Loading ...
Sorry, an error occurred while loading the content.
 

Postfix and Generic rDNS

Expand Messages
  • Klaipedaville on Google
    Hello there, I have a quick question / request for clarification. I’ll try to be concise. My ISP has a generic rDNS. For clarity I’ll say that it is
    Message 1 of 10 , Jun 27, 2014
      Hello there,
       
      I have a quick question / request for clarification. I’ll try to be concise.
       
      My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."
       
      Now my postfix always warns me due to this generic rDNS of my ISP.
       
      Postfix says, "hostname verification errors in FCrDNS:
      Does not resolve to address
      123.45.67.8    123-45-67-8.my.isp.com”
       
      Any free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.
       
      Postfix is working OK but this warning is simply always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!
       
      Regards,
      Dennis.
       
       
       
       
       
       
       
       
    • DTNX Postmaster
      ... First off, for the best assistance, post the actual log entries for the warning, instead of a generic description. Too much information tends to get lost
      Message 2 of 10 , Jun 27, 2014
        On 27 Jun 2014, at 10:53, Klaipedaville on Google <klaipedaville@...> wrote:

        > I have a quick question / request for clarification. I’ll try to be concise.
        >
        > My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."
        >
        > Now my postfix always warns me due to this generic rDNS of my ISP.
        >
        > Postfix says, "hostname verification errors in FCrDNS:
        > Does not resolve to address
        > 123.45.67.8 123-45-67-8.my.isp.com”
        >
        > Any free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.
        >
        > Postfix is working OK but this warning is simply always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!

        First off, for the best assistance, post the actual log entries for the warning, instead of a generic description. Too much information tends to get lost if people 'translate' :-)

        And if you do use domain names in your examples, make sure they are the actual values, or something appropriate for example use, like 'example.com'. As documented here;

        http://tools.ietf.org/html/rfc2606#page-2

        As for a fix, check whether your ISP supports setting the reverse DNS for your IP address. This may be a feature that comes with a 'business' type account, or they may not support it at all. If it's not supported, the general advice is to send outgoing mail via the SMTP servers provided by your ISP, to avoid issues with delivery.

        Mvg,
        Joni
      • lists@rhsoft.net
        ... in general bad - i tend to block such PTR s because the postmaster finds not worth to care about a clean reputation and if i face too much spam from other
        Message 3 of 10 , Jun 27, 2014
          Am 27.06.2014 10:53, schrieb Klaipedaville on Google:
          > My ISP has a generic rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query
          > on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique
          > reverse pointer" which is usually something like mail.your-domain.com."

          in general bad - i tend to block such PTR's because the postmaster
          finds not worth to care about a clean reputation and if i face
          too much spam from other "*.your.isp.com", well you have to bite it

          if your IP is from a eastern country i don't hestitate a second
          and place the whole /16 subnet of your ISP on the RBL in case
          of spam delivery

          > Now my postfix always warns me due to this generic rDNS of my ISP.
          >
          > Postfix says, "hostname verification errors in FCrDNS:
          > Does not resolve to address
          > 123.45.67.8 123-45-67-8.my.isp.com”

          PTR and A don't match

          > Postfix is working OK but this warning is simply always there as
          > I have no control over my ISP

          then switch to a different ISP or move your mailserver
          somewhere in a datacenter (rootserver, VPS....)
        • Klaipedaville on Google
          Hello Joni, Thank you for your suggestion and quick reply. Well, my actual log entry has been posted in my first message. I only changed the actual IP address.
          Message 4 of 10 , Jun 27, 2014
            Hello Joni,
             
            Thank you for your suggestion and quick reply.
             
            Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
             
            Postfix says, "hostname verification errors in FCrDNS:
            Does not resolve to address
            123.45.67.8    123-45-67-8.my.isp.com”
             
            Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
             
            ---------------Hostname verification errors (FCRDNS) ------------------
            Does not resolve to address
            123.45.67.8    123-45-67-8.my.isp.com
            ---------------------------------------------------------------------------------------
             
            The domain names were not required in my question therefore I did not use any of them such as example.com and so on so there isn’t much for you to translate Smile.
             
