Re: [exim] Using verify sender

Author: Nigel Metheringham
Date:  
To: W B Hacker
CC: exim users
Subject: Re: [exim] Using verify sender
Bill - I think your answer is referring to callback verification, which
Graham (original poster) explicitly wasn't suggesting. DNS checks - such
as you suggest - are handled by basic sender verification.

    Nigel.


On 23 May 2011, at 15:42, W B Hacker wrote:

> Graham Butler wrote:
>> I am currently looking into adding 'require verify = sender', with no
>> callouts, to our Exim configuration. Unfortunately, my manager went
>> to a conference last week and was informed that adding 'verify
>> sender' was not very wise and could lead to the rejection of
>> legitimate emails.
>>
>> From my understanding, 'verify sender' is 'confined to verifying
>> that the domain is registered in the DNS' with either a MX or an
>> 'A' address. Rejecting such emails I would have thought would be
>> good practice. I would agree that using 'verify sender' with
>> callout is bad practice.
>>
>> Is the use of 'verify sender' recommended, and can anybody who has
>> included 'verify sender' give any feed back on any problems they have
>> experienced regarding rejections of legitimate emails.
>>
>> Graham Butler Infrastructure Team. The University of Huddersfield
>>
>
> We found it to not add enough value to risk. Stopped doing it within about a month of starting.
>
> The 'good stuff' - confirmation that there is not only a valid DNS route back, but that there is actually a device online and at least pretending to comply with smtp.. cannot be assured...
>
> Because of:
>
> ... greylisting ...
>
> ... even quite short 'in session' delays (15 or 20 seconds)
>
> ... rejections due to per-IP connection-count limits
>
> ... certain types of server 'pools' or even just multiple IP on same box if the probe comes from an IP that itself fails an rDNS check, as many do.
>
> ... other active checks that don't let the probe get 'far enough, fast enough' down the smtp session sequence to return approval before you time-out
>
> So even when it works fast and well, it takes up b/w, time, and cycles to provide an 'appears to be OK' answer, yet still not a guarantee.
>
> Dead-easy for a bot to fake a compliant session.
>
> Harder to fiddle DNS records.
>
> YMMV,
>
> Bill
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
[ Nigel Metheringham ------------------------------ nigel@??? ]
[                 Ellipsis Intangible Technologies                  ]
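The two checks contrasted in this thread, side by side as an Exim ACL fragment. This is an added example, not configuration from any of the posters or from the Exim distribution. It assumes the RCPT ACL is named acl_check_rcpt, as in Exim's default configuration, and that remote domains are routed by a dnslookup router. The log and message texts are constructed, and the log-only trial step is a suggestion added here.

```exim
# Fragment for an existing acl_check_rcpt; place it before the
# statements that accept mail. Added example, not from the thread.

  # Step 1 (trial): log senders that would fail basic verification,
  # without rejecting anything. With no callout, Exim only runs the
  # sender address through the routers in verify mode, which for a
  # remote domain means a DNS lookup for MX or address records.
  # No SMTP connection is made to the sender's mail host.
  warn    !verify     = sender
          log_message = sender verify would fail: <$sender_address> ($sender_verify_failure)

  # Step 2 (enforce): once the log shows no legitimate senders being
  # caught, replace the warn above with this. An unroutable sender
  # domain gets a permanent rejection; a temporary DNS failure makes
  # the ACL defer, so the sending host receives a 4xx and retries.
  # require message = Sender address <$sender_address> could not be verified
  #         verify  = sender

  # For contrast only: callout verification, the variant Bill's reply
  # describes. Exim opens an SMTP session to the sender's MX and probes
  # the address, so greylisting, session delays and connection limits
  # on the remote side can all make it time out or fail.
  # require verify  = sender/callout=30s
```

With no callout, `$sender_verify_failure` in the trial log will be `route` or `qualify`, which separates unroutable domains from unqualified addresses.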