Education DNS/MX Records - need some help...

Discussion in 'General' started by julianmartin, 28 Sep 2011.

  1. julianmartin

    Okay so I am running postfix with fail2ban on my VPS which a client of mine uses as a relay for their email.

    A client of theirs is getting banned by my fail2ban install, because of the following setup:

    host40.domain.com is arriving from ip.40

    host40.domain.com has a CNAME pointing to smtp.domain.com which resides on ip.255

    rDNS lookup of host40.domain.com points to ip.255

    There is an SPF record for domain.com which indicates a range of IPs that mail can come from with domain.com, and the two IPs above are encompassed in that domain. No SPF records on the subdomains though.

    fail2ban doesn't actually look at SPF records, it is banning on a warning from postfix that is effectively saying host40.domain.com can't be verified as an rDNS provides alternate results to those that are showing when mail arrives, so we cannot verify that the host40.domain.com is who it initially says it is....

    I am basically trying to tactfully explain this to my client's client's network admin that they are using a CNAME incorrectly...

    I just want to confirm that someone else agrees with me that this is a bit of a weird setup and doesn't conform to RFCs as I think it doesn't? Or am I going nuts...
     
  2. saspro

    Mailservers should have an MX record which points to an A record. The external IP of that mailserver should also have a valid rDNS record which matches the A record.

    You can get away with CNAME records for mailservers which reside on webservers (such as for shared hosting scenarios) but this gets more tricky.

    You could either set a whitelist on that IP if it's a static to allow relaying or get them to configure stuff correctly.

    I'd need more information though to ascertain exactly what's happening.
     
  3. julianmartin

    Okay - this more or less confirms what I was thinking, thanks saspro.

    Basically, mail is arriving from domain1 IP address1, however that domain1 has a CNAME to another domain2 which is on a different IP address2. The latter IP address2 has an rDNS to the CNAME, and if I ping domain1 it returns the IP address2 given under the CNAME domain2.

    So it is indeed screwed. Now to tactfully explain to get their **** together as I'm not white listing for their incompetence.
     
  4. Zoon

    You've already got the technical why here in the thread; the reverse 'A' record needs to match the forward 'A' record or the mail will be rejected.

    It doesn't really matter what the A record is, as long as it matches how the email server is identifying itself when it sends the email onwards, and it's not, hence the problems.

    I would point out the problem and state strongly that you're not the only person in the world to have this option set in Postfix, so it will be causing them problems if they don't fix it. I have the option set too, as it's a great way of blocking any spam coming from dialup users/viruses/spoofed addresses.

    Granted it also stops email from some lazy sysadmins who don't set up their systems correctly, but then I don't cry too much about it as they can't email me to complain... :D
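
The check the thread keeps returning to is forward-confirmed reverse DNS: the PTR name of the connecting IP must resolve back to that same IP. The following is an added example, not code from any poster or from Postfix; `fcrdns`, `zone_lookups`, `system_lookups` and the `example.com` records are hypothetical names and constructed data, with 192.0.2.40 and 192.0.2.255 standing in for ip.40 and ip.255 under the assumption that the PTR for ip.40 names host40.

```python
import ipaddress
import socket

def system_lookups():
    """Live (ptr, forward) lookups via the OS resolver."""
    def ptr(ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
            return [name, *aliases]
        except OSError:
            return []
    def forward(name):
        try:
            return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
        except OSError:
            return set()
    return ptr, forward

def zone_lookups(zone):
    """Offline (ptr, forward) lookups over constructed records."""
    def ptr(ip):
        return zone.get("PTR", {}).get(ip, [])
    def forward(name, depth=0):
        if depth > 8:  # guard against CNAME loops
            return set()
        if name in zone.get("CNAME", {}):
            return forward(zone["CNAME"][name], depth + 1)
        return set(zone.get("A", {}).get(name, []))
    return ptr, forward

def fcrdns(client_ip, ptr, forward):
    """Forward-confirmed reverse DNS: PTR name must resolve back to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    names = ptr(client_ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in {ipaddress.ip_address(a) for a in forward(name.rstrip("."))}:
            return True, f"{name} resolves back to {client_ip}"
    return False, f"{names[0]} does not resolve to {client_ip}"

# Constructed records (documentation range 192.0.2.0/24), modelled on the thread.
BROKEN = {"PTR": {"192.0.2.40": ["host40.example.com"]},
          "CNAME": {"host40.example.com": "smtp.example.com"},
          "A": {"smtp.example.com": ["192.0.2.255"]}}
FIXED = {"PTR": {"192.0.2.40": ["host40.example.com"]},
         "A": {"host40.example.com": ["192.0.2.40"],
               "smtp.example.com": ["192.0.2.255"]}}
```

Calling `fcrdns(ip, *system_lookups())` runs the same check against live DNS for a sending IP you want to diagnose before deciding whether a ban was justified.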
     