On 7/18/11, Always Learning <centos at u6.u22.net> wrote:
> Sorry if I seem thick but I am having problems understanding why, with
> the use of NAT, the HELO/EHLO and their external IP address can not
> match. Also what influences does scaling have on the ability of sending
> mail servers (MTAs) to operate with host names that match their IP
> addresses?

I'm trying to make sense of your suggestion and the objections raised,
since I do want to cut down on spam coming into my own server but at the
same time I don't want to cut off legit senders.

So far it seems to me that for larger corps, this is what the problem
might be.

Say they have 3 different connections for redundancy: one serves
aaa.bbb.ccc.1x, another serves aaa.bbb.ccc.2x and the last .3x.

And they have a bunch of services running on various servers, say 10 of
them, each with their own hostname, e.g. mail1.xyzcorp.com,
mail2.xyzcorp.com. For troubleshooting/tracing purposes, they use
different HELO/EHLO names for the servers and each mail server has its
own IP range in the aaa.bbb.ccc.xx net.

Since they have fewer outgoing connections than SMTP servers, their
router load balances the outgoing amongst the 3 connections.

So in this case, mail2.xyzcorp.com, which HELOs with aaa.bbb.ccc.11, may
get sent out via the aaa.bbb.ccc.20 or aaa.bbb.ccc.30 connection and by
your rules get blocked despite being legit.

At least that's how I'm understanding it, but I don't admin any site
large enough to know if things are ever set up like that.
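The scenario in the message above, modelled as a receiving-side check. This is an added example, not code from the list thread or from any MTA: the mail1/mail2/mail3.xyzcorp.com names come from the message, the DNS table and the SMTP sessions are constructed, and 203.0.113.0/24 (an RFC 5737 documentation range) stands in for the thread's aaa.bbb.ccc.0/24. It contrasts the strict rule (HELO name must resolve to the connecting IP) with a relaxed one (HELO name resolves, and both it and the connecting IP sit in a network the admin treats as one site, here the assumed SITE_NETWORKS policy table), and scores the relaxed-only case instead of rejecting it, which is the trade-off the writer is weighing.

```python
"""HELO/EHLO-vs-connecting-IP check, including the load-balanced egress case.

Added example, not code from the CentOS list thread. Hostnames follow the
message; addresses, DNS data and sessions are constructed, with
203.0.113.0/24 playing the role of the thread's aaa.bbb.ccc.0/24.
"""
import ipaddress

# Constructed forward DNS table: each MTA HELOs with its own name and has its
# own address in the corporate /24; the three redundant uplinks are .1x/.2x/.3x.
DNS_A = {
    "mail1.xyzcorp.com": "203.0.113.10",
    "mail2.xyzcorp.com": "203.0.113.11",
    "mail3.xyzcorp.com": "203.0.113.12",
}

# Assumed receiving-side policy: networks treated as "one site" for the
# relaxed rule. A real deployment would fill this from the sender's published
# SPF record or a local allow-list rather than hard-coding it.
SITE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def resolve(helo):
    """Return the A record for helo from the constructed table, or None."""
    return DNS_A.get(helo.lower())


def strict_helo_check(helo, connecting_ip):
    """The rule under discussion: HELO name must resolve to the connecting IP."""
    return resolve(helo) == connecting_ip


def relaxed_helo_check(helo, connecting_ip):
    """HELO name must resolve, and both it and the connecting IP must lie in
    the same site network. Tolerates egress via another uplink of that site."""
    resolved = resolve(helo)
    if resolved is None:
        return False
    resolved_ip = ipaddress.ip_address(resolved)
    conn_ip = ipaddress.ip_address(connecting_ip)
    return any(resolved_ip in net and conn_ip in net for net in SITE_NETWORKS)


def classify(helo, connecting_ip):
    """Return (strict_verdict, relaxed_verdict, action).

    "accept" when the strict rule passes, "accept+score" when only the relaxed
    rule passes (log it and add a small spam score), "reject" otherwise.
    """
    strict = strict_helo_check(helo, connecting_ip)
    relaxed = relaxed_helo_check(helo, connecting_ip)
    if strict:
        action = "accept"
    elif relaxed:
        action = "accept+score"
    else:
        action = "reject"
    return strict, relaxed, action


# Constructed SMTP sessions, each (HELO name, connecting IP).
SESSIONS = [
    ("mail2.xyzcorp.com", "203.0.113.11"),  # egress via its own uplink
    ("mail2.xyzcorp.com", "203.0.113.20"),  # load-balanced out the .2x uplink
    ("mail2.xyzcorp.com", "203.0.113.30"),  # load-balanced out the .3x uplink
    ("mail2.xyzcorp.com", "198.51.100.7"),  # same name, unrelated network
    ("pc-12345.example", "198.51.100.8"),   # HELO name that does not resolve
]


def run():
    """Evaluate every constructed session; returns {(helo, ip): action}."""
    results = {}
    for helo, ip in SESSIONS:
        strict, relaxed, action = classify(helo, ip)
        results[(helo, ip)] = action
        print(f"{helo:20} from {ip:15} strict={strict!s:5} "
              f"relaxed={relaxed!s:5} -> {action}")
    return results


if __name__ == "__main__":
    run()
```

Under the strict rule the second and third sessions (mail2 leaving through the .2x or .3x uplink) are rejected even though they are the legitimate traffic the message describes; the relaxed rule accepts them with a score while still rejecting a HELO that resolves nowhere or resolves outside the site's networks.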