Yeah, we got bitten by this one at work last week (actually started
noticing problems around Wednesday or Thursday of the previous week, but
only resolved it last week). We had some users within the department
who wanted to manage their CS e-mail via Gmail, and had set up their
Gmail to send out via our SMTP server, which had worked fine until
Google unilaterally decided on this new restriction, which most likely
violates several standards.

Since we control reverse DNS on our domain, I was able to fudge things
up to get Google to accept our cert (a legitimate cert, issued by
Globalsign, that has multiple generic aliases in the SAN list, but
intentionally avoided the canonical host name, since these generic
aliases should be allowed to migrate to different physical servers,
transparently). I found out that you can have multiple PTR records on
one IP address, which is completely legal in DNS, but not usually
considered good practice (or so I thought). Of course, this second PTR
record caused some things to fail in a non-deterministic way, since
lookups on the IP address gave the PTR records in pseudo-random order,
causing code that only looked at the first answer to get inconsistent
results. Grrr!

Thanks, Google, for once again messing with standards, and forcing
everyone else to bend to your will!

Gilbert

On 2020-04-18 3:14 p.m., Hartmut W Sager wrote:
[... deleted ...]
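The failure mode Gilbert describes, as an added illustration that is not code from this thread: a check that compares an SMTP server's certificate SAN list against reverse DNS, shown both in the brittle "first PTR answer only" form and in an order-independent form that evaluates every PTR. The host names, SAN entries and PTR records are constructed for the example; a live lookup is deliberately left out so it runs offline.

```python
"""Compare an SMTP host's certificate SAN list against its reverse-DNS names.

Example code, not from the original mailing-list post. The PTR records and
SAN entries below are constructed; a real check would fetch the PTRs for the
server's IP and the SAN list from the presented certificate.
"""

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Mail.example.edu.' == 'mail.example.edu'."""
    return name.lower().rstrip(".")

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading '*' label covering one label."""
    san, host = normalize(san), normalize(host)
    if san == host:
        return True
    if san.startswith("*."):
        san_labels, host_labels = san.split(".")[1:], host.split(".")
        return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels
    return False

def first_answer_only(ptr_records, sans) -> bool:
    """The brittle check: trusts whichever PTR the resolver happened to return first."""
    return any(san_matches(san, ptr_records[0]) for san in sans)

def any_ptr_matches(ptr_records, sans) -> bool:
    """Order-independent check: accept if any PTR name is covered by the SAN list."""
    return any(san_matches(san, ptr) for ptr in ptr_records for san in sans)

def matching_ptrs(ptr_records, sans):
    """Which PTR names the certificate actually covers (useful in a diagnostic)."""
    return sorted({normalize(p) for p in ptr_records if any(san_matches(s, p) for s in sans)})

def verdicts_over_orderings(ptr_records, sans):
    """Simulate a resolver rotating the PTR answer order; collect the distinct verdicts
    each check produces. A robust check yields exactly one verdict."""
    records = list(ptr_records)
    first_only, all_ptrs = set(), set()
    for i in range(len(records)):
        rotated = records[i:] + records[:i]
        first_only.add(first_answer_only(rotated, sans))
        all_ptrs.add(any_ptr_matches(rotated, sans))
    return {"first_only": first_only, "all_ptrs": all_ptrs}

# Constructed sample: one IP with two PTRs (canonical host plus generic alias);
# the certificate's SAN list intentionally covers only the generic aliases.
PTR_RECORDS = ["cshost17.example.edu.", "smtp.example.edu."]
CERT_SANS = ["smtp.example.edu", "mail.example.edu", "*.mail.example.edu"]

if __name__ == "__main__":
    print(verdicts_over_orderings(PTR_RECORDS, CERT_SANS))
```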