Forum OpenACS Q&A: re: reverse DNS for openacs.org

Today I spent some time locking down my mail servers even further in an attempt to cut down on spam.

It appears that the notifications for openacs.org will not work properly due to an error in DNS for openforce.net (which hosts the openacs.org system).

The Postfix mail server error is:

postfix/smtpd[9169]: reject: RCPT from unknown[208.184.248.88]: 450 Client host rejected: cannot find your hostname, [208.184.248.88]; from=<bounce-87459-2960@openacs.org> to=<patrick@zill.net>

Apparently the server advertises itself as being 208.184.248.88.openforce.net; yet, if you try to ping this hostname you get a host unknown error.

From what I can tell, simply changing the DNS to add an A record for 208.184.248.88.openforce.net pointing to 208.184.248.88 will work.  It seems that the reverse DNS is set up properly (PTR record), but not the A record.

Posted by Mike Sisk on
It's possible Openforce fixed the problem, but it looks like a DNS resolution error on your end.

Basically, your SMTPD is saying it couldn't do a reverse lookup on 208.184.248.88, which for me at the moment does resolve.

If you're trying to get Postfix to run in a chrooted environment, I hear you have to take extra steps to get reverse DNS lookup to work.

Also, be aware that if you reject mail from servers that don't have a reverse lookup in DNS you're going to reject a lot of legit email along with the SPAM. It's a sad fact that many networks have broken reverse DNS delegation.

Posted by David Walker on
I am seeing the same problem.

Reverse lookup identifies 208.184.248.88 as 208.184.248.88.openforce.net

Forward lookup for 208.184.248.88.openforce.net fails to resolve.

Posted by Mike Sisk on
A forward record and a reverse record don't have to match.

Think of the situation where one IP address is virtually hosting 4 domains.

Each domain record will have an A record associated with it, all pointing to the same IP address. But, that IP address can only have one reverse record.

Posted by Jim Lynch on
But that's not what this problem is... the problem here is lack of an A record, which you probably should have.
Posted by Mike Sisk on
Actually, there is an A record:
[root@ns1 named]# host openacs.org
openacs.org has address 208.184.248.88
And a PTR record:
[root@ns1 named]# host 208.184.248.88
88.248.184.208.in-addr.arpa domain name pointer 208.184.248.88.openforce.net.
But there's no A record for the hostname returned by the PTR:
[root@ns1 named]# host 208.184.248.88.openforce.net
Host 208.184.248.88.openforce.net not found: 3(NXDOMAIN)
The real problem is the hostname returned by the PTR doesn't have an A record associated with it (as you say). But that's a common situation. Heck, my own DNS has some placeholder PTR records such as this.

I agree it's a good idea to have a match between the A record and the hostname returned by the PTR record. But in reality, if you're doing email verification checks by making sure the PTR matches the A (as resolved by the SMTPD HELO/EHLO) you're gonna reject a lot of legit email; lots of folks have broken reverse DNS.
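The three lookups in the post above (IP to PTR, PTR name to A, does the A contain the original IP) are exactly the forward-confirmed reverse DNS (FCrDNS) test that produces the 450 "cannot find your hostname" reply in the original log line. The script below is an added example, not code from the thread or from Postfix; it reproduces the check against a constructed in-memory DNS table modelled on the records quoted above (the PTR for 208.184.248.88 exists, but the name it returns has no A record), plus two hypothetical hosts under 192.0.2.0/24 for the "good" and "mismatch" cases. The `would_reject` helper mirrors the difference between two real Postfix restrictions: `reject_unknown_client_hostname` rejects when any of the three steps fails, while `reject_unknown_reverse_client_hostname` rejects only when the PTR lookup itself fails. The `live_ptr`/`live_a` functions use the system resolver and are only there for running the same check against real hosts.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as done by an SMTP server.

Added example for the thread above; the DNS tables are constructed test data,
not a live zone.  Only the 208.184.248.88 / openacs.org entries come from the
records quoted in the thread; the 192.0.2.x and 203.0.113.x hosts are made up.
"""
import socket
from typing import Callable, List, Optional

# Constructed reverse zone: IP -> PTR target.
PTR_TABLE = {
    "208.184.248.88": "208.184.248.88.openforce.net",  # from the thread
    "192.0.2.10": "mail.example.net",  # hypothetical: forward matches
    "192.0.2.20": "mx.example.org",    # hypothetical: forward points elsewhere
}

# Constructed forward zones: name -> A records.  Note that several names share
# 192.0.2.10 (the "virtual hosting" case raised above); FCrDNS only requires
# that the PTR *target* resolve back to the IP, not that every A record match.
A_TABLE = {
    "openacs.org": ["208.184.248.88"],  # from the thread
    # deliberately no entry for 208.184.248.88.openforce.net (NXDOMAIN)
    "mail.example.net": ["192.0.2.10"],
    "www.example.net": ["192.0.2.10"],
    "mx.example.org": ["203.0.113.5"],
}

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def table_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return PTR_TABLE.get(ip)


def table_a(name: str) -> List[str]:
    """A lookup against the constructed table; [] plays the role of NXDOMAIN."""
    return A_TABLE.get(name, [])


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror both derive from OSError
        return None


def live_a(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver (network access required)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns_status(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> str:
    """Classify a client IP exactly as the three-step check does.

    Returns one of:
      'no_ptr'   - the IP has no PTR record at all
      'ptr_no_a' - the PTR target does not resolve (the openacs.org case)
      'mismatch' - the PTR target resolves, but not back to this IP
      'ok'       - forward-confirmed
    """
    name = ptr_lookup(ip)
    if name is None:
        return "no_ptr"
    addrs = a_lookup(name)
    if not addrs:
        return "ptr_no_a"
    if ip not in addrs:
        return "mismatch"
    return "ok"


def would_reject(ip: str, policy: str,
                 ptr_lookup: PtrLookup = table_ptr,
                 a_lookup: ALookup = table_a) -> bool:
    """Decide as Postfix would under the two client-hostname restrictions.

    policy='full'    mirrors reject_unknown_client_hostname: any failure rejects.
    policy='reverse' mirrors reject_unknown_reverse_client_hostname: only a
                     missing PTR rejects, so the openacs.org case gets through.
    """
    status = fcrdns_status(ip, ptr_lookup, a_lookup)
    if policy == "full":
        return status != "ok"
    if policy == "reverse":
        return status == "no_ptr"
    raise ValueError("policy must be 'full' or 'reverse'")


if __name__ == "__main__":
    for client in ["208.184.248.88", "192.0.2.10", "192.0.2.20", "198.51.100.1"]:
        status = fcrdns_status(client, table_ptr, table_a)
        print(f"{client:16} {status:9} full={would_reject(client, 'full')} "
              f"reverse={would_reject(client, 'reverse')}")
```

Run it as-is to see the four outcomes against the constructed data; pass `live_ptr` and `live_a` instead of the table functions to test a real client address. The practical caveat from the thread is visible in the output: under the strict policy the openacs.org server is refused even though its PTR exists, while the reverse-only policy accepts it and still stops clients with no PTR at all.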

Posted by Jade Rubick on
Patrick, if you're interested in reducing spam, I recommend TMDA:

http://www.tmda.net

It's a server-side, open source, whitelist/blacklist solution (more whitelist than blacklist, but it's very clever in that there is an auto-whitelist facility).