Re: FEATURE(`require_rdns') : 451 reaction to FORGED [WHY?]

---

• From: Andrzej Adam Filip <anfi@xxxxxxx>
• Date: Sat, 24 Mar 2007 09:07:24 +0100

---

Neil W Rickert <rickert+nn@xxxxxxxxxx> writes:

Andrzej Adam Filip <anfi@xxxxxxx> writes:

Why the feature sends back *temporary* reject when forward and reverse
lookups do not match? [FORGED]

IMHO In such situation sendmail should send permanent reject.
Am I wrong? [Have I missed something important?]

On a dual hosted system, it sometimes happens that the forward
lookup only returns one IP, and it might not be the IP that was
being checked in the reverse lookup.

This can happen when the A records for the two IP addresses have
different TTLs. In turn, that can happen when one of those A-records
came from the correct DNS server for the domain, and the other came
as a glue record from the root dns servers.

I don't know whether they have corrected this, but the host template
used for setting up DNS only had space for one IP, so it was near
impossible to get both IPs of a dual hosted system into those
glue records.

(I know this from personal experience).

I think current versions of bind software are less susceptible to
this problem, but it probably still happens with other DNS software.
DJB always argued against the bind implementation changes that make
it less susceptible.

Oh, I see [Some "other soft implementation details" can be important]

Judging by your explanation giving 5?? reply on FORGED may be asking for
troubles in some pretty common situations.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@xxxxxxxxxxxx : anfi@xxxxxxxx
Before You Ask: http://anfi.homeunix.net/sendmail/B4UAsk-Sendmail.html
http://anfi.homeunix.net/sendmail/ [orkut,linkedin,xing]
.

---

• References:
  • FEATURE(`require_rdns') : 451 reaction to FORGED [WHY?]
    • From: Andrzej Adam Filip
  • Re: FEATURE(`require_rdns') : 451 reaction to FORGED [WHY?]
    • From: Neil W Rickert

• Prev by Date: Re: FEATURE(`require_rdns') : 451 reaction to FORGED [WHY?]
• Next by Date: Move queue
• Previous by thread: Re: FEATURE(`require_rdns') : 451 reaction to FORGED [WHY?]
• Next by thread: TLS by Domain
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: FEATURE(`require_rdns) : 451 reaction to FORGED [WHY?] ... On a dual hosted system, it sometimes happens that the forward ... being checked in the reverse lookup. ... came from the correct DNS server for the domain, ... as a glue record from the root dns servers. ... (comp.mail.sendmail) RE: prisoner.iana.org ... recall that there are both forward lookup zones and reverse lookup ... On a forward lookup zone, you'd look up a host name and get an IP ... Because 2K and later systems try to register both their forward and reverse ... It does that by finding out which DNS server is the primary DNS ... (Incidents) Re: SOLVED -- Re: Problems with a BIND server ... The zone files there are built from scripts from a database, and there are problems with the SOA, NS, and MX records. ... I thought things worked correctly when you queried the DNS server for home.htt, and the problem was only when you queried the htt server. ... If you look at that TCPDUMP use see the first lookup of say, wiki.home.htt which returns the A record. ... (comp.protocols.dns.bind) Re: parent - child DNS in Active Directory ... This causes your lookups to ALWAYS append internaldomain.com to EVERY lookup. ... This, in turn, makes EVERY lookup go to your parent DNS server. ... (microsoft.public.windows.server.active_directory) Re: recursive query ... >> Have you tried giving the DNS server a forwarder? ... lookup, ... If ISA is in the mixed make sure the ISA has rules to support the type of ... (microsoft.public.win2000.dns)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

newsgroups.derkeiler.com  > Archive  > Comp  > comp.mail.sendmail  > 2007-03