Re: [exim] Using verify sender

Top Page
Delete this message
Reply to this message
Author: Jethro R Binks
Date:  
To: 'exim-users@exim.org'
Subject: Re: [exim] Using verify sender
On Mon, 23 May 2011, Graham Butler wrote:

> I am currently looking into adding 'require verify = sender', with no
> callouts, to our Exim configuration. Unfortunately, my manager went to a
> conference last week and was informed that adding 'verify sender' was
> not very wise and could lead to the rejection of legitimate emails.
>
> >From my understanding,' verify sender' is 'confined to verifying that
> >the domain is registered in the DNS' with either a MX or an 'A'
> >address. Rejecting such emails I would have thought would be good
> >practice. I would agree that using 'verify sender' with callout is bad
> >practice.
>
> Is the use of 'verify sender' recommended, and can anybody who has
> included 'verify sender' give any feed back on any problems they have
> experienced regarding rejections of legitimate emails.


Used it for years, with no problems. Well, no problems that I much care
about anyway.

The principle we operate with is: we do not accept mail from sites to
which we could not return messages. The justification behind this, apart
from the obvious, is that mail domains are supposed to be required to
support addresses like postmaster@ and abuse@. I take the position that a
domain that originates email but is not configured to accept messages to
it is expressing the opinion "I will send what I like and I do not care to
hear what you might think of it". I don't really want to receive mail
from such sites.

That said, my boss recently came upon a case:

"<no-reply@???>:      
Sender verify failed                                                            


Looks like they haven't set up an A or MX record for the domain - but they      
have set up a SPF record...                                                     


revolution.co-operative.coop. 96 IN TXT "\"v=spf1 ip4:217.114.80.100
~all\""

So, you might like to consider taking into account whether there are
published SPF records, for example. (I didn't do anything about this
case).

Balance the benefits of "sender = verify" (particular with regard to
rejecting spam and messages with fraudulent sender domains) against the
possible risks of rejecting the odd 'legitimate' mail.

You can always maintain a whitelist of sender domains to not include in
the "verify = sender" check if you come across them and need to keep mail
working for them, using "! domains = ..."

Yesterday's stats for my MXs say:

Connections: total made 407578
Rejects/sender address unverifiable 5515
Messages accepted for processing 72119

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.