Re: [exim] Certified Server Validation/Client SMTP Validatio…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: John Horne
Date:  
À: Exim users
Sujet: Re: [exim] Certified Server Validation/Client SMTP Validation (CSV)?
On Wed, 2010-02-17 at 12:04 +0000, Ian Eiloart wrote:
>
> --On 15 February 2010 13:37:53 +0000 John Horne <john.horne@???>
> wrote:
>
> >
> > Yes, we use it but I don't think it is widely deployed.
> >
> > Stats from one of our mailhubs for today so far shows:
> >
> >     Sending host HELO failed CSA            488     (No. of domains: 2)

>
> These include sites claiming to be you. Presumably, then, there's only one
> other domain publishing records.
>

No. The 'number of domains' is simply the number of different sender
domains seen which have failed our CSA check. It was used to give an
idea of the number of different senders saying they were us. But 488
failures from 2 domains could mean 244 tries from each domain, or 487
from one domain and one attempt from the other domain. In that respect
perhaps not too useful.

> Of course, you don't need CSA to determine whether the email is from you.
>

True. There are other ways to do this with Exim.

>
> >     CSA check gave a temporary error:       862

>
> Can you reject these? Are they sites with faulty DNS?
>

We used to reject them, but we changed this to defers simply to be
'nice' to those sites who may well have had a problem with DNS name
servers.

> >     CSA success:                            0       (No. of domains: 0)

>
> And nobody sending you legitimate email is using it.
>

Hmm. For this year so far we have had no successes, but looking at our
old stats 2009 gave us a couple of hundred successes per week and 2005
(!) giving us over a 1000 per week. I will investigate to see if we have
messed up the success logging part.

> > So, it is rejecting sites, although the CSA successes seems to indicate
> > that it is not used that much (at least for the mail we have received
> > today)! Most of the CSA failures are for sites claiming to be us.
>
> So, not a lot of value all in all. Do you also use SPF?
>

We don't currently advertise SPF records in the DNS, but we do have SPF
checks. For one mailhub so far today:

  SPF check gave a temporary error:       205
  SPF failure:                            1830    (No. of domains: 398)
  SPF success:                            11037   (No. of domains: 1085)




John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001