Re: [exim] verify sender

Inizio della pagina
Delete this message
Reply to this message
Autore: Graeme Fowler
Data:  
To: exim-users
Oggetto: Re: [exim] verify sender
On 11/12/2013 10:11, Oliver Howe wrote:
> Is it possible for exim to perform a verify account test as described here -
>
> https://my.handsonwebhosting.com/knowledgebase/139/Mail-Error-451-Could-not-verify-sender-.html


Yes, but don't.

> I have tried exim -bvs and can get part of the way there, for example
>
> # exim -bvs ojhowe@???
> ojhowe@??? verified
>
> # exim -bvs ojhowe@???
> ojhowe@??? failed to verify: Unrouteable address
>
> which is fine, but it says verified for an email address that does not
> exist -
>
> # exim -bvs ojhgsdgdgdgdgdowe@???
> ojhgsdgdgdgdgdowe@??? verified
>
> so is there a way for Exim to send a VERIFY ACCOUNT message to the sender?


Yes, but don't.

The docs you provide from your host are misleading. RFC5321 (which
obsoleted RFC2821 in 2008) states:

" Implementations SHOULD support VRFY "

Note SHOULD rather than MUST. In the following sections, discussion is
made of many sites disabling VRFY and for good reason, as it facilitates
spammers to validate addresses at almost zero cost. This is why an
alternative exists.

It's called "callout verification" and it should only ever be used in
loose- or close-coupled systems which have implicit unilateral or
bilateral trust. It's all detailed in the lovely documentation at
http://docs.exim.org. As an example, at work, we do "call-forward"
verification to a number of on-campus systems which are run by third
parties but for which we provide the MX records; this permits us to
reject inbound mail to non-existent addresses at SMTP time rather than
generate a backscatter bounce if we can't deliver.

However, doing this to remote third-party systems is considered by many
third-party operators to be abusive and may land you on various blacklists.

All you can really validate is that a given domain has an MX (or A)
record, which implies the incoming email is valid. There are other
layers on top of that (SPF, DKIM) with which you can validate the
authenticity of an inbound email.

TL;DR - Don't use callouts or VRFY unless you own, or trust, the remote
system.

Graeme