            I have a "business" type account and the reverse DNS is available. In fact, It even works OK but only one way. The thing that is not working as per my log entry is the other way around, that is the FCrDNS. I’ll double-check it with my ISP one more time on that though.
             
            However, my question was if I could possibly solve it using only postfix without getting my ISP involved because as I have already said in my previous message Postfix has been working absolutely fine without any problems with delivery or anything else. I’ve been trying to fix it using check_reverse_client_hostname_access but this does not seem to solve the issue.
             
            Would highly appreciate any other / more options, comments, assistance. Many thanks!
             
            Regards,
            Dennis.
             
             
            >
            >
            >First
            off, for the best assistance, post the actual log entries for the warning, instead of a generic description. Too much information tends to get lost if people 'translate' :-)
            >
            >And if you do use domain names in your
            examples, make sure they are the actual values, or something appropriate for example use, like 'example.com'. As documented here;
            >
            >http://tools.ietf.org/html/rfc2606#page-2
            >
            >As
            for a fix, check whether your ISP supports setting the reverse DNS for your IP address. This may be a feature that comes with a 'business' type account, or they may not support it at all. If it's not supported, the general >advice is to send outgoing mail via the SMTP servers provided by your ISP, to avoid issues with delivery.
            >
            >Mvg,
            >Joni

             
            Sent: Friday, June 27, 2014 12:12
            Subject: Re: Postfix and Generic rDNS
             
            On 27 Jun 2014, at 10:53, Klaipedaville on Google <klaipedaville@...> wrote:

            > I
            have a quick question / request for clarification. I’ll try to be concise.

            > My ISP has a generic rDNS. For clarity I’ll say
            that it is defined as follows, "Generic rDNS means that a DNS query on the IP address resolves to something like: 123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique reverse pointer" which is usually something like mail.your-domain.com."

            > Now my postfix always warns me due
            to this generic rDNS of my ISP.

            > Postfix says, "hostname
            verification errors in FCrDNS:
            > Does not resolve to address
            >
            123.45.67.8    123-45-67-8.my.isp.com”

            > Any
            free FCrDNS online service also shows and says the same thing, that is that rDNS is not forward confirmed or PTR is generic. The IP address is static.

            > Postfix is working OK but this warning is simply
            always there as I have no control over my ISP. Would appreciate any suggestions / advices / pointers on how do I fix it? Many thanks in advance!
          • lists@rhsoft.net
            ... well, with I only changed the actual IP address and isnÆt much for you to translate why don t you just leaves us in peace and solve your problem for
            Message 5 of 10 , Jun 27, 2014
              Am 27.06.2014 11:52, schrieb Klaipedaville on Google:
              > Thank you for your suggestion and quick reply.
              >
              > Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
              >
              > Postfix says, "hostname verification errors in FCrDNS:
              > Does not resolve to address
              > 123.45.67.8 123-45-67-8.my.isp.com”
              >
              > Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
              >
              > ---------------Hostname verification errors (FCRDNS) ------------------
              > Does not resolve to address
              > 123.45.67.8 123-45-67-8.my.isp.com
              > ---------------------------------------------------------------------------------------
              >
              > The domain names were not required in my question therefore I did not use any of them such as
              > example.com and so on so there isn’t much for you to translate Smile.

              well, with "I only changed the actual IP address" and "isn’t much for you to translate"
              why don't you just leaves us in peace and solve your problem for your own - nobody
              can take a look on DNS relevant things if you mask the IP
            • Klaipedaville on Google
              Than you for your message. Well, this is all true to the fact. I agree with you almost 100%. ... They actually do because it resolves OK one way, it does not
              Message 6 of 10 , Jun 27, 2014
                Than you for your message.
                 
                Well, this is all true to the fact. I agree with you almost 100%.
                 
                >PTR and A don't match.
                They actually do because it resolves OK one way, it does not resolve the other way around FCrDNS (forward confirmed DNS) because it’s generic PTR...
                >then switch to a different ISP or move your mailserver
                >somewhere in a
                datacenter (rootserver, VPS....)
                There are not too many providers to choose from where I am at. Then again if I moved to a datacenter then I would need my "first point of access" to be made through the same local two ISPs (only two of them here)...
                It’s a virtual server.
                 


                Am 27.06.2014 10:53, schrieb Klaipedaville on Google:
                > My ISP has a generic
                rDNS. For clarity I’ll say that it is defined as follows, "Generic rDNS means that a DNS query
                > on the IP address resolves to something like:
                123-45-67-8.your.isp.com. The opposite of generic rDNS is a "unique
                >
                reverse pointer" which is usually something like mail.your-domain.com."

                in general bad - i tend to block such PTR's because the postmaster
                finds not worth to care about a clean reputation and if i face
                too much spam from other "*.your.isp.com", well you have to bite it

                if your IP is from a eastern country i don't hestitate a second
                and place the whole /16 subnet of your ISP on the RBL in case
                of spam delivery

                > Now my postfix always warns me due to this generic rDNS of
                my ISP.

                > Postfix says, "hostname verification errors in
                FCrDNS:
                > Does not resolve to address
                >
                123.45.67.8    123-45-67-8.my.isp.com”

                PTR and A don't match

                > Postfix is working OK but this warning is simply always there
                as
                > I have no control over my ISP

                then switch to a different ISP or move your mailserver
                somewhere in a datacenter (rootserver, VPS....)
              • lists@rhsoft.net
                first: * don t post HTML * don t reply-all on mailing-lists ... than they don t - period ... don t matter, call your ISP names - as you can see it s possible:
                Message 7 of 10 , Jun 27, 2014
                  first:

                  * don't post HTML
                  * don't reply-all on mailing-lists

                  Am 27.06.2014 12:15, schrieb Klaipedaville on Google:
                  > Than you for your message.
                  >
                  > Well, this is all true to the fact. I agree with you almost 100%.
                  >
                  >>PTR and A don't match
                  >
                  > They actually do because it resolves OK one way, it does not resolve the
                  > other way around FCrDNS (forward confirmed DNS)

                  than they don't - period

                  > because it’s generic PTR...

                  don't matter, call your ISP names - as you can see it's possible:
                  85.103.178.62.in-addr.arpa. 1849 IN PTR chello062178103085.7.12.vie.surfer.at.
                  chello062178103085.7.12.vie.surfer.at. 3600 IN A 62.178.103.85

                  at that is a homeinternet access and has FCrDNS
                  frankly even my home guest-range has FCrDNS

                  >>then switch to a different ISP or move your mailserver
                  >>somewhere in a datacenter (rootserver, VPS....)
                  > There are _not_ too many providers to choose from where I am at.

                  then fight with them - they control the in-addr.arpa. and they
                  *can* set a PTR, they only don't care

                  > Then again if I moved to a datacenter then I would
                  > need my "first point of access" to be made through the same
                  > local two ISPs (only two of them here)... It’s a virtual server

                  the difference is that datacenter IP's have a sane PTR
                  what you are talking about the whole time looks like
                  a home-IP and will get treatet by other mailservers
                  like that -> reject
                • DTNX Postmaster
                  ... Please do not top-post, and try to avoid HTML messages. As for what you supplied as an error message; perhaps you copied it from a bounce message, or from
                  Message 8 of 10 , Jun 27, 2014
                    On 27 Jun 2014, at 11:52, Klaipedaville on Google <klaipedaville@...> wrote:

