Client IPs with no PTR record [message #110229] |
Wed, 29 January 2014 21:07  |
MacLab
Messages: 233 Registered: May 2012
Under SMTP security options "Block if Client IP has no reverse entry (PTR)":
This setting has been causing some problems as clients send from everywhere, including incorrectly configured network IP addresses without a PTR record. Then they complain they cannot connect. What are others' experiences?
Re: Client IPs with no PTR record [message #110276 is a reply to message #110229] |
Thu, 30 January 2014 19:04   |
Bud Durland
Messages: 586 Registered: December 2013 Location: Plattsburgh, NY
Hopefully, they are sending through their e-mail server, not directly from their machine to your mail server. They really should have their IT department set up a proper PTR record. There are many organizations that will block mail coming from a source without one.
Of course, you should make sure that the DNS server used by the KC server is working properly as well. There are many web sites that can be used as a reality check to see if the results from your DNS server are correct.
Re: Client IPs with no PTR record [message #110279 is a reply to message #110276] |
Thu, 30 January 2014 19:17   |
MacLab
Messages: 233 Registered: May 2012
Thanks. They are using our servers directly and authenticating so there is no additional mail server involved. The problem is it could be a mobile phone etc and the IP they have at the moment happens to have no PTR record. Not easy to talk to IT when it is T-Mobile or you are a guest on a campus. It is rare but it happens enough for customers to complain.
I would wish that Kerio would accept authentication but it seems to look first at the IP that has no PTR record and reject. As far as DNS lookups being wrong, I have verified the IPs as not having a PTR record and Kerio was correct.
Re: Client IPs with no PTR record [message #110280 is a reply to message #110279] |
Thu, 30 January 2014 19:23   |
j.a.duke
Messages: 239 Registered: October 2006
MacLab wrote on Thu, 30 January 2014 13:17
Thanks. They are using our servers directly and authenticating so there is no additional mail server involved. The problem is it could be a mobile phone etc and the IP they have at the moment happens to have no PTR record. Not easy to talk to IT when it is T-Mobile or you are a guest on a campus. It is rare but it happens enough for customers to complain.
I would wish that Kerio would accept authentication but it seems to look first at the IP that has no PTR record and reject. As far as DNS lookups being wrong, I have verified the IPs as not having a PTR record and Kerio was correct.

What options do you have checked on the Relay Control tab?
I've got numerous mobile users and have Block if no PTR enabled, yet I have yet to receive a single complaint over the last 6 years using Kerio.
Thanks.
Cheers,
Jon
Re: Client IPs with no PTR record [message #119140 is a reply to message #110281] |
Thu, 05 February 2015 21:37   |
Vet_80
Messages: 3 Registered: February 2015
Confirm. PTR check from Kerio is total shit:
1. Instead of checking for a proper PTR only for unauthenticated connections, it checks every incoming connection.
2. Even the checked PTR record is not compared with the host name announced by the external sending host during connection in the SMTP dialog.
Re: Client IPs with no PTR record [message #119147 is a reply to message #119143] |
Fri, 06 February 2015 05:37   |
Vet_80
Messages: 3 Registered: February 2015
Pavel Dobry (Kerio) wrote on Thu, 05 February 2015 22:27
2. Matching PTR record to announced hostname does not decrease spam probability.

2. Really? Have you carefully read about the topic starter's issue connected with no PTR record on some clients' IP addresses:

MacLab wrote on Thu, 30 January 2014 19:39
Most mobile users are fine and in fact probably 98% of users are fine...

I hope hint is obvious.. If not, don't try to think, simply follow the best practices.. (for example from gmail guys).

Pavel Dobry (Kerio) wrote on Thu, 05 February 2015 22:27
1. Of course it does. Clients should use port 587 for sending emails, not 25. SMTP Submission port requires authentication and is not subject to PTR DNS check..

1. Nice try. Then I assume you should tell it to all producers of email client programs. Then they will set 587 as the default connectivity port for SMTP instead of 25. Or you can open a separate hot line for end users, to explain to them why they can't send e-mails from their brand new gadgets. Be sure, they remember the server address and of course the properly typed login and password..
P.S. Nothing personal, but sometimes truth could be painful..
[Updated on: Fri, 06 February 2015 06:00]
Re: Client IPs with no PTR record [message #119162 is a reply to message #119147] |
Fri, 06 February 2015 10:37   |
Pavel Dobry (Kerio)
Messages: 2057 Registered: October 2003 Location: Czech Republic
Vet_80 wrote on Fri, 06 February 2015 05:37
I hope hint is obvious.. If not, don't try to think, simply follow the best practices.. (for example from gmail guys).

Yes, I have read it carefully. Please read my previous post carefully too. I was answering your objection about missing PTR record matching with hostname. Not about non-existing PTR.

Quote:
1. Nice try. Then I assume you should tell it to all producers of email client programs. Then they will set 587 as the default connectivity port for SMTP instead of 25. Or you can open a separate hot line for end users, to explain to them why they can't send e-mails from their brand new gadgets. Be sure, they remember the server address and of course the properly typed login and password..

Most of them do. Apple Mail, Thunderbird. You tell your users what username they need to use, what server hostname they need to use, what protocol (account) they need to set up in their email clients. So telling them to use port 587 for sending emails is a natural part of the initial configuration data you provide to them. Outgoing SMTP on port 25 is blocked in many hotels or wifi networks. So using 587 is necessary anyway (unless you have your own VPN).
Knowledge Base: http://manuals.gfi.com/en/kerio/home/Content/Home.htm.
Re: Client IPs with no PTR record [message #119167 is a reply to message #110229] |
Fri, 06 February 2015 14:16  |
Vet_80
Messages: 3 Registered: February 2015
So, probably you'll agree that, because almost everybody now gets a PTR record automatically from the ISP, the PTR spam protection you have provided in Kerio protects from nothing at all.
Then another hint: automatically assigned PTR records look like "x.x.x.x.domainname.com" or "x-x-x-x.domainname.com". Connect it with a couple of custom rules in spam filters, using ".??.??.", "-???-???-" etc. as a condition in the field "Received" to decline incoming messages and finally you will get a profit from PTR checking..
Concerning port range: actually it's more about port 465, which is used for secure client connection by e-mail client software and it is never blocked by anybody.. anybody except Kerio PTR record check system.. which, as we found out earlier, in addition protects from nothing.
Now you see, I was not impolite, simply named things as they are...
P.S. His own e-mail address and a password chosen by himself are the user's headache. The company's mail host is also not a mystery. IMAP or POP doesn't matter to the administrator at all. But input of a special port becomes a problem, which I can describe by the next sentences: "I have successfully adjusted by a couple of steps my Yahoo or Gmail mailbox, what's wrong with our corporate one. Why is it so complicated?"
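
The policy argued over in this thread, as an added sketch that is not part of any post and is not Kerio Connect's code: the PTR check applies only to unauthenticated connections on port 25, submission ports require a login instead, and ISP auto-assigned PTR names are flagged for spam scoring. The function names, verdict strings, the treatment of port 465 as a submission port and the sample PTR table are assumptions of the example.

```python
import re

# Assumption of this sketch: 587 and 465 are client submission ports that
# require authentication and are never subject to the PTR check.
SUBMISSION_PORTS = {587, 465}

# Constructed reverse-DNS data (documentation address ranges); None = no PTR.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.23": "198-51-100-23.dyn.example.net",
    "203.0.113.7": None,
}


def looks_generic(ptr_name, client_ip):
    """True when the PTR name embeds the client's IPv4 octets, forward or
    reversed, separated by dots or dashes (the auto-assigned ISP style)."""
    octets = client_ip.split(".")
    labels = re.split(r"[.\-]", ptr_name.lower())
    for i in range(len(labels) - 3):
        # Strip zero padding so "007" compares equal to "7".
        window = [label.lstrip("0") or "0" for label in labels[i:i + 4]]
        if window == octets or window == octets[::-1]:
            return True
    return False


def decide(port, authenticated, client_ip, ptr_lookup=SAMPLE_PTR.get):
    """Return a verdict for one SMTP connection under the sketched policy."""
    if port in SUBMISSION_PORTS:
        # Submission: the login is the gate, the client's PTR is irrelevant.
        return "accept" if authenticated else "reject: authentication required"
    if authenticated:
        # Authenticated session on port 25: skip the PTR check as well.
        return "accept"
    ptr = ptr_lookup(client_ip)
    if ptr is None:
        return "reject: no PTR"
    if looks_generic(ptr, client_ip):
        return "flag: generic PTR"  # hand to the spam filter for scoring
    return "accept"


if __name__ == "__main__":
    for case in [(587, True, "203.0.113.7"), (25, False, "203.0.113.7"),
                 (25, False, "198.51.100.23"), (25, False, "192.0.2.10")]:
        print(case, "->", decide(*case))
```
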