Re: [exim] Using verify sender

Góra strony
Delete this message
Reply to this message
Autor: W B Hacker
Data:  
Dla: exim users
Temat: Re: [exim] Using verify sender
Graham Butler wrote:
> I am currently looking into adding 'require verify = sender', with no
> callouts, to our Exim configuration. Unfortunately, my manager went
> to a conference last week and was informed that adding 'verify
> sender' was not very wise and could lead to the rejection of
> legitimate emails.
>
>> From my understanding,' verify sender' is 'confined to verifying
>> that the domain is registered in the DNS' with either a MX or an
>> 'A' address. Rejecting such emails I would have thought would be
>> good practice. I would agree that using 'verify sender' with
>> callout is bad practice.
>
> Is the use of 'verify sender' recommended, and can anybody who has
> included 'verify sender' give any feed back on any problems they have
> experienced regarding rejections of legitimate emails.
>
> Graham Butler Infrastructure Team. The University of Huddersfield
>


We found it to not add enough value to risk. Stopped doing it within
about a month of starting.

The 'good stuff' - confirmation that there is not only a valid DNS route
back, but that there is actually a device online and at least pretending
to comply with smtp.. cannot be assured...

Because of:

... greylisting ...

... even quite short 'in session' delays (15 or 20 seconds)

... rejections due to per-IP connection-count limits

... certain types of server 'pools' or even just multiple IP on same box
if the probe comes from an IP that itself fails an rDSN check, as many do.

.. .other active checks that don't let the probe get 'far enough, fast
enough' down the smtp session sequence to return approval before you
time-out

So even when it works fast and well, it takes up b/w, time, and cycles
to provide an 'appears to be OK' answer, yet still not a guarantee.

Dead-easy for a bot to fake a compliant session.

Harder to fiddle DNS records.

YMMV,

Bill