Erwin Ambrosch|XHOSTPLUS wrote:
> Hi All,
>
> I've exim4 configured to do a verify = sender/callout=15s and it works
> for senders whose domain is not in the list of local_domains. If an
> e-mail is sent with the domain_part existing in the local_domains,
> exim4 doesn't perform the sender/callout verification.
>
> Here are my ACLs affected by this issue:
>
If no prior ACLs have skipped over these...

> deny !verify = sender/callout=15s
>

Should deny remote callers who fail sender verification callout.
Should NOT deny your local_domain users, and may not even test them.

> accept domains = +local_domains

Will accept anything with $domain in the hostlist of +local_domains.
No other test is being performed at this point.

> endpass

Will not call 'verify = recipient' IF the $domain IS in +local_domains

> verify = recipient

Will only be called if the $domain is NOT in +local_domains

Possible unwanted side effect: the 'endpass' may also skip other ACL code not
shown to us. Use it with great care and much testing, ELSE set an acl_ variable
flag, and test THAT whenever/wherever appropriate.

You might consider combining the conditions:

  ## If it is NOT our user, we don't care about the sender
  ## if it IS our user we want at least some evidence of credible sender
  deny
    !verify = recipient
    !verify = sender/callout=15s
  ## No endpass needed.

CAVEAT: *many* legitimate senders WILL fail a sender verify callout.

So:

  deny
    !verify = recipient
    ## any point in *ever* taking traffic for folks that do not exist?

  warn
    !verify = sender/callout=15s
    set acl_?? = 1
    log_message = Sender $sender_host_address - failed SV $sender_verify_failure

- Then use the value of acl_?? later to see how harsh you wish to be, i.e. is
it the sole fault? One of just two faults? - in an otherwise well-behaved
arrival. Or is it just one more of *many* unwanted characteristics?

HTH,
Bill
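
The flag-and-decide-later approach from the reply above, written out as an RCPT ACL fragment. This is an added example, not part of the original thread; the variable acl_m0, the reverse-lookup check used as a second fault, the threshold of two and the message texts are assumptions of the example.

```exim
# Added example (constructed): count faults in an ACL variable and reject
# only when they combine. acl_m0, the second check and the threshold of 2
# are assumptions, not values from the thread.
acl_check_rcpt:

  # Start each RCPT command with a clean fault counter.
  warn    set acl_m0  = 0

  # Never take traffic for local recipients that do not exist.
  deny    domains     = +local_domains
          !verify     = recipient
          message     = Unknown user

  # Fault 1: the sender callout failed. Record and log it, but do not
  # reject on it alone, because many legitimate senders fail a callout.
  warn    !verify     = sender/callout=15s
          set acl_m0  = ${eval:$acl_m0+1}
          log_message = Sender $sender_host_address - failed SV $sender_verify_failure

  # Fault 2 (assumed second signal): forward and reverse DNS of the
  # connecting host do not agree.
  warn    !verify     = reverse_host_lookup
          set acl_m0  = ${eval:$acl_m0+1}
          log_message = Sender $sender_host_address - failed reverse lookup

  # Decide how harsh to be: here, reject once two faults have accumulated.
  deny    condition   = ${if >={$acl_m0}{2}}
          message     = Sender address and sending host both failed verification

  # Minimal tail for the example: local recipients only. A real ACL keeps
  # its existing relay and authentication statements here.
  accept  domains     = +local_domains
  deny    message     = Relay not permitted
```

Because each warn statement only adds to the counter, a callout that fails or times out on its own leaves the message deliverable and simply shows up in the main log for later review.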