Re: [exim] Exim not sending NMS FormMail messages

Author: David Woodhouse
Date:  
To: Bruce Kallick
CC: exim-users, Phil Pennock
Subject: Re: [exim] Exim not sending NMS FormMail messages
On Mon, 2004-09-06 at 21:34 -0500, Bruce Kallick wrote:
> I changed
> require verify = header_sender
> to
> require verify = sender

<...>
>
> But I need to know if doing this compromises the mail server's security.


I don't think anyone would argue that it would 'compromise the mail
server's security' even if you were to omit both of the above from your
configuration. It would just make you accept some mail which it
otherwise wouldn't have done.

The two lines above do similar things, but slightly different. The
former attempts to verify the address(es) found in the From: header of
the mail itself, while the latter attempts to verify the address in the
SMTP reverse-path -- the address to which bounces would be sent.

At the moment it's just looking at the domain's DNS records and checking
that it thinks it knows how to send mail to that domain. Personally I
find I accept too much crap that way -- I prefer to also enable
callouts, to check the whole address. Exim will actually connect to the
mail servers for the (apparent) sender's domain and pretend to send a bounce
to the address in question. If that is rejected, Exim won't accept the
incoming mail. If it's accepted, Exim aborts the connection before
actually _sending_ a bounce. See §38.21 of the Exim spec.

Since you're not doing callouts, and since I assume the DNS for
'domain.com' is actually working for you, I suspect the problem isn't as
I originally thought. Could it be that your perl script is sending mail
without a From: header in it, and expecting Exim to add one for itself?

Try adding something like this to your RCPT-time ACL in an appropriate
place (probably the end, just before a final 'accept').

    accept hosts   = 127.0.0.1
           control = submission


See §§44 and 38.11.

--
dwmw2
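
The checks discussed in the message above, laid out as an added Exim 4 configuration fragment that is not part of the original post. The ACL names and the `local_domains` list follow Exim's default configuration and are assumptions about this server, as is placing the 127.0.0.1 statement ahead of the recipient checks so that it applies whatever the recipient domain is.

```exim
# Main configuration section (names as in Exim's default configuration)
domainlist local_domains = @
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:

  # Envelope sender (SMTP reverse-path, where bounces would go).
  # Without options this only checks that Exim can route to the address.
  require message = unverifiable envelope sender
          verify  = sender

  # Stricter variant: callout to the sender domain's mail servers to test
  # the full address; no bounce is actually sent. Use instead of the above.
  # require verify = sender/callout

  # Mail handed over by local scripts (e.g. FormMail) on the loopback
  # interface: accept it and treat it as a submission, so Exim applies
  # its fix-ups for missing header lines such as From:.
  accept  hosts   = 127.0.0.1
          control = submission

  # Mail for our own domains: the recipient must verify.
  accept  domains = +local_domains
          verify  = recipient

  # Everything else would be relaying.
  deny    message = relay not permitted

acl_check_data:

  # Addresses in the message's own header lines. This can only run here,
  # after the headers have been received, not in the RCPT ACL.
  require message = unverifiable address in message headers
          verify  = header_sender

  accept
```

A change like this can be exercised without sending mail by running `exim -bh 127.0.0.1` and typing the SMTP dialogue by hand; Exim prints each ACL statement as it is evaluated.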