
Why don’t people (the ones that run a mailserver) care about RFCs?

Blogged by Max1 as English, bla... — Max1 Tue 15 Jul 2008 13:13

It’s now the second time this week that quite a big website uses a mailserver with DNS settings that do not resolve properly.

Why is that? In those two particular cases I don’t think the problem was ignorance concerning RFCs, but a wrong or not yet completed configuration:

As an example: the host mail.example.com has an A-Record pointing to the IP address 1.2.3.4. And 1.2.3.4 has a correct reverse PTR entry for mail.example.com. BUT:
1.2.3.4 (well, because we are talking about reverse lookups here, that is of course 4.3.2.1.in-addr.arpa) also has another PTR entry pointing to mail.example2.com.
BUT: mail.example2.com does NOT have an A-Record that resolves to 1.2.3.4. In my cases it just didn’t have any A-Record.

So what happens is that the mailserver (in my case postfix) will do a reverse lookup of the IP. As a result it will get mail.example.com OR mail.example2.com randomly. If you specified reject_unknown_client_hostname, it will then do a forward lookup on that result and try to match it against the IP address the connection comes from.
Meaning: if the result of the first lookup was mail.example.com, it will find a correct A-Record that resolves to the IP. All is fine.
But if the result of the first lookup was mail.example2.com, it won’t find a matching A-Record and will reject the email.
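
The check described above, as an added example that is not part of the original post: it audits every PTR name of an IP instead of only the one a single lookup returns. The zone data is constructed from the mail.example.com case, the function names are made up for this sketch, and it is a simplified model rather than Postfix's own code.

```python
import ipaddress

# Constructed zone data mirroring the post's example (not real DNS answers).
PTR_RECORDS = {
    "4.3.2.1.in-addr.arpa": ["mail.example.com", "mail.example2.com"],
}
A_RECORDS = {
    "mail.example.com": ["1.2.3.4"],
    # mail.example2.com deliberately has no A record
}

def lookup_ptr(ip):
    """All PTR names for an IP (stand-in for a real resolver query)."""
    return PTR_RECORDS.get(ipaddress.ip_address(ip).reverse_pointer, [])

def lookup_a(name):
    """All addresses for a hostname (stand-in for a real resolver query)."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])

def forward_confirmed(ip, name, resolve_a=lookup_a):
    """True if `name` resolves back to `ip` (the forward half of the check)."""
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(addr) == want for addr in resolve_a(name))

def audit_ip(ip, resolve_ptr=lookup_ptr, resolve_a=lookup_a):
    """Check every PTR name, not just the one a single lookup happens to return."""
    names = resolve_ptr(ip)
    results = {n: forward_confirmed(ip, n, resolve_a) for n in names}
    if not names:
        verdict = "no PTR: always rejected"
    elif all(results.values()):
        verdict = "consistent: always accepted"
    elif any(results.values()):
        verdict = "inconsistent: accepted or rejected depending on PTR answer"
    else:
        verdict = "no PTR name forward-confirms: always rejected"
    return verdict, results

if __name__ == "__main__":
    verdict, results = audit_ip("1.2.3.4")
    print(verdict)
    for name, ok in results.items():
        print(f"  {name}: {'ok' if ok else 'does not resolve to 1.2.3.4'}")
```

To run the same audit against live DNS, pass resolver-backed functions as `resolve_ptr` and `resolve_a`; the PTR lookup must return the full record set, since an ordinary reverse lookup call hands back a single name.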

I find that really annoying. I mean, errors happen, but until now, only one of them has replied to my email containing information on the problem.

To everyone out there that has a mailserver: PLEASE configure your DNS entries properly ;)

For those who want to see what I mean live:

Try comspot.de or dataworld.de ;)

Dataworld.de has told me they will check the issue with their Administrators :) So if you find the error being corrected please tell me about it.

Why we love Microsoft – Outlook Express 6 and SASL Auth / SSL

Blogged by Max1 as Debian, English, Linux, bla... — Max1 Tue 1 Jul 2008 10:57

Since I’m using Thunderbird for my emailing I didn’t know about that problem. But one site I’m hosting recently has email users that are using Microsoft’s Outlook Express 6 (the one that ships with XP).

What I didn’t know is that OE6 neither handles SSL handshakes correctly, nor is able to authenticate the user properly via SASL auth.

So you either get an error saying the server doesn’t support SSL, but you see the server’s reply code being ‘250 OK’.
Or you get an error depending on sender-, helo-, and recipient restrictions you’ve got. In my case I have implemented various checks concerning the hostname of the qualified client and of course RBL. Both will reject the ‘normal’ user connecting with OE6.
Normally, when the client authenticates himself none of the above mentioned checks will be done, and for that matter none of the authenticated clients will be blocked.

But if you’re using OE, you will be. (Is that actually a bad thing? ;) )

So I hope the solution I’m going to test later on is going to work:

For the SSL thing you can add smtpd_tls_wrappermode to postfix’s main.cf and connect on port 465. That SHOULD be working.

The SASL Auth thing should be fixed by adding ‘broken_sasl_auth_clients = yes’ to main.cf.

I’ll post here whether it worked or not.


Copyright © 2006-2007 schlaflos-in-mainz.de - All rights reserved