                    > Thank you for your suggestion and quick reply.
                    >
                    > Well, my actual log entry has been posted in my first message. I only changed the actual IP address. The log is:
                    >
                    > Postfix says, "hostname verification errors in FCrDNS:
                    > Does not resolve to address
                    > 123.45.67.8 123-45-67-8.my.isp.com”
                    >
                    > Now here is the exact copy-paste if it wasn’t really clear for you from the first time:
                    >
                    > ---------------Hostname verification errors (FCRDNS) ------------------
                    > Does not resolve to address
                    > 123.45.67.8 123-45-67-8.my.isp.com
                    > ---------------------------------------------------------------------------------------
                    >
                    > The domain names were not required in my question therefore I did not use any of them such as example.com and so on so there isn’t much for you to translate <wlEmoticon-smile[1].png>.
                    >
                    > I have a "business" type account and the reverse DNS is available. In fact, It even works OK but only one way. The thing that is not working as per my log entry is the other way around, that is the FCrDNS. I’ll double-check it with my ISP one more time on that though.
                    >
                    > However, my question was if I could possibly solve it using only postfix without getting my ISP involved because as I have already said in my previous message Postfix has been working absolutely fine without any problems with delivery or anything else. I’ve been trying to fix it using check_reverse_client_hostname_access but this does not seem to solve the issue.

                    Please do not top-post, and try to avoid HTML messages.

                    As for what you supplied as an error message; perhaps you copied it from a bounce message, or from some online testing tool, but it is not from the Postfix logs. If you want help with Postfix, follow the instructions here;

                    http://www.postfix.org/DEBUG_README.html

                    Show us the problem that you are trying to solve. If you do not provide actual, real-world logs, with data that can be tested by people on this list, don't expect much more help.

                    Mvg,
                    Joni
                  • Stan Hoeppner
                    On 6/27/2014 3:53 AM, Klaipedaville on Google wrote: ... You should only see these warnings for mismatched hosts that connect to your Postfix SMTPD server. Do
                    Message 9 of 10 , Jun 27, 2014
                      On 6/27/2014 3:53 AM, Klaipedaville on Google wrote:
                      ...
                      > Now my postfix always warns me due to this generic rDNS of my ISP.
                      >
                      > Postfix says, "hostname verification errors in FCrDNS:
                      > Does not resolve to address
                      > 123.45.67.8 123-45-67-8.my.isp.com

                      You should only see these warnings for mismatched hosts that connect to
                      your Postfix SMTPD server. Do you have a NAT router in front of the
                      Postfix server? Do your logs show all inbound connections coming from
                      only one IP, your public IP address? Do you get this warning for every
                      connection? If so you might try setting

                      http://www.postfix.org/postconf.5.html#proxy_interfaces

                      If all connections are from that one IP, get a different NAT router that
                      doesn't rewrite the source address.

                      Cheers,

                      Stan
                    • Bill Cole
                      ... There is no reason to do that, which makes it impossible for us to figure out precisely what your problem is. Your problem seems to be entirely distinct
                      Message 10 of 10 , Jun 27, 2014
                        On 27 Jun 2014, at 5:52, Klaipedaville on Google wrote:

                        > Hello Joni,
                        >
                        > Thank you for your suggestion and quick reply.
                        >
                        > Well, my actual log entry has been posted in my first message. I only
                        > changed the actual IP address.

                        There is no reason to do that, which makes it impossible for us to
                        figure out precisely what your problem is. Your problem seems to be
                        entirely distinct from the use of "generic" rDNS records, but your
                        obfuscation of the specific details makes that hard to state with
                        certainty.

