Re: Google rejecting IPv6 mails
- On 10/7/2013 12:25 PM, Jim Reid wrote:
> On 7 Oct 2013, at 18:15, Erwan David <erwan@...> wrote:
>> Google is really rejecting emails in IPv6 because of a lack of PTR...
> If that's the case, good. Just do The Right Thing and arrange a valid PTR for the IPv6 address that speaks SMTP. This should be simpler and less hassle than changing the postfix config. Or adding more workarounds to that when someone finds yet more mail providers who reject connections from addresses with no reverse DNS.
> SMTP from an address with no reverse DNS is a fairly good indicator of a spam source. YMMV.
Agreed.
Postfix' reject_unknown_reverse_client_hostname is functionally
equivalent to what Google is doing here. And I'd guess everyone here
enables this restriction. And if not, they should. Hmm...that makes me
Since Postscreen stops bots without checking for existence of PTR, I'm
wondering if many folks have simply eliminated this restriction in
main.cf, and thus forgotten how critical PTR is as a first level of
trust evaluation of inbound SMTP connections.
Yesterday reject_unknown_reverse_client_hostname accounted for 45% of
rejected spam attempts here. I do not use Postscreen. And neither does
Google, and their MTA is self baked.
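
The PTR test discussed in the message above, as an added example that is not part of the original thread: it builds the ip6.arpa query name for a client address and classifies the client the way reject_unknown_reverse_client_hostname (no PTR at all) and the stricter reject_unknown_client_hostname (PTR present but not forward-confirmed) would. The DNS data, host names and function names are constructed for illustration; a real check would query DNS instead of these dictionaries.

```python
import ipaddress


def ptr_name(client_ip):
    """Return the reverse-DNS query name (ip6.arpa / in-addr.arpa) for an address."""
    return ipaddress.ip_address(client_ip).reverse_pointer


# Constructed sample zone data in the 2001:db8::/32 documentation prefix,
# standing in for live DNS lookups so the example runs offline.
PTR = {
    ptr_name("2001:db8::25"): "mail.example.org",
    ptr_name("2001:db8::26"): "mx2.example.org",
}
AAAA = {
    "mail.example.org": {"2001:db8::25"},
    "mx2.example.org": {"2001:db8::99"},  # forward record points elsewhere
}


def classify(client_ip, ptr=PTR, forward=AAAA):
    """Classify a connecting client by its reverse DNS.

    'no_ptr'      : no address->name mapping; this is the condition
                    reject_unknown_reverse_client_hostname rejects.
    'fcrdns_fail' : a PTR exists, but the name does not map back to the
                    client address; reject_unknown_client_hostname
                    rejects this case as well.
    'ok'          : forward-confirmed reverse DNS.
    """
    addr = ipaddress.ip_address(client_ip)
    name = ptr.get(addr.reverse_pointer)
    if name is None:
        return "no_ptr", None
    # Compare parsed addresses, not strings, so "::25" and "0:0:...:25" match.
    back = {ipaddress.ip_address(a) for a in forward.get(name, ())}
    if addr not in back:
        return "fcrdns_fail", name
    return "ok", name


if __name__ == "__main__":
    for ip in ("2001:db8::25", "2001:db8::26", "2001:db8::27"):
        print(ip, ptr_name(ip), classify(ip))
```
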
- On Sun, Oct 13, 2013 at 09:26:12PM +0200, Dominik George wrote:
> > There is, in fact, no reliable list of *all* mail hosts that will
> > ever (as in, for a long time in the future) be the sending MTAs
> > of Google-hosted domains.
> Apart from that, I am tired of implementing exceptions for each and
> every big proprietary mail provider out there. If a company desires
> to take part in federated e-mail communication, I expect them to
> set up their stuff the way others expect it. If their setup is too
> huge to manage it without awkward tricks, like Google dynamically
> assigning roles to servers and not even reliably using subnets,
> whatever, for certain roles, then they are by definition not up to
> the task of operating it, be it for conceptional or personnel
> limitations. If we go ahead and teach all _other_ mail systems to
> fit their needs, we effectively do the work their customers pay
> them for.
> I am close to deciding not to opt-in to that and simply not
> accepting their mail if I can't using standard configurations.
Amen. Along those lines, Postfix 2.11 will be the most important
minor version since the introduction of postscreen itself in 2.8. At
last we can have the benefits of postscreen zombie detection without
the pain of greylisting.
Gmail and just about every big proprietary mail provider out there
maintains lists of their hosts on dnswl.org. Postscreen with a
relatively simple DNSBL configuration, including a negative point
lookup for list.dnswl.org, will make this all very easy and low
maintenance. (Consider signing up for dnswl.org yourself; it costs
only a few minutes of your time.)
My postscreen page, not yet updated for 2.11:
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: