Re: [exim] Sender verification

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Sender verification
Erwin Ambrosch|XHOSTPLUS wrote:

> Hi All,
>
> I've exim4 configured to do a verify = sender/callout=15s and it works
> for senders whose domain is not in the list of local_domains. If an
> E-Mail is sent with the domain_part existing in the local_domains,
> exim4 doesn't perform the sender/callout verification.
>
> Here are my ACLs affected by this issue:
>



If no prior ACLs have skipped over these...

> deny !verify = sender/callout=15s
>


Should deny remote callers who fail sender verification callout.
Should NOT deny your local_domain users, and may not even test them.

> accept domains = +local_domains


Will accept anything with $domain in the hostlist of +local_domains.
No other test is being performed at this point.


>          endpass


Will not call 'verify = recipient' IF the $domain IS in +local_domains

>          verify = recipient


Will only be called if the $domain is NOT in +local_domains

Possible unwanted side effect: the 'endpass' may also skip other acl code not
shown to us. Use it with great care and much testing, ELSE set an acl_ variable
flag, and test THAT whenever/wherever appropriate.

You might consider combining the conditions:

## If it is NOT our user, we don't care about the sender
## if it IS our user we want at least some evidence of credible sender

deny
    !verify = recipient
    !verify = sender/callout=15s



## No endpass needed.

CAVEAT: *many* legitimate senders WILL fail a sender verify callout.

So:

deny
    !verify = recipient


## any point in *ever* taking traffic for folks that do not exist?


warn
    !verify     = sender/callout=15s
    set acl_??  = 1
    log_message = Sender $sender_host_address - failed SV $sender_verify_failure


- Then use the value of acl_?? later to see how harsh you wish to be, i.e. is
it the sole fault? One of just two faults? - in an otherwise well-behaved
arrival. Or is it just one more of *many* unwanted characteristics?

HTH,

Bill
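
The flag-and-decide-later approach suggested in the message above, written out as an added example (not part of the original post or the Exim distribution). The variable names acl_m_sv_fail and acl_m_rdns_fail, the choice of a failed reverse DNS check as the second fault, and the "both faults" rejection rule are assumptions made for illustration.

```exim
# Added example. Statements to merge into an existing configuration,
# not a complete ACL: keep your own relay/authentication checks and
# final accept/deny statements around them.
#
# acl_m_sv_fail / acl_m_rdns_fail are hypothetical names. Named ACL
# variables need Exim 4.64 or later; older releases use acl_m0..acl_m9.
# Unset variables expand to an empty string unless strict_acl_vars is set.

### In the RCPT ACL (the one named by acl_smtp_rcpt) ###

  # Hard failure: never take mail for recipients that do not exist.
  deny
    message     = Unknown recipient
    !verify     = recipient

  # Soft fault 1: sender callout failed. Record it, do not reject yet,
  # because many legitimate senders fail a callout.
  warn
    !verify     = sender/callout=15s
    set acl_m_sv_fail = 1
    log_message = Sender $sender_host_address - failed SV $sender_verify_failure

  # Soft fault 2 (assumed second check): no consistent reverse DNS
  # for the connecting host.
  warn
    !verify     = reverse_host_lookup
    set acl_m_rdns_fail = 1
    log_message = Sender $sender_host_address - failed reverse lookup

### In the DATA ACL (the one named by acl_smtp_data) ###

  # Reject only when both soft faults were recorded for this message.
  # A failed callout on its own is logged but the message is accepted.
  deny
    condition   = ${if and{{eq{$acl_m_sv_fail}{1}}{eq{$acl_m_rdns_fail}{1}}}}
    message     = Rejected: sender verification and reverse DNS both failed
    log_message = Combined faults: SV=$acl_m_sv_fail RDNS=$acl_m_rdns_fail
```

acl_m variables last for the whole message, so a flag set in the RCPT ACL is still visible in the DATA ACL. A dry run with `exim -bh <address>` exercises the ACLs without delivering mail.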