[Exim] Sender callout verification issues

Author: I. Forbes
Date:  
To: exim-users
Subject: [Exim] Sender callout verification issues
Hello All

I have been running sender callout verification for about a week
and I have had to turn it off again.

It seems that there are too many broken hosts out there that deal
with legitimate e-mail that I can't just ignore. The final straw was
problems with Verizon, who are also doing some kind of callout
verification. It seems when two callout systems start talking to each
other, the communications break down. (See my separate thread on
Verizon. 12 hours after turning off our verification they seem to be
accepting our mail again.)

Remember, the objective is to block spam and viruses, not to try and
police RFCs. It seems in order to go forwards with this exim needs a
few extra tools. Two come to mind:


1) ALTERNATIVE CALL BACK SENDER ADDRESS

A lot of smtp servers fail call back verification because they do not
accept "bounce messages", i.e. mail from "<>" (ouch!).

Now that is an issue, but if they are handling bona fide mail that my
customers want to read, I need to accept it.

Can exim be set up to use an alternate address in an additional test
if the sending server rejects "MAIL FROM: <>"? I.e. if this test
generates a 5xx error then try sender callout verification with
"MAIL FROM: <testsender@???>" (where this address passes
local recipient verification)? The results of this should be cached
in a hints database.


2) LOGGING OF OTHER SERVER'S CALLOUT VERIFICATION ATTEMPTS

There are obviously other systems that are already running callout
verification. Any attempt to do a callout verify on them, results in
them doing a callout verify on me. Sometimes this works, but
sometimes it does not. Sorting out the issues here becomes very
complex - particularly when the other server has cached the results
of some previous test.

What kind of entries can I expect to see in my exim logs when someone
tests my server for callout verification?

From playing around with my test server the only log I get is a
warning for a reverse DNS failure - that is because I have not set up
DNS in the test environment. How would one go about logging other
servers' sender verification callouts?


3) USEFUL TOOLS

I have typed "telnet server.com 25" too many times over the last few
days. I am sure many people have already put together tools for
running a callout verification on a server. Before I go and re-invent
the wheel, is there a tool like this, and maybe another one-line
command tool for removing an entry from the callout hints file, that
have been made public already?


Thanks

Ian


--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
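
Added example, not part of the original post and not Exim's own code: the fallback proposed in point 1 (probe with MAIL FROM:<>, retry once with an alternate sender on a 5xx, cache the result), written so that it can also serve as the command-line probe asked about in point 3. The dict cache stands in for a hints database, and `callout`, `live_callout`, `FakeSession` and the example.org/example.net addresses are hypothetical names constructed for this example.

```python
import smtplib

def callout(session, address, fallback_sender, cache):
    """Probe `address` on an SMTP session that has already sent HELO.
    Returns (verdict, sender_used); verdict is "accept", "reject" or "defer"."""
    if address in cache:
        return cache[address]
    verdict, used = "defer", None
    for sender in ("", fallback_sender):       # "" goes out as MAIL FROM:<>
        used = sender
        code, _ = session.mail(sender)
        if 500 <= code <= 599 and sender == "":
            session.rset()                     # null sender refused: retry once
            continue
        if 200 <= code <= 299:
            code, _ = session.rcpt(address)
        verdict = ("accept" if 200 <= code <= 299
                   else "reject" if 500 <= code <= 599 else "defer")
        break
    session.rset()                             # never proceed to DATA
    if verdict != "defer":                     # assumption: 4xx is not cached
        cache[address] = (verdict, used)
    return verdict, used

def live_callout(mx_host, helo_name, address, fallback_sender, cache):
    """Run the same probe against a real server on port 25."""
    with smtplib.SMTP(mx_host, 25, local_hostname=helo_name, timeout=30) as s:
        s.helo()
        return callout(s, address, fallback_sender, cache)

class FakeSession:
    """Constructed stand-in for smtplib.SMTP: a host that refuses bounces."""
    def __init__(self, known):
        self.known, self.log = known, []
    def mail(self, sender):
        self.log.append("MAIL FROM:<%s>" % sender)
        return (250, b"OK") if sender else (550, b"bounces not accepted")
    def rcpt(self, address):
        self.log.append("RCPT TO:<%s>" % address)
        return (250, b"OK") if address in self.known else (550, b"no such user")
    def rset(self):
        self.log.append("RSET")
        return (250, b"OK")

if __name__ == "__main__":
    s, cache = FakeSession({"alice@example.org"}), {}
    for addr in ("alice@example.org", "bob@example.org", "alice@example.org"):
        print(addr, callout(s, addr, "testsender@example.net", cache))
    print("\n".join(s.log))
```

The returned `sender_used` records whether the host only passed with the alternate sender, which is worth logging because such a host will also refuse real bounces.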