On 2008-02-26 at 11:03 -0500, Kevin Colagio wrote:
> We have been getting some phishing attempts where the phishers are
> forging a local address to try and give some validity to their request
> for information. The messages are not generated locally, but but I
> don't want to do Sender Verifies for every message that comes in.
>
> What I'd like to do is have Exim only check local sender addresses and
> if it's not a valid address, reject the message. However, I'm not sure
> how to do this. Has anyone implemented something like this?
This is the default for "verify = sender" without the "/callout" option.
Exim verifies the sender using your normal Routers; only when there's a
remote delivery does it stop with verifying that the email can be passed
off remotely (typically, mail domain exists, so no left-hand-side
verification done).
If you normally pass mail off to another host, but can verify the LHS
exists in another way, then you're hopefully already doing this with
your existing setup so that you only accept mail for legitimate
addresses instead of having to accept+bounce and create backscatter. If
you're not doing this already, look at putting the verify_only option
onto a Router which can do the necessary LDAP/whatever lookups.
Somewhere in your RCPT ACL should be a line something like:
require verify = sender
If not, take a closer look at configure.default supplied with Exim and
look at restoring this.
