forward and reverse DNS (was: Please, talk me down.)
mysidia at gmail.com
Tue Oct 23 04:17:22 UTC 2012
On 10/22/12, Joe Abley <jabley at hopcount.ca> wrote:
> I will further note that just because dnsop can't agree on something doesn't
> mean that it's not worth agreeing on.
Some of the IETF WGs' members wouldn't be able to agree what color
the sky appears to be on a clear sunny day.
But it is common for MTAs to be configured to perform a check for
Forward-Confirmed DNS, similar to the iprev authentication mechanism
mentioned in RFC5451, except this is mandatory, and they refuse
Many popular anti-spam solutions are implementing this out of the box,
and common MTAs provide documentation recommending configurations
that implement constraints such as these:
1. If a 'HELO' or 'EHLO' message is received, and there is no
argument, the SMTP server will respond with a 5xx reject, even though
it is technically allowed to have a HELO/EHLO without a hostname.
2. If a 'HELO' or 'EHLO' message is received, the SMTP server
will begin a forward DNS lookup on the hostname presented in the
HELO/EHLO, and a reverse DNS lookup on the connecting IP; it may
initiate an outgoing connection to port 113 auth (Ident) on the
connecting IP, in order to ask for a username to insert in the message.
a. If the forward DNS check on the HELO name, or the PTR query on the
connecting IP, fails to get a response, HELO fails with a 4xx reject.
b. If either results in an NXDOMAIN response, HELO fails with a 5xx reject.
c. If both succeed, a forward DNS lookup is started for the name found
in the PTR response, with a 4xx reject upon lookup failure, or a 5xx
reject upon an NXDOMAIN response or a forward lookup response not
matching the IP address of the client.
o The "SMTP reject" might instead trigger a tarpitting mechanism.
Some implementations currently accept the HELO and delay the SMTP
reject by default until a later stage, such as RCPT TO, and/or
cache the reject decision, to reduce the impact of multiple
connection attempts.
3. If a 'RCPT TO' message is received, a 5xx SMTP error is sent,
unless a 'MAIL FROM' message has already been received and accepted,
and the mailbox is a known local mailbox.
4. If a 'MAIL FROM' message is received, a 5xx SMTP error is sent,
unless a 'HELO' or 'EHLO' message has already been received and
accepted. If the address referenced is not <>, then a DNS
request is sent for forward lookup of the domain in the MAIL FROM,
and an SPF query/policy test on the envelope from address. If there
is an SPF soft fail, a 4xx reject; SPF hard fail, or the domain does
not exist, an SMTP 5xx reject.
More information about the NANOG
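The HELO/EHLO forward-confirmed reverse DNS procedure in steps 1-2 and the command-ordering checks in steps 3-4 above, as an added example in Python that is not part of the original post and not any MTA's own code. It runs against a stub resolver with a constructed zone table (addresses from the RFC 5737 documentation ranges, hostnames made up for illustration), distinguishes a definite NXDOMAIN (5xx) from a lookup that gets no answer (4xx) the way the post does, and leaves out the SPF evaluation and the Ident lookup.

```python
# Added example (not from the NANOG post): FCrDNS check for HELO/EHLO plus the
# HELO -> MAIL FROM -> RCPT TO ordering gate, over a stub resolver.
from collections import namedtuple

class Nxdomain(Exception):    # definite "name does not exist": permanent, 5xx
    pass

class NoResponse(Exception):  # timeout / SERVFAIL: may succeed later, temporary, 4xx
    pass

# Constructed zone data (not real DNS), keyed by (owner name, record type).
ZONE = {
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    # PTR whose forward lookup points at a different address: not forward-confirmed
    ("26.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    # PTR whose target name does not exist at all
    ("27.2.0.192.in-addr.arpa", "PTR"): ["ghost.example.org"],
    ("example.net", "A"): ["192.0.2.80"],
}
# Names for which the simulated resolver never gets an answer.
TIMEOUTS = {"slow.example.com"}

def query(name, rtype):
    """Stub resolver: return the records, or raise Nxdomain / NoResponse."""
    name = name.lower().rstrip(".")
    if name in TIMEOUTS:
        raise NoResponse(name)
    try:
        return ZONE[(name, rtype)]
    except KeyError:
        raise Nxdomain(name) from None

def reverse_name(ipv4):
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa"""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

Reply = namedtuple("Reply", "code text")   # SMTP reply code and text

def check_helo(helo_arg, client_ip):
    """Steps 1 and 2: SMTP reply for a HELO/EHLO argument from client_ip."""
    if not helo_arg:                                   # step 1: empty argument
        return Reply(501, "HELO/EHLO requires a hostname")
    try:                                               # step 2: forward + reverse
        query(helo_arg, "A")
        ptr_targets = query(reverse_name(client_ip), "PTR")
    except NoResponse:                                 # 2a: no answer, retry later
        return Reply(450, "DNS lookup for HELO name or client PTR timed out")
    except Nxdomain:                                   # 2b: definite NXDOMAIN
        return Reply(550, "HELO name or client PTR does not exist")
    for target in ptr_targets:                         # 2c: forward-confirm the PTR
        try:
            addrs = query(target, "A")
        except NoResponse:
            return Reply(450, f"forward lookup of {target} timed out")
        except Nxdomain:
            return Reply(550, f"PTR target {target} does not exist")
        if client_ip in addrs:
            return Reply(250, f"{target} forward-confirms {client_ip}")
    return Reply(550, f"PTR target does not resolve back to {client_ip}")

class Session:
    """Steps 3 and 4: enforce HELO -> MAIL FROM -> RCPT TO ordering."""
    LOCAL_MAILBOXES = {"postmaster@example.net"}       # constructed local users

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.helo_ok = False
        self.mail_ok = False

    def helo(self, arg):
        reply = check_helo(arg, self.client_ip)
        self.helo_ok = reply.code == 250
        return reply

    def mail_from(self, sender):
        if not self.helo_ok:                           # step 4: needs an accepted HELO
            return Reply(503, "send HELO/EHLO first")
        if sender != "<>":                             # null sender is exempt
            domain = sender.strip("<>").rpartition("@")[2]
            try:
                query(domain, "A")                     # SPF evaluation omitted here
            except NoResponse:
                return Reply(450, f"cannot resolve {domain} right now")
            except Nxdomain:
                return Reply(550, f"sender domain {domain} does not exist")
        self.mail_ok = True
        return Reply(250, "sender ok")

    def rcpt_to(self, rcpt):
        if not self.mail_ok:                           # step 3: needs an accepted MAIL FROM
            return Reply(503, "send MAIL FROM first")
        if rcpt.strip("<>") not in self.LOCAL_MAILBOXES:
            return Reply(550, "unknown local mailbox")
        return Reply(250, "recipient ok")
```

With the constructed zone, check_helo("mail.example.net", "192.0.2.25") returns 250, the same HELO from 192.0.2.26 returns 550 because the PTR target resolves to a different address, and from 192.0.2.27 returns 550 because the PTR target has no A record; a HELO name in TIMEOUTS returns 450 so a legitimate sender with a flaky resolver retries instead of bouncing. Session answers 503 (a 5xx "bad sequence" reply) when MAIL FROM or RCPT TO arrives before the step it depends on.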