RE: [exim] sender verify at verizon.net (sigh)

Pàgina inicial
Delete this message
Reply to this message
Autor: Eli
Data:  
A: 'Alan J. Flavell', 'Exim users list'
CC: 
Assumpte: RE: [exim] sender verify at verizon.net (sigh)
Alan wrote:
> On Tue, 22 Feb 2005, Kevin Smith wrote:
>
> > Reducing rfc1413_query_timeout from 30s to 20s worked for me.
>
> As a point of information, we do still have rfc1413_query_timeout
> enabled[1], but we set the time down to 10s : for a while
> indeed I had
> it at 7s, and that would IMHO probably be enough, but we
> finished on a
> "round number". Seems to me that this is the kind of query that will
> either respond promptly, or not at all - there is little point in
> hanging around for a response (unless you deliberately want to delay
> the caller, for some policy reason of your own).
>
>
> [1] The question whether it serves any useful function nowadays could
> be moot. I could mention two situations where it's beneficial:
>
> a) U=CacheFlow Server (25 hits so far this week, 135 hits last week)
> or U=squid are sure-fire indicators of an open proxy; we also added
> U=proxy to that.
>
> This is useful, but is now relatively rare (as you see from the
> numbers)
>
> b) when one is attacked from a multi-user system, it can be
> helpful to
> the administrator of that system if one can provide an rfc1413 id.
>
> But again, this happens only rarely nowadays, since
> multi-user systems
> are increasingly blocked against making uncontrolled direct-to-MX
> calls to the Internet.


I used to have ident checks on our Exim systems as well - figured what the
hay, it's there and I'll use it. I had the delay down to 5 seconds for your
stated reasons - it should return rather quickly or not at all, so if it
doesn't return in 5 seconds, just keep trucking.

I used to run ident on the servers as well (and on webservers too), however
nothing ever used ident except for email, and even then it was completely
100% useless since our mail servers are virtual hosting mail servers so the
ident check always returned just the user Exim ran as, and for webservers it
would return the same.

I found that using internal checks to record the real sending user far more
useful than ident ever was, so I (think) I turned off the ident checks in
Exim, and I turned off the ident daemon on the servers as well. It was just
a waste of resources running an ident daemon for no real purpose. It can be
faked so easily anyways, it's one of those legacy things which is really
useless in the current day.

Only use I can see for ident is for people who want to go on IRC and a
server requires ident, and well, I don't let users do that on any of our
servers :)

Eli.