I have just discovered that Exim doesn't enable VERIFY by default -
unless acl_smtp_vrfy is configured. Searching online, I found some
suggesting that enabling acl_smtp_vrfy is bad, as it would open the door to
dictionary attacks - which makes sense. On the other hand, I myself use
the VERIFY command on remote SMTP servers - by using the following ACL
(if my understanding is correct):
  deny  message = Sender cannot be verified
        !verify = sender/callout=1m,defer_ok
I find this feature incredibly useful in cutting down on spam. Now,
considering the above, it would seem only fair that I enable VERIFY on
my own servers. Could I have some advice or informed opinions on this,
please? Or maybe some suggestions to configure acl_smtp_vrfy in a safer way?
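One way to turn acl_smtp_vrfy on without answering the whole Internet is to gate the command on who is asking and how often, and let Exim do the actual lookup only after the ACL accepts. The fragment below is an added example written for this thread; it is not configuration from the original post or from the Exim distribution. The host list name vrfy_allowed_hosts, the 192.0.2.0/24 network (a documentation range used as a placeholder) and the rate of 30 probes per hour are assumptions to adapt.

```exim
# --- main section ---------------------------------------------------------
# The setting people warn about: VRFY answered for every connecting host,
# so anyone can walk a wordlist of local parts and collect valid addresses.
#
#   acl_smtp_vrfy = accept
#
# Restricted version: run a named ACL instead.
acl_smtp_vrfy = acl_check_vrfy

# Hypothetical host list of machines permitted to probe our addresses
# (192.0.2.0/24 is a documentation range, used here as a placeholder).
hostlist vrfy_allowed_hosts = 127.0.0.1 : 192.0.2.0/24

begin acl

acl_check_vrfy:
  # Clients that authenticated on this connection may check addresses;
  # an attacker would first need valid credentials.
  accept  authenticated = *

  # Everyone outside the trusted list is refused with a 5xx and learns
  # nothing about whether the address exists.
  deny    !hosts  = +vrfy_allowed_hosts
          message = VRFY is not available from this host

  # Trusted hosts still get a ceiling. A compromised relay that starts
  # enumerating is cut off after 30 VRFY commands in an hour; "strict"
  # keeps counting while it is over the limit, and "per_cmd" updates the
  # rate on every command rather than once per message.
  deny    ratelimit = 30 / 1h / strict / per_cmd
          message   = Too many VRFY attempts from $sender_host_address

  # Accepting here is what makes Exim verify the address the VRFY named
  # and report the result to the client.
  accept
```

Two things worth keeping in mind. First, a deny in the VRFY ACL is reported as a 5xx, so untrusted clients see a refusal rather than a "user unknown", which is the point. Second, the sender callout quoted above is itself the same kind of probe aimed at other people's servers, only via MAIL FROM/RCPT TO rather than VRFY; the defer_ok option means a callout that times out or gets a 4xx counts as verified, so it throttles spam but does not hard-fail on an unresponsive remote host.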