RE: [Exim] verify = sender/callout

Etusivu
Poista viesti
Vastaa
Lähettäjä: Pat Lashley
Päiväys:  
Vastaanottaja: eli-list, exim-users
Aihe: RE: [Exim] verify = sender/callout
--On Monday, January 19, 2004 13:53:17 -0500 Eli <eli-list@???> wrote:

> I personally don't use any callouts for verifying recipient or sender since
> the mail servers that I have handle huge amounts of users and email. Having
> to do callouts to servers would drastically hit performance, and here's why:
>
> 1) slow mail servers could tie up callout verification if I don't have a low
> timeout specified (and then I may never properly verify the address if the
> server is constantly delayed)
> 2) if you have lots of email traffic, and you get hit with a spam/virus
> attack with faked senders, you could end up doing tons of callouts, only
> costing you more cpu time to deal with that before you even get to the
> spam/virus scans
>
> I'd say that if you have a low volume server, you could certainly try it
> out. Specify a short callout period like 10s or something so you don't have
> your server sitting around forever. You could even try without a callout
> for a week, see what performance is like, then enable it and see what
> difference it makes.
>
> Personally the default check of testing the domain for an mx record is
> enough for me - if there's at least a domain by that name that can accept
> email, at least it should be possible to contact *someone* about problems.
>
> Plus, sender verification must be done at RCPT or MAIL time, which is before
> exiscan can do a spam/virus check, which means I must make Exim work as fast
> as possible up until I can deny someone who is spamming (since I don't know
> if they're a spammer at RCPT or MAIL time).


You certainly can do sender verification in the DATA ACL; so there's
no reason you couldn't do the spam test first. (But in my opinion,
the spam test is likely to be much more CPU intensive than the callout.
I look at the sender/callout as a way to avoid the overhead of a spam
test...)

Recipient verification is probably most useful for 'local' addresses
anyway; and then only if the message is to be relayed to an internal
SMTP or LMTP server for final delivery. (It is a great way to check
for virtual [mail-only] users when using Cyrus for the mailstore. It
even handles detail notation properly.)


My experience with a large public webmail-based system is that
the sender callouts, and a few other ACL checks have practically
eliminated the queue of undeliverable bounce messages, thereby
drasticly reducing the total system overhead.



-Pat