From: Steven F Siirila (sfs@tc.umn.edu)
Date: Tue Jul 03 2007 - 20:38:59 CDT
On Tue, Jul 03, 2007 at 06:24:47PM -0700, David H. Wolfskill wrote:
> On Tue, Jul 03, 2007 at 09:06:55PM -0400, Brock Palen wrote:
> >....
> >How much trouble will I have that the MX record for domain2.com point
> >to an A record and the reverse for that same ip be a different name.
> >Does this reek of spoofing?
> >
> >I have had no complaints for lost mail or users' mail being rejected
> >(or just disappearing). Per the comment about 'you have to play with
> >the big guys' Last thing I want to do is upset my users. Your much
> >more experienced input is requested.
> >Thank-you in advance.
>
> This may not qualify as relevant to "playing with the big guys," but one
> of my other roles is postmaster@FreeBSD.org, which uses Postfix in its
> email infrastructure.
>
> The salient requirements in place for mail to be accepted by
> mx1.freebsd.org are:
>
> * the IP address of the SMTP client must "reverse-resolve" to a
> hostname and
>
> * the hostname thus obtained must resolve to a set of IP addresses,
> one of which must match the IP address currently being used by
> the SMTP client and

The University of Minnesota requires the above two bullets as well, and
has done so since 2003. However, two points:

1) We return an encrypted URL to blocked originators to allow them to:
   a) determine why they were blocked and how they can get unblocked, and
   b) request a user-maintained whitelist entry from intended recipient

2) We maintain a systemwide whitelist, which in many cases is automatically
   updated by a pair of users (originator/recipient) who participate in a
   two-way exchange (1b above)

> * the (fully-qualified) hostname given in the SMTP conversation
> (either HELO or EHLO) must resolve to a set of IP addresses, one of
> which must match the IP address of the client.

We do not currently do this, but do other checks on the HELO (such as
examining the character set, checking for an FQDN, etc.)

> Note that this permits mail to be accepted even if the PTR record in
> the in-addr.arpa zone yields a hostname other than the one used by the
> SMTP client -- as long as the hostname obtained via the PTR record has
> an A record that is consistent with the PTR record, and as long as the
> SMTP client is reasonable about the hostname it announces in EHLO/HELO.
>
> [No, I can't claim credit for setting this up; that was done prior to
> my tenure with the FreeBSD project.]
>
> Peace,
> david (not writing on behalf of Trend Micro or anyone else)
> --
> David Wolfskill Trend Micro San Jose dhw@mail-abuse.org
> cell: (650) 400-2312 office: (408) 625-1076 or (408) 453-6277 x124
--
Steven F. Siirila Office: Lind Hall, Room 130B
Internet Services E-mail: sfs@umn.edu
Office of Information Technology Voice: (612) 626-0244
University of Minnesota Fax: (612) 626-7593
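
The three acceptance checks listed in the quoted message (PTR exists, PTR hostname resolves back to the client IP, HELO/EHLO hostname resolves to the client IP), written out as an added example; it is not part of the original message and is not the configuration of either site. The function names, the injectable `ptr`/`addrs` resolvers and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import socket

def _ptr(ip):  # PTR lookup through the system resolver
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def _addrs(host):  # A/AAAA lookup through the system resolver
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def _matches(ip, addrs):
    """True if any resolved address equals the client IP (compared as parsed addresses)."""
    target = ipaddress.ip_address(ip)
    for a in addrs:
        try:
            if ipaddress.ip_address(a) == target:
                return True
        except ValueError:  # skip anything that is not a parsable address
            continue
    return False

def check_client(ip, helo, ptr=_ptr, addrs=_addrs):
    """Apply the three checks from the quoted list; return (accepted, reason)."""
    names = ptr(ip)
    if not names:
        return False, "client IP has no PTR record"
    if not any(_matches(ip, addrs(n)) for n in names):
        return False, "PTR hostname does not resolve back to client IP"
    helo = helo.rstrip(".").lower()
    if "." not in helo:
        return False, "HELO name is not fully qualified"
    if not _matches(ip, addrs(helo)):
        return False, "HELO hostname does not resolve to client IP"
    return True, "ok"

# Constructed sample data (documentation address ranges), standing in for DNS.
PTR = {"192.0.2.10": ["mail.domain1.example"], "192.0.2.20": ["host20.isp.example"]}
A = {"mail.domain1.example": {"192.0.2.10"}, "mx.domain2.example": {"192.0.2.10"},
     "host20.isp.example": {"198.51.100.7"}, "mail.spoof.example": {"192.0.2.20"}}

def demo(ip, helo):
    return check_client(ip, helo, lambda i: PTR.get(i, []), lambda h: A.get(h, set()))
```

`demo("192.0.2.10", "mx.domain2.example")` is the situation asked about in the thread: the PTR name differs from the name the client announces, yet the client is accepted because both names resolve to its address.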