[67342] in North American Network Operators' Group
Re: question on ptr rr
daemon@ATHENA.MIT.EDU (Andrew - Supernews)
Sun Feb 8 17:48:18 2004
To: nanog@merit.edu
In-Reply-To: <20040208215943.GB1381295@hiwaay.net> (Chris Adams's message of
"Sun, 8 Feb 2004 15:59:43 -0600")
Date: Sun, 08 Feb 2004 22:44:15 +0000
From: "Andrew - Supernews" <andrew@supernews.net>
Errors-To: owner-nanog-outgoing@merit.edu
>>>>> "Chris" == Chris Adams <cmadams@hiwaay.net> writes:
> Once upon a time, Andrew - Supernews <andrew@supernews.net> said:
>> If you're going to get picky about HELO names, then it's better to
>> require that the HELO has an A record pointing to the connecting IP,
>> rather than look at PTR.
Chris> That isn't necessarily a good test;
There _is_ no good test, which is one reason why the RFC says
unequivocally "don't do that".
Chris> for example, we've got a couple of servers in a cluster. One
Chris> IP pointed at the cluster is mail.hiwaay.net, and that is what
Chris> is used in HELO/EHLO when making outbound connections, but the
Chris> connections don't come from that IP. They come from the
Chris> cluster member's IP so that when we get a complaint with
Chris> sending IP, we don't have to look through the logs for the
Chris> whole cluster to find the offender.
In that case you'll fail _any_ sort of verification on the HELO, so
it doesn't really matter whether the recipient uses the PTR or the A
record.
--
Andrew, Supernews
http://www.supernews.com
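
An added example, not part of the original message: the two HELO checks discussed in this thread (A record of the HELO name versus PTR of the connecting IP), run against constructed DNS data so the outcomes can be compared. All names and addresses are made-up documentation values, and the cluster case assumes the member's PTR is its own host name.

```python
import ipaddress

# Constructed DNS data using documentation names/addresses; not real records.
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],    # cluster service address
    "node1.example.net": ["192.0.2.21"],   # cluster member
    "mx.example.org": ["198.51.100.5"],    # single host, forward and reverse agree
    "smtp.example.com": ["203.0.113.7"],   # forward set, reverse left at a provider name
}
PTR_RECORDS = {
    "192.0.2.21": ["node1.example.net"],
    "198.51.100.5": ["mx.example.org"],
    "203.0.113.7": ["host-7.provider.example"],
}

def _name(n):
    # DNS names compare case-insensitively; drop any trailing root dot.
    return n.rstrip(".").lower()

def _ip(a):
    # Canonical text form so equal addresses compare equal.
    return str(ipaddress.ip_address(a))

def helo_has_a_for_ip(helo, client_ip):
    """True if the HELO name has an A record equal to the connecting IP."""
    addrs = A_RECORDS.get(_name(helo), [])
    return _ip(client_ip) in {_ip(a) for a in addrs}

def ptr_names_helo(helo, client_ip):
    """True if a PTR record for the connecting IP equals the HELO name."""
    names = PTR_RECORDS.get(_ip(client_ip), [])
    return _name(helo) in {_name(n) for n in names}

def check_helo(helo, client_ip):
    """Run both checks and report each result separately."""
    return {"a": helo_has_a_for_ip(helo, client_ip),
            "ptr": ptr_names_helo(helo, client_ip)}

if __name__ == "__main__":
    cases = [("mx.example.org", "198.51.100.5"),
             ("smtp.example.com", "203.0.113.7"),
             ("mail.example.net", "192.0.2.21")]  # cluster: HELO is the service name
    for helo, ip in cases:
        print(helo, ip, check_helo(helo, ip))
```

The cluster case fails both checks, which is the situation described in the reply above; the second case shows the two checks disagreeing for the same connection.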