                        > The log is:
                        >
                        > Postfix says, "hostname verification errors in FCrDNS:
                        > Does not resolve to address
                        > 123.45.67.8 123-45-67-8.my.isp.com”
                        >
                        >
                        > Now here is the exact copy-paste if it wasn’t really clear for you
                        > from the first time:
                        >
                        > ---------------Hostname verification errors (FCRDNS)
                        > ------------------
                        > Does not resolve to address
                        > 123.45.67.8 123-45-67-8.my.isp.com
                        > ---------------------------------------------------------------------------------------

                        Postfix generates no messages in any form like that. It does sometimes
                        generate log entries like this:

                        Jun 17 12:44:39 toaster postfix/smtpd[11867]: warning: hostname
                        br16.srvmatrix.info does not resolve to address 177.11.51.78: nodename
                        nor servname provided, or not known

                        That was the result of some spammer using 177.11.51.78 trying to relay
                        through my server. The same warning would have been generated if they
                        had been trying to send mail to me. There'sa PTR record for
                        177.11.51.78 pointing to br16.srvmatrix.info but there's no A or CNAME
                        record for br16.srvmatrix.info. That DNS error is common enough that it
                        would be unsafe to have Postfix do anything more that warn about it, but
                        the warning is good to have in the log because it illuminates why
                        related log messages refer to the client as "unknown".

                        It requires no effort on my part to avoid seeing such log messages when
                        I don't want to, because I don't normally look for them. Whatever is
                        translating the messages in your Postfix logs into messages like the one
                        you've included is causing pointless worry.

                        > The domain names were not required in my question therefore I did not
                        > use any of them such as example.com and so on so there isn’t much
                        > for you to translate .

                        Not so. If you had included an actual Postfix log entry, it would have
                        been much more clear what your difficulty is.

                        > I have a "business" type account and the reverse DNS is available. In
                        > fact, It even works OK but only one way. The thing that is not working
                        > as per my log entry is the other way around, that is the FCrDNS.
                        > I’ll double-check it with my ISP one more time on that though.

                        Here's an example of a not-so-random real case of bad DNS that might be
                        very similar to whatever problem you are trying to solve. First a
                        "reverse" resolution of an IP address to a name:

                        # dig +noauth +noadd +nocmd +nostats -x 86.100.96.251
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18478
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;251.96.100.86.in-addr.arpa. IN PTR

                        ;; ANSWER SECTION:
                        251.96.100.86.in-addr.arpa. 31261 IN PTR
                        86-100-96-251.klp.balticum.lt.

                        That's "generic" rDNS: a PTR whose value is clearly derived from the IP
                        address. Nothing wrong with that, if the only rational alternative is no
                        PTR at all. However, any name used as a PTR value should have forward (A
                        or CNAME) resolution, but this generic name does not:

                        # dig +noadd +nocmd +nostats 86-100-96-251.klp.balticum.lt.
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46734
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;86-100-96-251.klp.balticum.lt. IN A

                        ;; AUTHORITY SECTION:
                        balticum.lt. 6016 IN SOA ns1.balticum.lt.
                        hostmaster.balticum-tv.lt. 2014050801 10800 1800 604800 86400


                        And who runs the reverse DNS?

                        # dig +short 96.100.86.in-addr.arpa. SOA
                        ns1.balticum.lt. hostmaster.balticum-tv.lt. 2011021402 43200 7200
                        1728000 7200

                        The same entity that is running the forward DNS. So this isn't
                        miscommunication between an ISP and customer, this is an ISP that is
                        simply incompetent. They could make the generic rDNS name resolve, but
                        they don't. Simple stupidity, and entirely outside what anyone else can
                        fix, even the unfortunate person using 86.100.96.251.

                        > However, my question was if I could possibly solve it using only
                        > postfix without getting my ISP involved because as I have already said
                        > in my previous message Postfix has been working absolutely fine
                        > without any problems with delivery or anything else. I’ve been
                        > trying to fix it using check_reverse_client_hostname_access but this
                        > does not seem to solve the issue.
                        >
                        > Would highly appreciate any other / more options, comments,
                        > assistance. Many thanks!

                        If the problem is only with one address, you might be able to quiet the
                        noise with an entry in your /etc/hosts file to create the missing
                        IP<->name mapping symmetrically. Most (but not all) systems still check
                        there first before or in addition to DNS. That will hide the bad DNS
                        from Postfix.
                      Your message has been successfully submitted and would be delivered to recipients shortly.