This document was written in 2002, and I don't intend to update it. It's here for hysterical raisins. The content is valid, but who cares about doing the right thing any more?
If you have arrived here, you have probably received an automatically generated message which looks something like this:
This refers to a problem at your site, not at ours. It does mean that your mail will not get through until you correct the problem. The message may differ slightly, depending on what exactly is wrong at your site. There are a number of possibilities. It's possible that after fixing the problem you currently have, your mail will still be rejected because of other problems, so it's worth reading the following list:
Your mail server may have an invalid name. When setting up the mail server, you should get it to identify itself by its fully qualified domain name. In our case, for example, our main mail server is called wantadilla.lemis.com, and that's the name with which it identifies itself. Supplying this name indicates that you are really who you say you are. In order for this to work, you must have a valid DNS A record for the server. For our main mail server, www.lemis.com, it looks like this:
wantadilla IN A 192.109.197.80
You can then look up this address on the Internet with the nslookup program:
    $ nslookup wantadilla.lemis.com
    Server: klapaucius.zer0.org
    Address: 204.152.186.45
    Name: wantadilla.lemis.com
    Address: 192.109.197.80
The name server is the name server which performs the lookup, and can vary. If we look at the name of the server in the sample message above, we see:
    $ nslookup hbmed02.herndon.aws.psiweb.com
    Server: klapaucius.zer0.org
    Address: 204.152.186.45
    Name: hbmed02.herndon.aws.psiweb.com
    Address: 10.100.4.15
In other words, the address is wrong. This could be a forgery.
In order to check the validity of the server address, the mail transport agent software uses a DNS technique called reverse lookup: it supplies an IP address and expects a list of names back. If you don't have reverse DNS, or if the address doesn't match, we will not accept your mail. You set up reverse DNS with PTR records; in our case the record looks like this:
80 IN PTR wantadilla.lemis.com.
With this, we can perform a reverse lookup:
    $ nslookup 192.109.197.80
    Server: hub.FreeBSD.org
    Address: 216.136.204.18
    Name: wantadilla.lemis.com
    Address: 192.109.197.80
Again, looking at the sample above, we get:
    $ nslookup 38.200.192.174
    Server: hub.FreeBSD.org
    Address: 216.136.204.18
    *** hub.FreeBSD.org can't find 38.200.192.174: Non-existent host/domain
In other words, the DNS system was not able to get a name corresponding to the address.
Your mail server may have the name of another mail server. For example, a spammer might choose to use the name wantadilla.lemis.com for his server (in fact, this has happened). In order to check that it's really valid, the mail server needs to check that the IP address of the server is correct. If not, it rejects it.
This also means that when you change the IP address, you must also update your DNS records or your mail configuration so that they match. For example, if we were to change the IP address of our main mail server wantadilla.lemis.com, which is currently 192.109.197.80, to, say, 192.109.197.1, we could do one of two things:
wantadilla IN A 192.109.197.1
1 IN PTR wantadilla.lemis.com.
Alternatively, if the IP address already has A and PTR records, we could change the name of the system to match that name. This is generally the better approach.
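The checks described above (fully qualified name, A record matching the connecting address, PTR record matching the name), as an added Python example that is not the author's mail server configuration. The function names, the lookup tables and the host `mail.example.net` / `192.0.2.25` are constructed for illustration; the other names and addresses come from the nslookup output on this page, assuming 38.200.192.174 is the connecting address of the rejected sender.

```python
import socket

def forward_lookup(name):
    """A-record lookup: set of IPv4 addresses for name, empty if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def reverse_lookup(ip):
    """PTR lookup: set of names for ip, empty if there is no reverse DNS."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return set()
    return {n.rstrip(".").lower() for n in [host, *aliases]}

def check_helo(helo_name, peer_ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return (accepted, reason) for a server announcing helo_name from peer_ip."""
    name = helo_name.rstrip(".").lower()
    if "." not in name:
        return False, "name is not fully qualified"
    if peer_ip not in forward(name):
        return False, "name does not resolve to the connecting address"
    ptr_names = reverse(peer_ip)
    if not ptr_names:
        return False, "no PTR record for the connecting address"
    if name not in ptr_names:
        return False, "PTR record does not match the name"
    return True, "ok"

# Constructed lookup tables so the example runs offline (hypothetical helpers).
A = {"wantadilla.lemis.com": {"192.109.197.80"},
     "hbmed02.herndon.aws.psiweb.com": {"10.100.4.15"},
     "mail.example.net": {"192.0.2.25"}}          # constructed host, no PTR
PTR = {"192.109.197.80": {"wantadilla.lemis.com"}}

def offline_check(name, ip):
    return check_helo(name, ip, lambda n: A.get(n, set()), lambda i: PTR.get(i, set()))

if __name__ == "__main__":
    for name, ip in [("wantadilla.lemis.com", "192.109.197.80"),
                     ("hbmed02.herndon.aws.psiweb.com", "38.200.192.174"),
                     ("wantadilla.lemis.com", "38.200.192.174"),
                     ("mail.example.net", "192.0.2.25")]:
        print(name, ip, offline_check(name, ip))
```

Calling `check_helo(name, ip)` without the last two arguments uses the system resolver instead of the constructed tables.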
It's possible that you will now say “But this isn't our fault. Our mail goes everywhere with no problems, only you reject it. You must be doing something wrong”.
We contend that we're doing something right. Currently, the Internet is overrun by criminals, and national and international laws have not been able to come to terms with the problem. The message above, for example, was generated in response to an attempted spam delivery, and the lack of correct DNS is almost certainly an attempt to hide the identity of the sender. A lot could be done simply by adhering to the standards, which is what we're doing.
The problem is, there are a lot of legal sites out there which are set up incorrectly. If you got one of these messages from us, it means we believe you are a legitimate user; we don't send them to spammers, for obvious reasons.
One of the issues is that system administrators are often overworked and undertrained, and either don't understand the concepts or don't believe they're worth the trouble. If you're a system administrator and there was anything new in the description above, then you are undertrained. If there was nothing new in the description above, but you still don't agree, we'd like to hear why.