plorence_ironport Tue, 03/17/2009 - 17:20

See the user guide under "Sender Verification." Trace is telling you that the sender is matching a sender group whose "Connection host DNS verification" settings have the checkbox for "Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A)" checked.

From the user guide:

"The IronPort appliance attempts to verify the sending domain of the connecting host via DNS for incoming mail. This verification is performed prior to the SMTP conversation. The system acquires and verifies the validity of the remote host’s IP address (that is, the domain) by performing a double DNS lookup. A double DNS lookup is defined as a reverse DNS (PTR) lookup on the IP address of the connecting host, followed by a forward DNS (A) lookup on the results of the PTR lookup. The appliance then checks that the results of the A lookup match the results of the PTR lookup. If the PTR or A lookups fail, or the results do not match, the system uses only the IP address to match entries in the HAT and the sender is considered as not verified.

Unverified senders are classified into three categories:

• Connecting host PTR record does not exist in the DNS.
• Connecting host PTR record lookup fails due to temporary DNS failure.
• Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).

Using the sender group “Connecting Host DNS Verification” settings, you can specify a behavior for unverified senders (see Implementing Host Sender Verification for the SUSPECTLIST Sender Group)."
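The double DNS lookup described in the quoted guide text (PTR on the connecting IP, then A on the PTR result, then a match check) is easy to implement and is a useful thing to have on hand when you want to reproduce what Trace is reporting for a given connecting host. The example below is an added illustration written for this thread, not code from Cisco or from the IronPort appliance. It takes the two lookups as injectable functions so it can run offline against a constructed DNS table (the `192.0.2.x` / `198.51.100.x` addresses and hostnames are made up), and it also includes a pair of resolver functions built on the Python standard library's `socket` module for live use. The outcome names (`verified`, `ptr_record_missing`, `ptr_lookup_tempfail`, `ptr_a_mismatch`) and the `TempDnsFailure` exception are my own naming, chosen to mirror the three unverified-sender categories in the guide.

```python
import socket

# Outcomes mirroring the guide's three unverified-sender categories, plus "verified".
# These names are the example's own, not appliance identifiers.
VERIFIED = "verified"
NO_PTR = "ptr_record_missing"         # connecting host PTR record does not exist
TEMP_FAILURE = "ptr_lookup_tempfail"  # lookup fails due to temporary DNS failure
MISMATCH = "ptr_a_mismatch"           # reverse (PTR) result does not match forward (A) result


class TempDnsFailure(Exception):
    """Hypothetical exception a resolver raises for SERVFAIL/timeout-style errors."""


def verify_connecting_host(ip, ptr_lookup, a_lookup):
    """Double DNS lookup: PTR on the IP, then A on each PTR name, then compare.

    ptr_lookup(ip)   -> list of hostnames (empty list when no PTR exists)
    a_lookup(name)   -> list of IPv4 address strings (empty list when no A record)
    Either may raise TempDnsFailure.  Returns (outcome, hostname_or_None).
    """
    try:
        names = ptr_lookup(ip)
    except TempDnsFailure:
        return TEMP_FAILURE, None
    if not names:
        return NO_PTR, None
    for name in names:
        try:
            addrs = a_lookup(name)
        except TempDnsFailure:
            # The guide's categories name only the PTR step; treating a transient
            # failure of the forward lookup the same way is this example's choice.
            return TEMP_FAILURE, name
        if ip in addrs:
            # Forward-confirmed: the A record for the PTR name points back at the IP.
            return VERIFIED, name
    # A PTR existed but none of its names resolve back to the connecting IP.
    return MISMATCH, names[0]


# --- Constructed, offline DNS data used to exercise each outcome ---------------
CONSTRUCTED_PTR = {
    "192.0.2.10": ["mail.example.net"],   # good: A record points back
    "192.0.2.20": ["spoof.example.org"],  # PTR exists, but A points elsewhere
    "192.0.2.30": [],                     # no PTR record at all
    "192.0.2.40": TempDnsFailure,         # resolver times out / SERVFAIL
}
CONSTRUCTED_A = {
    "mail.example.net": ["192.0.2.10"],
    "spoof.example.org": ["198.51.100.7"],
}


def table_ptr_lookup(ip):
    entry = CONSTRUCTED_PTR.get(ip, [])
    if entry is TempDnsFailure:
        raise TempDnsFailure(ip)
    return list(entry)


def table_a_lookup(name):
    return list(CONSTRUCTED_A.get(name, []))


# --- Live resolvers built on the standard library (for real use) ---------------
def socket_ptr_lookup(ip):
    # socket.gethostbyaddr raises socket.herror for both NXDOMAIN and SERVFAIL,
    # so the stdlib cannot reliably separate "missing" from "temporary failure";
    # a dedicated DNS library is needed to report rcodes precisely.
    try:
        hostname, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [hostname] + list(aliases)


def socket_a_lookup(name):
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:  # temporary failure in name resolution
            raise TempDnsFailure(name)
        return []
    return list(addrs)


def verify_all_constructed():
    """Run the check over every constructed connecting host; returns {ip: outcome}."""
    return {ip: verify_connecting_host(ip, table_ptr_lookup, table_a_lookup)[0]
            for ip in CONSTRUCTED_PTR}


if __name__ == "__main__":
    for ip, outcome in verify_all_constructed().items():
        print(f"{ip:<12} -> {outcome}")
```

Running the script prints one line per constructed host, showing which of the guide's categories each falls into. To check a real connecting host, call `verify_connecting_host(ip, socket_ptr_lookup, socket_a_lookup)`; keep in mind the caveat in the comments that the standard library collapses "no PTR" and "temporary failure" into the same error, so a host the appliance reports as a temporary failure may show up here as a missing PTR.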
