Author: listrcv
Date:
To: Magnus Holmgren
CC: exim-users
Subject: Re: [exim] Am I an open relay or aren't I?
Magnus Holmgren wrote:
>>Considering that, what's the actual benefit of using the defer_ok option?
>
>
> Now you're quoting two sections relating to sender (callback) checks, but from
> my mail you quote the recipient (call-forward) check. I'm confused, but I'll
> cover both ways.
Oh, sorry, it's me who confused that. I thought it was sender verification.
> Using a call-forward without defer_ok would render the secondary effectively
> meaningless
That's true, very good explanation, thanks!
>>If a SPAMer has set up MXs that point to non-accepting hosts, he will
>>get the SPAM through because you set defer_ok.
>
>
> The reasoning behind defer_ok on the sender verification is that it might
> cause too many false positives. That could be wrong, YMMV, try for yourself.
I have enabled sender verification callouts, but without defer_ok. The
idea that it might be a good idea to enable defer_ok is what made me ask.
But when I rethink that ... The callout sender verification does two
things: ensuring the sending address is reachable and, as a side effect,
warding off _lots_ of SPAM.
Denying mail from unreachable addresses is mandatory because once you
accept a mail, you are responsible for handling it according to the
standards --- which includes eventually sending delivery errors. Since
you cannot send anything to unreachable addresses, accepting mail from
them is a violation of RFCs --- leaving aside that I don't want a
mailserver to be that unreliable.
Setting defer_ok would lead to accepting all the SPAM and mail from
unreachable addresses. Not a good idea ...
> Anyway, if the spammer bothers to set up a sender address that causes
> verification to defer, they could as easily set up a sender address that
> verifies OK.
Yeah, fortunately most of them don't do that. What gets through and is
detected as SPAM here is a little less than 1.3 mails per day per user.
Taking undetected SPAM into account, it's maybe 1.5 --- a bearable rate.
Thus, I don't understand why so many mail service providers are so
excited about SPAM that many of them misconfigure their servers to use
sucking blacklists. But then, most of them don't know what they do, anyway.
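
The two callout settings discussed in this message, written out as an Exim RCPT ACL fragment. This is an added example, not part of the original message or of anyone's actual configuration; the domain names, list names, ACL name and 30s timeout are assumptions chosen for illustration.

```exim
# Added illustration. Domain lists below are constructed sample values.
# Main section: relay_to_domains holds domains this host serves as secondary MX.
domainlist local_domains    = example.org
domainlist relay_to_domains = backup.example.net

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Sender callout (callback) WITHOUT defer_ok:
  #   callout succeeds          -> condition true, processing continues
  #   remote host answers 5xx   -> RCPT is rejected
  #   timeout or 4xx (deferral) -> the verify condition defers, the client
  #                                gets a temporary error and retries later
  require message = Sender address could not be verified
          verify  = sender/callout=30s

  # Variant WITH defer_ok (left commented out): a callout that cannot be
  # completed counts as success, so only a definite 5xx causes rejection.
  # require message = Sender address could not be verified
  #         verify  = sender/callout=30s,defer_ok

  # Recipient callout (call-forward) for domains relayed as secondary MX.
  # defer_ok lets the secondary keep accepting mail while the primary is
  # unreachable; a definite 5xx from the primary still rejects the recipient.
  accept  domains = +relay_to_domains
          verify  = recipient/callout=30s,defer_ok

  # Locally hosted domains: ordinary recipient verification, no callout.
  accept  domains = +local_domains
          verify  = recipient

  deny    message = relay not permitted
```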