Re: [exim] Advice on using acl_smtp_vrfy - good, bad?

Author: Sebastian Arcus
To: exim-users
Subject: Re: [exim] Advice on using acl_smtp_vrfy - good, bad?

On 27/12/17 01:27, Sebastian Arcus via Exim-users wrote:
> I have just discovered that Exim doesn't enable VERIFY by default -
> unless the acl_smtp_vrfy is configured. Searching online, some suggest
> that enabling acl_smtp_vrfy is bad, as it would open the door to
> dictionary attacks - which makes sense. On the other hand, I myself use
> the VERIFY command on remote SMTP servers - by using the following ACL
> (if my understanding is correct):
>   deny  message     = Sender cannot be verified
>         ! verify    = sender/callout=1m,defer_ok
> I find this feature incredibly useful in cutting down on spam. Now,
> considering the above, it would seem only fair that I enable VERIFY on
> my own servers. Could I have some advice or informed opinions on this
> please. Or maybe some suggestions to configure acl_smtp_vrfy in a safer
> way?

After more digging around, I found on Wikipedia (of all places) that
callout verification can be (and is) done nowadays using the simple MAIL
command - so enabling the VRFY command doesn't seem to be necessary any
more. It is strange that this useful information doesn't seem to be
posted anywhere else - at least I haven't stumbled over it anywhere so far.
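
On the quoted question about configuring acl_smtp_vrfy in a safer way, one option is to answer VRFY only for trusted hosts. This is an added example, not part of the original post or of Exim's default configuration; the names vrfy_hosts and acl_check_vrfy and the loopback-only host list are assumptions.

```exim
# Main configuration section.
# Constructed host list (the name vrfy_hosts is an assumption): loopback only.
# "<;" switches the list separator to ";" so the IPv6 address needs no
# doubled colons.
hostlist vrfy_hosts = <; 127.0.0.1 ; ::1

# With acl_smtp_vrfy unset, VRFY stays disabled. Pointing it at an ACL
# turns the command on for whatever that ACL accepts.
acl_smtp_vrfy = acl_check_vrfy

begin acl

# Weak form: answers VRFY for any client, so anyone can test
# whether an address exists.
#
# acl_check_vrfy:
#   accept

# Restricted form: only listed hosts get an answer, everyone else is refused.
acl_check_vrfy:
  accept  hosts   = +vrfy_hosts
  deny    message = VRFY not permitted
```

Sender callouts made by remote servers are unaffected by this ACL, since a callout is carried out with MAIL and RCPT commands rather than VRFY.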