[exim] Advice on using acl_smtp_vrfy - good, bad?

Author: Sebastian Arcus
Date:  
To: Exim Users
Subject: [exim] Advice on using acl_smtp_vrfy - good, bad?
I have just discovered that Exim doesn't enable VERIFY by default -
unless the acl_smtp_vrfy is configured. Searching online, some suggest
that enabling acl_smtp_vrfy is bad, as it would open the door to
dictionary attacks - which makes sense. On the other hand, I myself use
the VERIFY command on remote SMTP servers - by using the following ACL
(if my understanding is correct):

   deny  message     = Sender cannot be verified
         ! verify    = sender/callout=1m,defer_ok


I find this feature incredibly useful in cutting down on spam. Now,
considering the above, it would seem only fair that I enable VERIFY on
my own servers. Could I have some advice or informed opinions on this,
please? Or maybe some suggestions to configure acl_smtp_vrfy in a safer way?
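
An added configuration sketch, not part of the original message and not taken from the Exim project: one way to scope acl_smtp_vrfy so that VRFY is answered only for trusted clients and is rate limited per client address. The ACL name acl_check_vrfy, the hostlist contents, and the 10-per-hour limit are assumptions to adapt.

```exim
# --- main configuration section ---

# Constructed sample list of clients trusted to issue VRFY.
hostlist relay_from_hosts = 127.0.0.1

# Point the VRFY command at a named ACL (the name is an assumption).
acl_smtp_vrfy = acl_check_vrfy

# --- after "begin acl" ---

# Weak form, shown for contrast: an ACL consisting only of "accept"
# lets any client test whether an address exists.
#
# acl_check_vrfy:
#   accept

acl_check_vrfy:
  # Refuse clients that are neither in the trusted list nor authenticated.
  # Conditions under one verb are ANDed, so both must hold to deny.
  deny    message        = VRFY not available
          !hosts         = +relay_from_hosts
          !authenticated = *

  # Cap lookups per client address, so that a trusted or authenticated
  # client that starts enumerating addresses is cut off too.
  # The 10 / 1h figure is an assumed starting point.
  deny    message        = Too many VRFY commands
          ratelimit      = 10 / 1h / per_cmd / strict

  # Everything that reaches this point is trusted and under the limit.
  accept
```

Leaving acl_smtp_vrfy unset keeps the default behaviour described in the message, where VRFY is not enabled.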