Author: Renaud Allard
Date:
To: David Saez Padros
CC: exim users
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
David Saez Padros wrote:
> Hi !!
>
>> That's probably better to actually _do_ callout when spf=pass, because
>> you are "sure" that one of the authorized IPs for the domain has sent the
>> mail, so you have rights to verify the address exists.
>
> yes, but then the tested address is likely to exist so the callout will
> almost always succeed. If you do the callout when spf != pass you will
> honour batv (if used by the remote domain) and/or check that at least
> the remote address exists.
>
Indeed, but, as mentioned before, some will argue that if the spf is
false you have no right to use their resources to verify things as it is
probably spam. And if spf != pass && spf != false (i.e. not defined)
you still have no right to do a callout as you could be a player in a DDoS.
So there is no real solution to this, the best practice would be that
the callout should be your last line of defense (just before data
session). And also that it should be avoided if the host is trusted (but
this last one is probably nearly unmaintainable for large environments).
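
The ordering described in the message above, sketched as an Exim RCPT ACL fragment. This is an added example, not configuration from the original post or from the Exim project; the `trusted_hosts` list, its address range and the decision to reject on SPF fail are assumptions made for illustration.

```exim
# Added example (constructed values): callout as the last check before DATA,
# skipped entirely for trusted hosts.

# Hypothetical list of hosts whose mail is never subject to a callout.
hostlist trusted_hosts = 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Local checks first: they cost the remote domain nothing.
  # (The spf condition needs an Exim binary built with SPF support.)
  deny    message = SPF check failed for $sender_address_domain
          spf     = fail

  # Recipient must be valid locally before any remote resource is used.
  require verify  = recipient

  # ... further local checks (DNS lists, rate limits, ...) go here ...

  # Last statement before accepting the recipient: the sender callout.
  # Conditions are tested in order, so a trusted host fails the first
  # condition and the callout is never attempted for it.
  deny    message = Sender address could not be verified
          hosts   = !+trusted_hosts
          !verify = sender/callout

  accept
```

Because every earlier `deny` ends ACL processing for that recipient, the callout only reaches remote servers for mail that has already passed all the local checks.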