Forum OpenACS Q&A: re: reverse DNS for

Today I spent some time locking down my mail servers even further in an attempt to cut down on spam.

It appears that the notifications for will not work properly due to an error in DNS for (which hosts the system).

The Postfix mail server error is:

postfix/smtpd[9169]: reject: RCPT from unknown[]: 450 Client host rejected: cannot find your hostname, []; from=<> to=<>

Apparently the server advertises itself as being ; yet, if you try to ping this hostname you get a host unknown error.

From what I can tell, simply changing the DNS to add an A record for pointing to -> will work. It seems that the reverse DNS is set up properly (PTR record), but not the A record.

Posted by Mike Sisk on
It's possible Openforce fixed the problem, but it looks like a DNS resolution error on your end.

Basically, your SMTPD is saying it couldn't do a reverse lookup on, which for me at the moment does resolve.

If you're trying to get Postfix to run in a chrooted environment, I hear you have to take extra steps to get reverse DNS lookup to work.

Also, be aware that if you reject mail from servers that don't have a reverse lookup in DNS you're going to reject a lot of legit email along with the SPAM. It's a sad fact that many networks have broken reverse DNS delegation.

Posted by David Walker on
I am seeing the same problem.

Reverse lookup identifies as

Forward lookup for fails to resolve.

Posted by Mike Sisk on
A forward record and a reverse record don't have to match.

Think of the situation where one IP address is virtually hosting 4 domains.

Each domain record will have an A record associated with it, all pointing to the same IP address. But, that IP address can only have one reverse record.

Posted by Jim Lynch on
But that's not what this problem is... the problem here is lack of an A record, which you probably should have.

Posted by Mike Sisk on
Actually, there is an A record:

[root@ns1 named]# host has address

And a PTR record:

[root@ns1 named]# host domain name pointer

But there's no A record for the hostname returned by the PTR:

[root@ns1 named]# host
Host not found: 3(NXDOMAIN)

The real problem is the hostname returned by the PTR doesn't have an A record associated with it (as you say). But that's a common situation. Heck, my own DNS has some placeholder PTR records such as this.

I agree it's a good idea to have a match between the A record and the hostname returned by the PTR record. But in reality, if you're doing email verification checks by making sure the PTR matches the A (as resolved by the SMTPD HELO/EHLO) you're gonna reject a lot of legit email--lots of folks have broken reverse DNS.
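Added example, not code from the thread, OpenACS or Postfix: the forward-confirmed reverse DNS check that Postfix's reject_unknown_client_hostname restriction performs (the client IP has a PTR, the PTR's name has an A record, and one of those A records is the client IP), run against a constructed in-memory zone so the cases discussed above sit side by side: no PTR at all, a PTR naming a host with no A record (the situation Mike diagnoses with host), and a PTR whose name resolves to a different address. Mike's virtual-hosting case is also in the data: several names share one address, and the check still passes because only the single PTR name has to resolve back to the client IP. All names and addresses are made up (RFC 5737 documentation ranges) and are not the hosts the posters are talking about.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over a constructed, in-memory
zone.  Added example for this thread; every name and address below is made up
(RFC 5737 documentation ranges) and is not a host the posters discuss."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed reverse zone: client IP -> name returned by its PTR record.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",         # PTR name has a matching A record
    "192.0.2.20": "placeholder.example.net",  # PTR name has no A record (the thread's case)
    "192.0.2.30": "lie.example.net",          # PTR name's A record points elsewhere
    # 192.0.2.40 deliberately has no PTR record at all
}

# Constructed forward zones: name -> A records.  Several names share
# 192.0.2.10 (virtual hosting); only one of them is what the PTR names.
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "www.example.org": ["192.0.2.10"],
    "www.example.com": ["192.0.2.10"],
    "lie.example.net": ["198.51.100.5"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the constructed zone; None on NXDOMAIN."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> list[str]:
    """Stand-in for an A query against the constructed zone; [] on NXDOMAIN."""
    return A_RECORDS.get(name, [])


@dataclass
class Verdict:
    ok: bool
    hostname: str   # what smtpd logs for the client: its name, or "unknown"
    reason: str


def fcrdns(ip: str,
           ptr: Callable[[str], Optional[str]] = lookup_ptr,
           a: Callable[[str], list[str]] = lookup_a) -> Verdict:
    """Three-step check: a PTR exists, its name has A records, one of them is ip."""
    name = ptr(ip)
    if name is None:
        return Verdict(False, "unknown", f"no PTR record for {ip}")
    addrs = a(name)
    if not addrs:
        return Verdict(False, "unknown", f"PTR names {name}, which has no A record")
    if ip not in addrs:
        return Verdict(False, "unknown", f"{name} resolves to {addrs}, not {ip}")
    return Verdict(True, name, "PTR and A agree")


def smtpd_reject_line(ip: str, sender: str, rcpt: str,
                      reject_code: int = 450) -> Optional[str]:
    """Return the reject line a failing client would produce (shape copied from
    the thread's log excerpt; 450 is Postfix's default unknown_client_reject_code),
    or None when the client passes the check."""
    verdict = fcrdns(ip)
    if verdict.ok:
        return None
    return (f"reject: RCPT from unknown[{ip}]: {reject_code} Client host rejected: "
            f"cannot find your hostname, [{ip}]; from=<{sender}> to=<{rcpt}>")


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        v = fcrdns(client)
        print(f"{client:<12} {'PASS' if v.ok else 'FAIL':<4} {v.hostname:<24} {v.reason}")
```

The 192.0.2.20 row is the placeholder-PTR situation described above: a PTR exists, so a plain reverse lookup succeeds, but the check still fails because the name it returns has no A record. Mike's caveat about rejecting legitimate mail can be measured before it is enforced: Postfix's warn_if_reject modifier (warn_if_reject reject_unknown_client_hostname) logs what would have been rejected without actually rejecting it, and reject_unknown_reverse_client_hostname is the weaker restriction that only requires the PTR record to exist, which a host in the placeholder.example.net situation would pass.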

Posted by Jade Rubick on
Patrick, if you're interested in reducing spam, I recommend TMDA:

It's a server-side, open source, whitelist/blacklist solution (more whitelist than blacklist, but it's very clever in that there is an auto-whitelist facility).