Re: [exim] verify sender

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] verify sender
On 11/12/2013 10:11, Oliver Howe wrote:
> Is it possible for exim to perform a verify account test as described here -
>
> https://my.handsonwebhosting.com/knowledgebase/139/Mail-Error-451-Could-not-verify-sender-.html

Yes, but don't.

> I have tried exim -bvs and can get part of the way there, for example
>
> # exim -bvs ojhowe@???
> ojhowe@??? verified
>
> # exim -bvs ojhowe@???
> ojhowe@??? failed to verify: Unrouteable address
>
> which is fine, but it says verified for an email address that does not
> exist -
>
> # exim -bvs ojhgsdgdgdgdgdowe@???
> ojhgsdgdgdgdgdowe@??? verified
>
> so is there a way for Exim to send a VERIFY ACCOUNT message to the sender?

Yes, but don't.

The docs you provide from your host are misleading. RFC5321 (which
obsoleted RFC2821 in 2008) states:

"Implementations SHOULD support VRFY"

Note SHOULD rather than MUST. In the following sections, discussion is
made of many sites disabling VRFY and for good reason, as it facilitates
spammers to validate addresses at almost zero cost. This is why an
alternative exists.

It's called "callout verification" and it should only ever be used in
loose- or close-coupled systems which have implicit unilateral or
bilateral trust. It's all detailed in the lovely documentation at
http://docs.exim.org. As an example, at work, we do "call-forward"
verification to a number of on-campus systems which are run by third
parties but for which we provide the MX records; this permits us to
reject inbound mail to non-existent addresses at SMTP time rather than
generate a backscatter bounce if we can't deliver.

However, doing this to remote third-party systems is considered by many
third-party operators to be abusive and may land you on various blacklists.

All you can really validate is that a given domain has an MX (or A)
record, which implies the incoming email is valid. There are other
layers on top of that (SPF, DKIM) with which you can validate the
authenticity of an inbound email.

TL;DR - Don't use callouts or VRFY unless you own, or trust, the remote
system.

Graeme
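An Exim ACL fragment illustrating the distinction drawn in the reply above: call-forward verification only for a named list of trusted domains whose MX records you host, a plain routing check (MX/A lookup) for everyone else, and no callouts to arbitrary remote sender domains. This is an added example, not configuration from the post or from the Exim project; the domain names and the 30-second timeout are assumed placeholders.

```exim
# Added example (not from the list post). Main section: the domains for
# which we publish MX records and whose operators we trust enough to
# send a callout to. These names are placeholders.
domainlist callout_domains = dept-a.example.edu : dept-b.example.edu

acl_check_rcpt:
  # Sender domain must at least route (for a remote domain this is the
  # MX/A lookup). No /callout option here: probing third-party systems
  # for the existence of a sender mailbox is what gets you blacklisted.
  deny    !verify = sender
          message = Sender address domain cannot be routed

  # Local recipients are checked against our own routers; a non-existent
  # mailbox is rejected at SMTP time without any network traffic.
  deny    domains = +local_domains
          !verify = recipient
          message = Unknown local recipient

  # Call-forward verification, limited to the trusted campus domains.
  # defer_ok: if the downstream host is unreachable, accept rather than
  # tempfail (the alternative is a later bounce, i.e. backscatter).
  deny    domains = +callout_domains
          !verify = recipient/callout=30s,defer_ok
          message = Recipient address does not exist on $domain

  # Everything else (relay decisions, rate limits, ...) goes here.
  accept
```

Callout results are cached by Exim, so a trusted downstream system is not hit once per RCPT; the point of the list is that a domain never appears in it unless its operator has agreed to be called.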