[OPLINTECH] Something to keep in mind about various email providers

Karl Jendretzky karl at oplin.ohio.gov
Fri May 29 08:12:23 EDT 2015


Bob,

To keep information flowing I always whitelisted the entire OPLIN IP 
range on the OPLIN mail servers, so even if you were the most prolific 
spammer in history it would have made it through to OPLIN accounts.

Slight correction: PTR records are checked against the HELO greeting 
from the connecting server. PTR tests really just show that you have a 
static IP, and control over the DNS for that IP, so it cuts out things 
like infected desktops. An example email from my gmail account to 
jendreka at oplin.org looks like this...

Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com 
[209.85.212.173]) by barracuda.oplin.org with ESMTP id LKn2Dz52N1n2Bhpk 
for <jendreka at oplin.org>; Fri, 29 May 2015 07:55:29 -0400 (EDT)

mail-wi0-f173.google.com is how Google identified itself to my 
Barracuda, and mail-wi0-f173.google.com is listed as the PTR for 
209.85.212.173, so they're set. The record looks like this...

173.212.85.209.in-addr.arpa. 21599 IN    PTR mail-wi0-f173.google.com.

If you'd like, you can have your server send me a test message at 
jendreka at oplin.org. I'll look through the headers and we'll get a PTR 
configured for it. By your logs the HELO is going to start with 
"staffweb", but the full HELO needed isn't usually written into the 
transaction logs. The IP seems to be 66.213.124.227.

The anti-spoofing record you were probably thinking of is an SPF record. 
SPF records are created as TXT records in DNS and list out the various 
IPs that are allowed to send with a given domain in the "From" field. An 
SPF record that states only OPLIN IPs are allowed to send mail with 
oplin.org in the From field would look like this...

oplin.org.  IN TXT "v=spf1 ip4:66.213.0.0/17 -all"

Let me know if anyone needs clarification.

Karl Jendretzky
IT Manager - Ohio Public Library Information Network
(614) 728-1515
karl at oplin.ohio.gov

On 05/28/2015 01:12 PM, Bob Neeper wrote:
> FWIW
>
> We have been running eTicket on an internal server for quite a while.
> Even though a 10.x.x.x it was able to send emails to our OPLIN accounts.
>
> Now we have 1and1 service, which ignores the emails. gmail accepts them.
>
> A log (for eTicket messages) on the server shows:
>
> 2015-05-27T14:06:54.092279-04:00 StaffWeb postfix/smtp[23851]: 
> C40684393F: to=<bob at yourcl.org>, relay=mx01.1and1.com
> [74.208.5.21]:25, delay=0.29, delays=0/0/0.28/0, dsn=4.0.0, 
> status=deferred (host mx01.1and1.com[74.208.5.21] refused to talk to
> me: 554-perfora.net (mxeueus004) Nemesis ESMTP Service not available 
> 554-No SMTP service 554 invalid DNS PTR resource record,
> IP=66.213.124.227)
>
> 2015-05-27T14:06:55.242391-04:00 StaffWeb postfix/smtp[23850]: 
> C27AE43942: to=<neeperro at gmail.com>, relay=gmail-smtp-
> in.l.google.com[74.125.201.27]:25, delay=1.4, delays=0.01/0/0.48/0.95, 
> dsn=2.0.0, status=sent (250 2.0.0 OK 1432750004
> th17si142130icb.46 - gsmtp)
>
> 1and1 error message information shows:
>
> 550 No SMTP Service
> The IP Address of the email Server you use is not allocated a domain 
> name in the domain name service (DNS).
> Please contact your Administrator to add the domain name to the domain 
> name service.
>
> 550 Bad DNS PTR resource record
> The e-mail server you are using employs is using a dynamic IP address.
> To deliver your e-mail please use the Smarthost of your provider to 
> deliver e-mails.
>
>
> So it seems (I think)
> Many email servers will check for PTR records to ensure mail is not 
> spoofed. PTRs are basically reverse DNS.
> If they receive an email from w.x.y.z from somebody at foo.com, they do a 
> look up on w.x.y.z to ensure it is really foo.com.
> If not, they ignore the email.
>
> And our internal-only server doesn't meet the requirement for 1and1, while 
> google doesn't care.
>
> Bob
>
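
Added example, not part of the original message: a Python sketch of the two receiver-side checks described above, the PTR-versus-HELO comparison and the SPF `ip4` evaluation, run against the records quoted in the thread. The `PTR_ZONE` and `TXT_ZONE` dictionaries are a constructed stand-in for DNS so the code runs offline, the function names are hypothetical, and only the `ip4`/`ip6` and `all` SPF mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS, holding only the two records quoted in the message.
PTR_ZONE = {"173.212.85.209.in-addr.arpa.": "mail-wi0-f173.google.com."}
TXT_ZONE = {"oplin.org.": "v=spf1 ip4:66.213.0.0/17 -all"}

def reverse_name(ip):
    """Owner name under which the PTR record for an address is published."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def ptr_matches_helo(ip, helo):
    """True when the PTR for the connecting IP equals the HELO name."""
    ptr = PTR_ZONE.get(reverse_name(ip))
    if ptr is None:
        return False  # no PTR record in the constructed zone: the test fails
    return ptr.rstrip(".").lower() == helo.rstrip(".").lower()

def spf_check(ip, from_domain):
    """Evaluate the ip4/ip6 and 'all' mechanisms of the domain's SPF record."""
    record = TXT_ZONE.get(from_domain.rstrip(".").lower() + ".")
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if addr.version == net.version and addr in net:
                return results[qualifier]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    print(reverse_name("209.85.212.173"))
    print(ptr_matches_helo("209.85.212.173", "mail-wi0-f173.google.com"))
    print(spf_check("66.213.124.227", "oplin.org"))
    print(spf_check("209.85.212.173", "oplin.org"))
```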
