How do I validate connecting hosts in the DNS?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I validate connecting hosts in the DNS?

Procedure:

Enabling the check box, 'Validate Connecting Hosts in the DNS' (in the Receiver | Host Validation tab of Array Properties) will set the MailMarshal Receiver service to do a reverse DNS lookup, or Pointer (PTR) record lookup, for all incoming messages.

A PTR record shows the domain names associated with an IP address. So, when the Receiver gets an IP address, it will do a PTR record lookup to see what information is returned. The intention is to check for potential spam messages.

The options in MailMarshal are:

  • Accept unknown hosts (used for logging purposes only)
    The MailMarshal Receiver will do a PTR record lookup and if there is no PTR record, or if the domain name supplied in the message does not match the domain name indicated by the PTR record, then the event will be logged in the MailMarshal Receiver text log.

    Note: The message will still be accepted. This option is useful to diagnose a potential spam problem.

  • Host must have PTR record
    The MailMarshal Receiver will block any message where the IP address does not have a valid PTR record. If there is no record, MailMarshal logs this event in the Windows Application Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: The domains do not have to match; the only requirement is that there is a PTR record.

  • PTR record must match the HELO connection string
    The MailMarshal Receiver will block a message where any domains listed in the PTR record do not match that supplied in the HELO string provided by the sending server. If the record does not match, MailMarshal logs this event in the NT Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: This option should be used with caution - it is very likely that you will block valid e-mail from domains that do not have their PTR records set up correctly.
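Added example (not MailMarshal's own code): the decision each of the three modes above makes for a connecting IP address and its HELO string, run against a constructed PTR table that stands in for the real reverse lookup. The mode names, the `lookup_ptr` stub and the sample addresses are assumptions made for the example.

```python
# Decision logic of the three 'Validate Connecting Hosts in the DNS' modes,
# modelled against a constructed PTR table. Illustrative only, not MailMarshal code.
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample reverse-DNS data (stand-in for a real PTR lookup).
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.com"],
    "203.0.113.11": ["smtp1.example.net", "mx.example.net"],
    "203.0.113.12": [],                      # host with no PTR record at all
}

def lookup_ptr(ip: str) -> List[str]:
    """Return the PTR names for ip from the constructed table ([] = no record)."""
    return FAKE_PTR.get(ip, [])

ACCEPT_UNKNOWN = "accept_unknown"   # option 1: log only, always accept
REQUIRE_PTR = "require_ptr"         # option 2: 554 if no PTR record exists
PTR_MATCH_HELO = "ptr_match_helo"   # option 3: 554 unless a PTR name equals HELO

REJECT = "554 No SMTP service here"

@dataclass
class Verdict:
    accept: bool
    log: str = ""            # text that would go to the Receiver log / event log
    smtp_response: str = ""  # response sent before the connection is terminated

def validate_host(ip: str, helo: str, mode: str, resolve=lookup_ptr) -> Verdict:
    # Normalise names so a trailing dot or different case does not cause a false mismatch.
    names = [n.lower().rstrip(".") for n in resolve(ip)]
    helo_l = helo.lower().rstrip(".")
    has_ptr = bool(names)
    matches = helo_l in names
    if mode == ACCEPT_UNKNOWN:
        if not has_ptr:
            return Verdict(True, f"{ip}: no PTR record (HELO {helo})")
        if not matches:
            return Verdict(True, f"{ip}: PTR {names} does not match HELO {helo}")
        return Verdict(True)
    if mode == REQUIRE_PTR:
        if not has_ptr:
            return Verdict(False, f"{ip}: no PTR record; connection terminated", REJECT)
        return Verdict(True)  # names need not match HELO in this mode
    if mode == PTR_MATCH_HELO:
        if not matches:
            return Verdict(False, f"{ip}: PTR {names} != HELO {helo}; terminated", REJECT)
        return Verdict(True)
    raise ValueError(f"unknown mode {mode}")
```

Running the same connection through all three modes shows why the article recommends starting with 'Accept unknown hosts': a host with no PTR record is logged but accepted in mode 1, rejected in modes 2 and 3, and a host whose PTR exists but differs from its HELO is rejected only in mode 3.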

Notes:

These features, which provide varying degrees of checking, can only be used where MailMarshal can 'see' the actual IP address of the sending e-mail server. They are of no use, for example, where MailMarshal sits behind a firewall and only sees the IP address of that firewall.

By using these features it is possible for valid e-mail to be blocked. For example, some sites do not have their PTR records set up correctly. Therefore, when turning on 'Validate Connecting Hosts', it is recommended to select the first option, 'Accept unknown hosts', and monitor results in the Windows Application Event Log. When you are satisfied that valid e-mail is not being blocked, then select one of the other two options.

This article was previously published as:
NETIQKB29369
Marshal KB254


Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10532.aspx