Re: [Exim] Wish list (I think) regarding sender verify callo…

Author: Alan J. Flavell
Date:  
To: Nico Erfurth
CC: exim-users@exim.org
Subject: Re: [Exim] Wish list (I think) regarding sender verify callout.
On Tue, 1 Oct 2002, Nico Erfurth wrote:

> On Tue, 1 Oct 2002, Tom Marazita wrote:


[uses callback to verify envelope senders...]

> > MAIL FROM:<>
> > 553 5.7.1 <>... Domain part missing


...or "501 bogus mail from", and other variations on the theme.

> > Would it be practical to have an option on sender/callout which
> > caused verification to be considered successful if the response to
> > "MAIL FROM:<>" was 5xx?


See below for why this seems to me in general a bad idea.

You can create a list of domains (maybe wildcarded) for which you want
to try callback; alternatively you can create a list of domains for
which you don't want to try callback. YMMV, as always.

> > I realize it is not optimum, but I can't
> > think of another good way to both maintain sender/callout verification
> > while accepting mail from these hosts.


> So you want to accept mails from hosts that would not accept your bounces?


When you accept incoming mail, you accept responsibility for handling
it with reasonable care and diligence. That includes reporting
non-delivery situations by means of the standard protocols.

But if you accept mail from such a sender, you would not be able to
report a non-delivery situation in the normal fashion.

> An empty sender indicates a bounce, so it's totally legal to use it and it
> shouldn't be blocked.


Well, _you_ know that, and I know that, and presumably most of the
readers of this list know that; but some of these hosts evidently are
misbehaving deliberately (because they send a message which says so,
claiming it to be an anti-spam measure. Well, it sure cuts out any
spam that we might otherwise have accepted from them!) - others might,
I suppose, be doing it inadvertently...

> Contact the admin of this machine and tell him to fix his configuration.


Sounds easy, doesn't it ;-) I doubt that a tiny fraction of those
attempts would produce any result. Others seem to have the same
experience.

Unless there's an overwhelming reason to accept mail from hosts that
are known to behave that way, I'd vote for putting them into a
blacklist with a special message. For now, the one we use says e.g.

  deny    sender_domains = partial-dbm;CONFIG_DIR/unreach_domains.db
          message = We are currently unable to accept mail from \
          $sender_address_domain\n\
          because that mail domain is persistently unreachable or not\n\
          responding properly, for reasons that are outside our control.\n\
             ... and invites them to email our postmaster...


The postmaster, abuse etc. addresses are accepted _prior_ to that
test; if they want to talk to us, then it's up to them to make the
next move.

Into that list can go any email domain whose MX host(s) persistently
don't respond at all, or whose defective responses cause persistent
temporary failures. But if it's one of our funding bodies, we're
likely to take a different approach to the problem...

On the other hand, there's no point in listing a domain for callbacks
if they accept any RCPT TO that you give them, and only reject bad
ones later. Or indeed some of the throwaway-account providers have
been seen to reject invalid recipients at the end of the DATA phase,
which is too late for it to show up in a callback test, right?

all the best
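
The callout outcomes discussed in this thread, as an added example that is not part of the original message or of Exim: a classifier that reads the SMTP replies from each callout stage and separates "host refuses MAIL FROM:<>" from "sender address rejected" and from "no usable response". The outcome labels, function names and sample transcripts are constructed for illustration; only the 553 and 501 replies come from the thread.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -]|$)")

def final_code(reply):
    """Code of the last line of an SMTP reply; None if no complete reply arrived."""
    for line in reply.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            return None
        if m.group(2) != "-":          # "250-" continues, "250 " ends the reply
            return int(m.group(1))
    return None

def classify_callout(steps):
    """steps: ordered (command, reply) pairs for CONNECT, HELO, MAIL FROM:<>, RCPT TO."""
    verb = None
    for command, reply in steps:
        verb = command.split()[0].upper()
        code = final_code(reply)
        if code is not None and 200 <= code < 300:
            continue
        if code is not None and 500 <= code < 600:
            if verb == "MAIL":
                return "null-sender-refused"   # host cannot be sent a bounce
            if verb == "RCPT":
                return "sender-rejected"       # callout says the address is bad
            return "host-refused"
        return "no-usable-response"            # timeout, dropped link, or 4xx
    # A 2xx to RCPT is only weak evidence: accept-all hosts and hosts that
    # reject at the end of DATA look identical at this point.
    return "sender-accepted" if verb == "RCPT" else "no-usable-response"

# Constructed transcripts (hostnames and addresses are placeholders).
OPEN = [("CONNECT", "220 mx.example ESMTP"),
        ("HELO verifier.example", "250-mx.example\n250 HELP")]
SAMPLES = {
    "sendmail-style": OPEN + [("MAIL FROM:<>", "553 5.7.1 <>... Domain part missing")],
    "bogus-variant":  OPEN + [("MAIL FROM:<>", "501 bogus mail from")],
    "bad-sender":     OPEN + [("MAIL FROM:<>", "250 ok"),
                              ("RCPT TO:<nobody@mx.example>", "550 no such user")],
    "good-sender":    OPEN + [("MAIL FROM:<>", "250 ok"),
                              ("RCPT TO:<someone@mx.example>", "250 ok")],
    "greylisted":     OPEN + [("MAIL FROM:<>", "250 ok"),
                              ("RCPT TO:<someone@mx.example>", "451 try later")],
    "silent":         [("CONNECT", "")],
}

if __name__ == "__main__":
    for name, steps in SAMPLES.items():
        print(f"{name:15} {classify_callout(steps)}")
```

Only domains that land in "null-sender-refused" or "no-usable-response" persistently, over repeated attempts, match the criteria the message gives for the unreachable-domains list.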