Link to home
Start Free TrialLog in
Avatar of Martin Radbo
Martin RadboFlag for Sweden

asked on

Client host rejected: cannot find your hostname stop a lot of spam but also some "good guys"

How do you handle all of theese email servers for real companies which does not have a reverse lookup for their IP ?    
We check all incoming email to our server and too many "wanted" emails are bounced due to this ("Client host rejected: cannot find your hostname")

More info:
Email server with Ubuntu Linux and Postfix.
Accordning to official RFC:s all email servers sending mail should have a reverse lookup and preferably also the same forward lookup for that IP.

I know we can make a list of the IP-numbers we want to let throw, and we do whenever we find any rejected email that we would have wanted, but with many customers this is too manually to be good.

How do you handle this delicate problem?
Avatar of DonConsolio
DonConsolio
Flag of Austria image

- use whitelists (whitelist sender IPs and sender mail addresses) to unblock your "good guys"
- use the missing RDNS to greylist the offending server
Avatar of Martin Radbo

ASKER

* Whitelists is OK but lot of manual work with checking log files and it will never end...

* "use the missing RDNS to greylist the offending server ". Do you mean that a missing reverse lookup always would result in a greylisting and at second attempt we should accept it?
Depending upon anti-spam system in use reduce the penalty/score of having no reverse lookup so that the system has to have this plus other dns query, uri or domain hit to really classify them as spam.

There are a number of good public whitelist servers that hold known good IP's that may not have a reverse lookup and are checked regularly.

>> How do you handle all of these email servers for real companies which does not have a reverse lookup for their IP <<

The way I handle them is to reject them.  If they are not RFC compliant, then they get rejected pure and simple.

The vast majority of servers are configured properly, but there are a handful that aren't.  Those that aren't, don't get to deliver their emails to my servers until they are RFC compliant.  It's not that complicated to get RFC compliant and I am more than happy to advise companies that they are not and need to be.

Alan
I would like to reject them as I do now, but then our customer tells me that "when we used another ISP for our email traffic it used to work" and that is quite annoying. Loosing an importante customer just because we follow the RFC...
ASKER CERTIFIED SOLUTION
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I think you missunderstood a bit. We have a customer (company A) and they have all their email accounts at our server. Company A has a lot of customers trying to email to them (i.e. to our server). Some of their customers have not configured their reverse IP and therefor OUR server rejects the incoming email.

I think company A hade another ISP for their own email accounts before with other safety regulations and therefor maybe less problem.
That does not matter now, I just want some propositions for how to best configure OUR server.
I understand your issue - but the question is - how much spam do you want your customers to receive?

You can't whitelist mail servers one by one - that would be a nightmare and I personally refuse to whitelist a server that isn't configured properly.

My $0.02 worth - keep rejecting and advise your customers customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together.
"My $0.02 worth - keep rejecting and advise your customers customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together. "

True! I think the mentality here in Sweden are to accept even non-RFC things, to get the email to arrive, rather than take the hassle with rejecting.
This mean that they are able to send their emails to many other servers who acccept them (against the RFC) but not to our server.

One detail: do you give 400 or 500-messages back? Temporary or permament bounce?  With continues 400-messages the sender will never be noticed about his errors.
Well - in the past 93 days - we have received 404,267 emails and blacklisted 148,762 of them.

My approach may not be the norm with other companies / Exchange Administrators and I appreciate that at the end of the day all we want is the good mail and to reject the bad mail, but that's the problem - how to tell the good from the bad.

You may as well not spam filter if you just want the mail in and not worry about being RFC compliant.

If you liken it to passport control at a countries borders - if someone comes up to the control with a forged passport or a passport that is expired, or one that shows a different photograph to the person carrying the passport - do you let them in the country or turn they around and send them back home?

I know what I would do!
Thank you all. We have found that the only possible solution in our case is to turn off the reverse checking of IP:n.

But, we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not negliate it.
Oh well - not to worry.  As long as you don't get spam and your good mail arrives - that's the important part.

Alan
"But, we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not negliate it. "

I have a hard time finding the setting to add to our /spamassassin/local.cf to set the amount of score for missing reverse lookup.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial