
REVERSE RESOLUTION
  •  
linuxbox

why does the smtp server NOT block connections that don't reverse resolve??? the option on the "security options" tab lets you block if the sender's domain wasn't found in the dns but how about the ip address of the spammer making the connection to the server??

there should be an option to block all mail from an IP that does not reverse resolve. nobody should be accepting email from IPs that don't resolve...basic fundamental rule.

the problem is that queues get filled up with crap that shouldn't be there in the first place and it's all due to the mailserver accepting junk spam from IP addresses that have no reverse dns.
this should be changed ASAP.
  •  
silver02suby

While you make a completely valid point, the problem with reverse DNS is that many ISPs refuse to offer this option at all. It's bad enough that Mac OS X Server requires it for their internal services, basically requiring an admin to run internal DNS, but getting an ISP to even provide reverse DNS, let alone a *configurable* one, is like pulling teeth.

  •  
linuxbox

silver02suby wrote on Mon, 11 May 2009 14:41

While you make a completely valid point, the problem with reverse DNS is that many ISPs refuse to offer this option at all. It's bad enough that Mac OS X Server requires it for their internal services, basically requiring an admin to run internal DNS, but getting an ISP to even provide reverse DNS, let alone a *configurable* one, is like pulling teeth.





well, all i'm saying is that it should at least be an option.
The bottom line is if you are planning on running a valid non-spam smtp service, you are expected to provide reverse dns with your smtp server. it's been that way for a very long time and should still be that way. most other email server software allows the ability to reject smtp connects that don't reverse resolve and kerio should be no different. also, that forces people to get with the program and find a host that DOES provide proper reverse dns.
  •  
p0ddie

while this would cut down on spam, yes, I imagine 90% of all Kerio users would not be able to deliver their mail anymore to hosts blocking non-rDNS-resolving machines.

At least here in Germany, most small/medium businesses use a DSL connection with a static IP. While their domain has correct MX entries, the rDNS of the IP still resolves to some 222-333-ee-dialin.provider.com.

It is almost impossible to have the rDNS entry changed to a correct value with these connections.
  •  
linuxbox

p0ddie wrote on Mon, 11 May 2009 15:06

while this would cut down on spam, yes, I imagine 90% of all Kerio users would not be able to deliver their mail anymore to hosts blocking non-rDNS-resolving machines.

At least here in Germany, most small/medium businesses use a DSL connection with a static IP. While their domain has correct MX entries, the rDNS of the IP still resolves to some 222-333-ee-dialin.provider.com.

It is almost impossible to have the rDNS entry changed to a correct value with these connections.



what i'm saying is provide it as an option....for those of us who like to play by the normal rules and do provide reverse dns of our ip addresses and DO want to block those smtp servers that don't resolve like they are supposed to; be it business dsl customers or whatever. the bottom line is this, if you are running an email server properly, you have reverse dns set up..it's honestly that simple. if you don't have reverse dns, then you shouldn't be running an internet email server and need to outsource your email service to a provider who is set up properly to do so....hate to be so brutally honest but it's a fact.

and another thing, yes i understand what you are talking about the improper reverse resolution but at least it IS resolving to something.

SOMETHING ELSE: why not simply give the option to increase the spam score by whatever amount the admin wants if the IP doesn't resolve to a name??? i mean, that option is on other parts of kerio security so why not this? makes no sense to me.

this is how it SHOULD be:
http://www.altamente.com/do-not-use-maps-dul-dial-user-list-anatomy-smtp-connection

[Updated on: Mon, 11 May 2009 23:16]
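
The two policies argued over in this thread (refuse a client whose IP has no PTR record, or accept it and raise its spam score), as an added example that is not part of the thread and is not Kerio code. The DNS data, the generic-hostname pattern and the score values are constructed assumptions; `classify` and `decide` are hypothetical names.

```python
import ipaddress
import re

# Constructed DNS data (documentation address ranges) so the example runs offline.
PTR = {"192.0.2.10": ["mail.example.org"],
       "198.51.100.7": ["222-333-ee-dialin.provider.com"],
       "203.0.113.5": ["mx.example.net"]}
A = {"mail.example.org": ["192.0.2.10"],
     "222-333-ee-dialin.provider.com": ["198.51.100.7"],
     "mx.example.net": ["203.0.113.99"]}  # forward lookup points elsewhere

def sample_ptr(ip):
    return PTR.get(ip, [])

def sample_a(name):
    return A.get(name, [])

# Assumed heuristic for provider-assigned names; tune for your own mail flow.
GENERIC = re.compile(r"dial-?in|dyn|dsl|pool|ppp|dhcp", re.I)
# Assumed spam-score increments per state (hypothetical values).
PENALTY = {"no_ptr": 5.0, "unconfirmed": 3.0, "generic": 1.5, "ok": 0.0}

def reverse_name(ip):
    """Name the PTR query is sent for, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def classify(ip, ptr_lookup=sample_ptr, a_lookup=sample_a):
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr"
    # Forward-confirm: a PTR name must resolve back to the connecting IP.
    confirmed = [n for n in names
                 if addr in {ipaddress.ip_address(a) for a in a_lookup(n)}]
    if not confirmed:
        return "unconfirmed"
    if all(GENERIC.search(n) for n in confirmed):
        return "generic"
    return "ok"

def decide(ip, mode="score", ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Return (state, action, added_spam_score) for a connecting client IP."""
    state = classify(ip, ptr_lookup, a_lookup)
    if mode == "reject" and state == "no_ptr":
        return state, "reject", 0.0
    return state, "accept", PENALTY[state]
```

For live use, `ptr_lookup` and `a_lookup` can wrap `socket.gethostbyaddr` and `socket.getaddrinfo`; a lookup that times out should be treated as a temporary failure, not as a missing PTR.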

  •  
sgongola

You can try this:
http://www.uceprotect.net/en/index.php?m=3&s=3
It claims to block sites with reverse PTR issues. I don't know how well it works, but you never know till you try it.
  •  
linuxbox

nice. i will try that and see how it goes. i'll go with level 2 for now and see if that helps.
thanks!