DNS when you can just use WINS! Send packets to the broadcast address and hope the right machine responds.

Hell, people who want their ISP to support PPP or IPv4 are just being bitchy. Nobody needs more then IPX over SLIP anyway.

--Dan

Here's an even BETTER idea!

[Ashurbanipal]

Why not just refuse all messages that come from IP addresses that include the number 68?

I have analyzed the vast body of spam (for Bayes purposes) that has come through my mailservers over the last year or so, and I find that a lot of spam is sourced from IP addresses that include this number.

Sometimes it's x.x.68.x, sometimes it's x.n68.x.x, but that evil little 68 just keeps popping up!

According to my numbers, a greater amount of spam comes from IPs containing 68 or 24 than comes from domains with inconsistent PTRs.

So, using your own logic, I should just ban all IPs with 68 in them, and tell people with legitimate Email needs that they will have to find a new ISP.

To paraphrase a previous poster, "The fact that discarding mail from addresses containing the number 68 significantly reduces spam is reason enough that everyone should do so. I too will have to stop using a bunch of numbers I own but, it is worth the effort to stick to this policy. If you have a 68 in your IP, you can't send me mail!"

Note to moderators: Irony is not the same thing as flamebait...