On 05/10/2011 16:28, Storz, Michael wrote:
> Another name for the iprev test is "Forward Confirmed reverse DNS" (FCrDNS).
> With Postfix you configure it with the two commands
>
>     reject_unknown_reverse_client_hostname
>     reject_unknown_client_hostname
>
> We have used this check for years as our first defense against botnet spam with
> great success. In the last 7 days we rejected emails for nearly 22.000.000
> recipients. 49% did not have a PTR record, 29% did not have a matching A record.

Where does RFC 5321 say that a sending MTA needs a PTR record? (or even
an A record?)
If it doesn't, then the lack of a PTR record does not indicate that the
MTA is 'wrongly configured'.
Failing FCrDNS shouldn't be sufficient to reject mail. Lots of MTAs
can't have a 'correct' reverse DNS entry, even if they have one at all.
Use valid FCrDNS as a way of validating whitelist entries, but surely
not for more than that.
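
The FCrDNS check discussed in this thread, as an added example that is not part of either message: it separates the "no PTR record" and "no matching A record" outcomes and shows the whitelist-validation use. The function names, the injectable resolver parameters and the sample zone data are assumptions made for illustration.

```python
import ipaddress
import socket

def ptr_lookup(ip):
    """PTR names for ip from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def addr_lookup(name):
    """A/AAAA addresses for name from the system resolver ([] if none)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, ptr=ptr_lookup, fwd=addr_lookup):
    """Return (status, confirmed_name); status is no_ptr, no_match or pass."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no_ptr", None    # the reject_unknown_reverse_client_hostname case
    for name in names:
        for addr in fwd(name):
            try:
                if ipaddress.ip_address(addr.split("%")[0]) == client:
                    return "pass", name
            except ValueError:
                continue
    return "no_match", None      # also rejected by reject_unknown_client_hostname

def whitelisted(ip, domains, ptr=ptr_lookup, fwd=addr_lookup):
    """Trust a whitelist entry only if the confirmed name is in a listed domain."""
    status, name = fcrdns(ip, ptr, fwd)
    return status == "pass" and any(name == d or name.endswith("." + d) for d in domains)

# Constructed sample zone data (documentation address ranges), so this runs offline.
SAMPLE_PTR = {"192.0.2.10": ["Mail.Example.org."], "192.0.2.20": ["mail.example.org"],
              "2001:db8::25": ["mx.example.net"]}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"], "mx.example.net": ["2001:db8:0:0:0:0:0:25"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_fwd(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "2001:db8::25"):
        print(ip, fcrdns(ip, sample_ptr, sample_fwd))
```

In the sample data, 192.0.2.20 has a PTR record naming a host whose A record points elsewhere, so it fails forward confirmation even though a reverse entry exists.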