Re: [exim] Email DNS Issue

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Vincent Stemen
Data:  
Para: exim-users
Asunto: Re: [exim] Email DNS Issue
On 2008-03-14, Matt <lm7812@???> wrote:
>> IF you are doing sender-verify, you will have to expect that a
>> significant number of sending hosts will not pass.
>>
>> Faulty 'vanilla' DNS entries aside, many will be in large ISP 'pools'
>> where incoming/outgoing are separate, and may not be properly listed in
>> DNS, or just not configured to respond as you wish they would.
>>
>> Others may treat your query as possible spambot probing and shut *you*
>> out. Still others have delays or greylsting that will look like a fail
>> in any reasonable time, hence drop the connection.
>
> Its not a sender-verify like that. I THINK all it does is make sure
> the sending email adresses domain has an mx record. I did not add
> this to my exim config its just been there for years.


Actually, it does not just do a DNS check. Sender verify connects to
domain of the senders address and initiates the first step in sending
mail to make sure their server responds that the senders email address
exists. It then disconnects without actually delivering any mail.


> ---
> # Deny unless sender address can be verified:
> require verify = sender
> ---
>
> Does anyone else have this in the exim.conf? This 4.6 Exim.
>
> Matt


Yes. Absolutely. I use sender verify. It blocks probably 60 or 70% of
our spam mail. But I don't use the *require verify* statement. Instead
I do it in an ACL rule so that I have control over other parameters.

  drop    domains       = +hosted_domains
          logwrite      = verifying sender $sender_address
          !verify       = sender/callout=45s
          message       = mail refused
          delay         = 8s


To deal with valid but crappy sites that send email from bogus non-verifyable
addresses, I use whitelists that skip sender, HELO, etc, verifications by having
the following rule in the ACL section before the above sender verify rule.

  # Accept if sender is whitelisted.
  accept  domains       = +hosted_domains
          senders       = /etc/exim/acl/whitelist_from


  # Accept if recipient is whitelisted.
  accept  domains       = +hosted_domains
          recipients    = /etc/exim/acl/whitelist_to


I don't encounter that many legitimate sites that won't sender verify.
It is usually sites where you get automated emails, such as some online
shopping sites, etc. Generally, to be safe, when I use such a service,
I either whitelist them ahead of time or, more often, I provide a unique
email address that is recipient whitelisted. This is because, you don't
always know what address their automated system is going to send email
from.

Without sender verify, we would get hundreds of additional spam mails
per day.