Whitelist poll
RSS readers please visit my site to vote in the current poll. Here's what it's all about.

A while ago I wrote that "Verify Connecting Host Name in DNS" pre-empts both local and DNS whitelists.

The usefulness of "Verify Connecting Host Name in DNS" would be greatly enhanced if it were possible to use the whitelist to override rejection of mail from hosts with bad or missing DNS.


And here are some further thoughts of mine on why the answer to the poll is "yes!"

1. DNS is fragile. It can break transiently. Perhaps a name server is unreachable, or recursive look-ups are failing for some reason beyond the control of the Domino site's administrator. This is unusual, but if it happens on a Domino server that verifies connecting host names, the result will be that the server rejects all mail until the DNS issue is resolved.

2. A number of people have observed that many US ISPs insist on proper PTR records for all servers sending them SMTP mail. The argument is that because this is so, every mail administrator will ensure that s/he does have correct PTR records for their mail server, so mail servers lacking PTR records should be very rare.

For me, this latter point is the problematic one. While it may be true that mail server PTR records are ubiquitous in the USA, in parts of Europe and the Far East they remain quite unusual.

In fact it is very common for business mail servers operated by companies outside the US to have no reverse DNS at all, i.e. no PTR record for the sending address.

We whitelist where necessary of course - many business partners of ours are in heavily blacklisted networks. But we can't enable verification of connecting host name in DNS, because we'd start to reject all their mail anyway.

Verify connecting host in DNS will remain turned off here until the local whitelist overrides it in some future release of Domino. Or until every mail admin in the world gets a clue, which will be some time after hell freezes over.



Category: Domino 7

Comments:

1. Mark Gottschalk, 21/12/2006 18:20:12
Homepage: http://www.2roads.com


Hi Chris,

See my post in your other thread about this topic:
http://chris-linfoot.net/d6plinks/CWLT-6URFGE

It is possible to whitelist the "Verify connecting host in DNS" setting outside of Domino by using your own DNS server. Create a bogus PTR record for the organization you need to whitelist and your mailserver will find it and allow the connection.




2. Chris Linfoot, 21/12/2006 19:10:36


Thanks. We are aware of this workaround, but it doesn't scale.




3. Matthias Leisi, 22/12/2006 07:50:11
Homepage: http://www.dnswl.org/


On a slightly related note: since the unreliability of DNS may be an issue for whitelisting purposes, dnswl.org offers its data in a variety of formats for local mirroring/copying and use.

Is it possible to feed such a list to Notes/Domino? If yes, what format would be required?

I'm far from a Notes/Domino expert myself, but if someone can show me the "What", I'll be glad to add an additional format for download and add the description to our "How to use" page at http://www.dnswl.org/tech




4. Chris Linfoot, 22/12/2006 08:33:35


The "what" is pretty straightforward.

We just need a <CR><LF> separated list of IPs/networks formatted as literals, but including wildcards (*) and ranges of numbers (0-31).

Example 1: the network 192.168.0.0/22 would be represented as [192.168.0-3.*]

Example 2: the network 172.16.10.0/27 would be represented as [172.16.10.0-31]

Example 3: the single address 10.10.0.1/32 would be represented as [10.10.0.1]
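The three examples above are all instances of one rule: the octets fully covered by the prefix are written literally, the one octet the prefix splits becomes a `low-high` range, and every octet after it becomes `*`. The converter below is an added example, not code from this site or from dnswl.org; it implements that general rule for any IPv4 prefix length (so `/24` gives `[a.b.c.*]` and `/16` gives `[a.b.*.*]`, which the comment does not show) and joins the results with the CR LF separator the comment asks for. Function and constant names are my own.

```python
import ipaddress

# Constructed sample input: CIDR networks a site might want to whitelist.
SAMPLE_NETWORKS = [
    "192.168.0.0/22",   # -> [192.168.0-3.*]
    "172.16.10.0/27",   # -> [172.16.10.0-31]
    "10.10.0.1/32",     # -> [10.10.0.1]
    "192.168.1.77/22",  # host bits set; normalised to 192.168.0.0/22 first
]


def cidr_to_domino(cidr: str) -> str:
    """Render one IPv4 CIDR network as a bracketed Domino whitelist literal.

    Per octet: fully inside the prefix -> literal number; split by the
    prefix -> "low-high" range; entirely host bits -> "*" wildcard.
    """
    # strict=False clears host bits so "192.168.1.77/22" becomes 192.168.0.0/22.
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 networks are supported: {cidr}")

    prefix = net.prefixlen
    parts = []
    for k, octet in enumerate(net.network_address.packed):
        first_bit, last_bit = 8 * k, 8 * (k + 1)
        if prefix >= last_bit:
            # All eight bits are network bits: write the octet as-is.
            parts.append(str(octet))
        elif prefix <= first_bit:
            # All eight bits are host bits: anything matches.
            parts.append("*")
        else:
            # The prefix ends inside this octet: emit the covered range.
            host_bits = last_bit - prefix
            low = octet & ~((1 << host_bits) - 1)
            high = low + (1 << host_bits) - 1
            parts.append(f"{low}-{high}")
    return "[" + ".".join(parts) + "]"


def build_whitelist(cidrs) -> str:
    """Join converted entries with CR LF, as the Domino import expects."""
    return "\r\n".join(cidr_to_domino(c) for c in cidrs)


if __name__ == "__main__":
    # Prints the constructed sample networks in Domino literal form.
    for line in build_whitelist(SAMPLE_NETWORKS).split("\r\n"):
        print(line)
```

Because every CIDR block is aligned to a power of two, the split octet always yields a single contiguous range, so no prefix length needs more than one bracketed literal; the only error case the converter refuses is IPv6, which this format has no syntax for.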




5. Matthias Leisi, 22/12/2006 19:45:39
Homepage: http://www.dnswl.org/


Thanks to Chris for working on getting this out of the door.

Data suitable for Notes' whitelisting feature is now available at http://www.dnswl.org/data/ (the notes-dnswl.tar.gz file); the explanation at http://www.dnswl.org/tech points back here, namely to http://chris-linfoot.net/d6plinks/CWLT-6P9CX5

If you plan to regularly download this data, we would be glad if you use rsync for data transfer: "rsync --times rsync1.dnswl.org::dnswl/notes-* /some/path/"




6. Eric Parsons, 24/12/2006 03:34:53
Homepage: http://startingblockcomputing.com


In my previous organization, we experimented with the Verify. You'd probably be amazed at the number of badly setup smtp servers in the states, particularly in the government sector.

I also have to disagree with the "since no one is set up correctly, we shouldn't do it" attitude. I agree that business has to go on, but one of my biggest complaints is that without the threat of pain, no one (present company included) will change their manner of work. If it weren't for fines, I would probably drive in the 80-90 mph range.

Find an old 386, run sendmail, make sure it's mostly slow and unavailable, then leave the verification off. Make the high speed systems available for those who are correctly set up, those who "pay the price."




7. Chris Linfoot, 24/12/2006 09:26:45


1. Your solution only works if the old 386 is a high preference MX for the domain and the lower preference MXes all send a transient failure (4xx) when connecting hosts have no PTR. Domino sends a 5xx permanent failure when PTR verification fails, so this will not work.

2. You ignore the fact that many mail servers lacking PTR do so not because their owners don't want to do it but because their ISPs (typically in the Far East) cannot provide it. This may be due to incompetence, laziness or some misguided sense of security through obscurity, but it will always be so.

3. Now go into the President or CEO's office and explain to him that the reason we are bouncing all email from that hot new far eastern business partner is that their geek doesn't know his RFC from his elbow and that we are punishing him. Call me to let me know if you still have a job.



