Re: [exim] Using verify sender

Top Page
Delete this message
Reply to this message
Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Using verify sender
Nigel Metheringham wrote:
> Bill - I think your answer is referring to callback verification,
> which Graham (original poster) explicitly wasn't suggesting. DNS
> checks - such as you suggest - are handled by basic sender
> verification.
>
> Nigel.


Very much so.

'mea culpa'.

One name. inocuous 'tail', but two very different actions.

We should 'honour the threat' (confusion AND flame war potential...)

... and just sever the nomenclature (other post on that..)

Thanks,

Bill

>
> On 23 May 2011, at 15:42, W B Hacker wrote:
>
>> Graham Butler wrote:
>>> I am currently looking into adding 'require verify = sender',
>>> with no callouts, to our Exim configuration. Unfortunately, my
>>> manager went to a conference last week and was informed that
>>> adding 'verify sender' was not very wise and could lead to the
>>> rejection of legitimate emails.
>>>
>>>> From my understanding,' verify sender' is 'confined to
>>>> verifying that the domain is registered in the DNS' with either
>>>> a MX or an 'A' address. Rejecting such emails I would have
>>>> thought would be good practice. I would agree that using
>>>> 'verify sender' with callout is bad practice.
>>>
>>> Is the use of 'verify sender' recommended, and can anybody who
>>> has included 'verify sender' give any feed back on any problems
>>> they have experienced regarding rejections of legitimate emails.
>>>
>>> Graham Butler Infrastructure Team. The University of
>>> Huddersfield
>>>
>>
>> We found it to not add enough value to risk. Stopped doing it
>> within about a month of starting.
>>
>> The 'good stuff' - confirmation that there is not only a valid DNS
>> route back, but that there is actually a device online and at least
>> pretending to comply with smtp.. cannot be assured...
>>
>> Because of:
>>
>> ... greylisting ...
>>
>> ... even quite short 'in session' delays (15 or 20 seconds)
>>
>> ... rejections due to per-IP connection-count limits
>>
>> ... certain types of server 'pools' or even just multiple IP on
>> same box if the probe comes from an IP that itself fails an rDSN
>> check, as many do.
>>
>> .. .other active checks that don't let the probe get 'far enough,
>> fast enough' down the smtp session sequence to return approval
>> before you time-out
>>
>> So even when it works fast and well, it takes up b/w, time, and
>> cycles to provide an 'appears to be OK' answer, yet still not a
>> guarantee.
>>
>> Dead-easy for a bot to fake a compliant session.
>>
>> Harder to fiddle DNS records.
>>
>> YMMV,
>>
>> Bill
>>
>> -- ## List details at
>> https://lists.exim.org/mailman/listinfo/exim-users ## Exim details
>> at http://www.exim.org/ ## Please use the Wiki with this list -
>> http://wiki.exim.org/
>
> -- [ Nigel Metheringham ------------------------------
> nigel@??? ] [                 Ellipsis Intangible Technologies
> ]

>
>
>



--
Ciào

Bill
韓家標