Client IPs with no PTR record (Setting causes complaints from clients)
  •  
MacLab

Under SMTP security options, "Block if Client IP has no reverse entry (PTR)":

This setting has been causing some problems as clients send from everywhere, including incorrectly configured network IP addresses without a PTR record. Then they complain they cannot connect. What are others' experiences?

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
  •  
Bud Durland

Hopefully, they are sending through their e-mail server, not directly from their machine to your mail server. They really should have their IT department set up a proper PTR record. There are many organizations that will block mail coming from a source without one.

Of course you should make sure that the DNS server used by the KC server is working properly as well. There are many web sites that can be used as a reality check to see if the results from your DNS server are correct.
  •  
MacLab

Thanks. They are using our servers directly and authenticating so there is no additional mail server involved. The problem is it could be a mobile phone etc and the IP they have at the moment happens to have no PTR record. Not easy to talk to IT when it is T-Mobile or you are a guest on a campus. It is rare but it happens enough for customers to complain.

I would wish that Kerio would accept authentication but it seems to look first at the IP that has no PTR record and reject. As far as DNS lookups being wrong, I have verified the IPs as not having a PTR record and Kerio was correct.

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
  •  
j.a.duke

MacLab wrote on Thu, 30 January 2014 13:17
Thanks. They are using our servers directly and authenticating so there is no additional mail server involved. The problem is it could be a mobile phone etc and the IP they have at the moment happens to have no PTR record. Not easy to talk to IT when it is T-Mobile or you are a guest on a campus. It is rare but it happens enough for customers to complain.

I would wish that Kerio would accept authentication but it seems to look first at the IP that has no PTR record and reject. As far as DNS lookups being wrong, I have verified the IPs as not having a PTR record and Kerio was correct.



What options do you have checked on the Relay Control tab?

I've got numerous mobile users and have Block if no PTR enabled, yet I have yet to receive a single complaint over the last 6 years using Kerio.

Thanks.

Cheers,
Jon
  •  
MacLab

Most mobile users are fine and in fact probably 98% of users are fine. It's the 2% that aren't fine and then, it's only 5% of the time. :(

Standard stuff in the relay. Local clients allowed, everything else allowed except no open relay of course.

[Updated on: Thu, 30 January 2014 19:39]


MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
  •  
Vet_80

Confirm. PTR check from Kerio is total shit:
1. Instead of checking for a proper PTR only for unauthenticated connections, it checks every incoming connection.
2. Even the checked PTR record is not compared with the host name announced by the external sending host during the connection in the SMTP dialog.
  •  
Pavel Dobry (Kerio)

Please, watch your mouth.

1. Of course it does. Clients should use port 587 for sending emails, not 25. SMTP Submission port requires authentication and is not subject to PTR DNS check.

2. Matching PTR record to announced hostname does not decrease spam probability.
  •  
Vet_80

Pavel Dobry (Kerio) wrote on Thu, 05 February 2015 22:27

2. Matching PTR record to announced hostname does not decrease spam probability.

2. Really? Have you read carefully about the topic starter's issue connected with no PTR record on some clients' IP addresses:

MacLab wrote on Thu, 30 January 2014 19:39
Most mobile users are fine and in fact probably 98% of users are fine...
I hope the hint is obvious.. If not, don't try to think, simply follow the best practices.. (for example from the Gmail guys). ;)

Pavel Dobry (Kerio) wrote on Thu, 05 February 2015 22:27
..
1. Of course it does. Clients should use port 587 for sending emails, not 25. SMTP Submission port requires authentication and is not subject to PTR DNS check..


1. Nice try. Then I assume you should tell it to all producers of email client programs. Then they will set 587 as the default connectivity port for SMTP instead of 25. Or you can open a separate hotline for end users, to explain to them why they can't send e-mails from their brand new gadgets. Be sure, they remember the server address and of course the properly typed login and password.. ;)

P.S. Nothing personal, but sometimes the truth can be painful.. :)

[Updated on: Fri, 06 February 2015 06:00]

  •  
Pavel Dobry (Kerio)

Vet_80 wrote on Fri, 06 February 2015 05:37
I hope the hint is obvious.. If not, don't try to think, simply follow the best practices.. (for example from the Gmail guys). ;)

Yes, I have read it carefully. Please read my previous post carefully too. I was answering your objection about missing PTR record matching with hostname. Not about non-existing PTR.

Quote:

1. Nice try. Then I assume you should tell it to all producers of email client programs. Then they will set 587 as the default connectivity port for SMTP instead of 25. Or you can open a separate hotline for end users, to explain to them why they can't send e-mails from their brand new gadgets. Be sure, they remember the server address and of course the properly typed login and password.. ;)


Most of them do. Apple Mail, Thunderbird. You tell your users what username they need to use, what server hostname they need to use, what protocol (account) they need to set up in their email clients. So telling them to use port 587 for sending emails is a natural part of the initial configuration data you provide to them. Outgoing SMTP on port 25 is blocked in many hotels or wifi networks. So using 587 is necessary anyway (unless you have your own VPN).
  •  
Vet_80

So, probably you'll agree that, because almost everybody now gets a PTR record automatically from the ISP, the PTR spam protection you have provided in Kerio protects from nothing at all.

Then another hint: automatically assigned PTR records look like "x.x.x.x.domainname.com" or "x-x-x-x.domainname.com". Connect it with a couple of custom rules in spam filters, using ".??.??.", "-???-???-" etc. as a condition in the field "Received" to decline incoming messages and finally you will get a profit from PTR checking.. ;)

Concerning port range: actually it's more about port 465, which is used for secure client connections by e-mail client software and it is never blocked by anybody.. anybody except the Kerio PTR record check system.. which, as we found out earlier, in addition protects from nothing.

Now you see, I was not impolite, simply named things as they are... :)

P.S. His own e-mail address and the password chosen by himself are a headache of the user. The company's mail host is also not a mystery. IMAP or POP for the administrator doesn't matter at all. But input of a special port becomes a problem, which I can describe by the next sentences: "I have successfully adjusted by a couple of steps my Yahoo or Gmail mailbox, what's wrong with our corporate one. Why is it so complicated?"
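
Added example, not part of the thread and not Kerio's code: a small Python model of the policy the posts argue about. Port 587 is gated by authentication and skips the PTR check, port 25 rejects clients with no PTR, and a PTR that embeds the client's own IP octets (the "x-x-x-x.domainname.com" shape) is flagged by comparing it with the connecting IP instead of wildcard matching on the Received field. The function names, decision strings and sample connections are constructed for illustration.

```python
import ipaddress
import re
from typing import Optional

# Assumption: only port 587 is treated as authenticated submission, as the
# thread states; adjust for your own listener layout.
SUBMISSION_PORTS = {587}

def ptr_embeds_ip(ip: str, ptr: str) -> bool:
    """True if the PTR name contains the client's IPv4 octets, in forward or
    reversed order, joined by '.' or '-' (typical auto-assigned ISP records)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    name = ptr.lower().rstrip(".")
    for order in (octets, octets[::-1]):
        for sep in (r"\.", "-"):
            # Digit guards stop 203-0-113-45 from matching inside 1203-0-113-450.
            if re.search(r"(?<!\d)" + sep.join(order) + r"(?!\d)", name):
                return True
    return False

def smtp_policy(port: int, authenticated: bool, ip: str, ptr: Optional[str]) -> str:
    """Decide what to do with a connection; ptr is None when no record exists."""
    if port in SUBMISSION_PORTS:
        # Authentication is the gate here, so roaming clients on networks
        # without reverse DNS are not turned away.
        return "accept" if authenticated else "reject: authentication required"
    if ptr is None:
        return "reject: no PTR record"
    if ptr_embeds_ip(ip, ptr):
        return "flag: auto-assigned PTR"
    return "accept"

# Constructed sample connections (documentation address ranges, made-up names).
SAMPLES = [
    (587, True, "198.51.100.7", None),
    (25, False, "198.51.100.7", None),
    (25, False, "203.0.113.45", "203-0-113-45.dyn.example.net"),
    (25, False, "203.0.113.45", "45.113.0.203.pool.example.net"),
    (25, False, "192.0.2.10", "mail.example.org"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", smtp_policy(*sample))
```

In this model an authenticated client on port 25 with no PTR is still rejected, which is the complaint that opened the thread; moving that client to port 587 is what changes the outcome.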