Forum OpenACS Q&A: re: reverse DNS for openacs.org
It appears that the notifications for openacs.org will not work properly due to an error in DNS for openforce.net (which hosts the openacs.org system).
The Postfix mail server error is:
postfix/smtpd: reject: RCPT from unknown[220.127.116.11]: 450 Client host rejected: cannot find your hostname, [18.104.22.168]; from=<firstname.lastname@example.org> to=<email@example.com>
Apparently the server advertises itself as being 22.214.171.124.openforce.net; yet, if you try to ping this hostname you get a host unknown error.
From what I can tell, simply changing the DNS to add an A record for 126.96.36.199.openforce.net pointing to 188.8.131.52 will work. It seems that the reverse DNS is set up properly (PTR record), but not the A record.
Basically, your SMTPD is saying it couldn't do a reverse lookup on 184.108.40.206, which for me at the moment does resolve.
If you're trying to get Postfix to run in a chrooted environment, I hear you have to take extra steps to get reverse DNS lookup to work.
Also, be aware that if you reject mail from servers that don't have a reverse lookup in DNS you're going to reject a lot of legit email along with the SPAM. It's a sad fact that many networks have broken reverse DNS delegation.
Reverse lookup identifies 220.127.116.11 as 18.104.22.168.openforce.net
Forward lookup for 22.214.171.124.openforce.net fails to resolve.
Think of the situation where one IP address is virtually hosting 4 domains.
Each domain record will have an A record associated with it, all pointing to the same IP address. But, that IP address can only have one reverse record.
[root@ns1 named]# host openacs.org
openacs.org has address 126.96.36.199

And a PTR record:

[root@ns1 named]# host 188.8.131.52
184.108.40.206.in-addr.arpa domain name pointer 220.127.116.11.openforce.net.

But there's no A record for the hostname returned by the PTR:

[root@ns1 named]# host 18.104.22.168.openforce.net
Host 22.214.171.124.openforce.net not found: 3(NXDOMAIN)

The real problem is the hostname returned by the PTR doesn't have an A record associated with it (as you say). But that's a common situation. Heck, my own DNS has some placeholder PTR records such as this.
I agree it's a good idea to have a match between the A record for the hostname returned by the PTR record. But in reality, if you're doing email verification checks by making sure the PTR matches the A (as resolved by the SMTPD HELO/EHLO) you're gonna reject a lot of legit email--lots of folks have broken reverse DNS.
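To make the PTR-vs-A mismatch concrete, here is an added example (not code from this thread or from Postfix) of the forward-confirmed reverse DNS check that produces the "cannot find your hostname" 450 above, run against constructed zone data instead of live DNS. The example covers both the case in the thread (PTR exists, its hostname has no A record) and the virtual-hosting case from the earlier reply (four A records for one IP, but only one PTR); all names and addresses are placeholders, and the `strict` flag stands in for the difference between Postfix's `reject_unknown_client_hostname` and the more lenient `reject_unknown_reverse_client_hostname`.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check of the kind a Postfix smtpd
applies to a connecting client, run against constructed zone data."""
from typing import Dict, List, Optional, Tuple

# Constructed records standing in for live DNS: placeholder names and
# RFC 5737 documentation addresses, not the real openforce.net zone.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",   # PTR exists, but the name has no A record
    "192.0.2.20": "www1.example.org",   # one box virtually hosting four domains
}
A_RECORDS: Dict[str, List[str]] = {
    # "mail.example.net" is deliberately absent -> NXDOMAIN, as in the thread
    "www1.example.org": ["192.0.2.20"],
    "www2.example.org": ["192.0.2.20"],
    "shop.example.com": ["192.0.2.20"],
    "blog.example.net": ["192.0.2.20"],
}

def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)

def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def classify_client(ip: str) -> Tuple[str, str]:
    """'unknown': no PTR at all. 'unverified': PTR name has no A record, or
    its A records do not include ip. 'ok': forward-confirmed."""
    name = lookup_ptr(ip)
    if name is None:
        return "unknown", f"no PTR record for {ip}"
    addrs = lookup_a(name)
    if not addrs:
        return "unverified", f"PTR name {name} has no A record (NXDOMAIN)"
    if ip not in addrs:
        return "unverified", f"PTR name {name} resolves to {addrs}, not {ip}"
    return "ok", f"{ip} <-> {name} forward-confirmed"

def smtp_decision(ip: str, strict: bool) -> Optional[Tuple[int, str]]:
    """None means accept. strict=True requires full FCrDNS (PTR and matching A);
    strict=False only requires that some PTR exists. 450 is the temporary
    reject code seen in the log line from the thread."""
    verdict, reason = classify_client(ip)
    if verdict == "unknown" or (strict and verdict == "unverified"):
        return 450, f"Client host rejected: cannot find your hostname, [{ip}] ({reason})"
    return None
```

With the strict check, the first client is deferred exactly like openforce.net was, while the lenient check accepts it; the virtually hosted box passes both, because only one of its four names needs to be the PTR target.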
It's a server side, open source, whitelist/blacklist solution (more whitelist than blacklist, but it's very clever in that there is an auto-whitelist facility).