On Thu, 2010-01-07 at 14:01 +0000, Jeremy Harris wrote: > verify sender /callout
To make that clear, it's an ACL function: verify = sender/callout[,options] It's very well documented. > Do the sender-verify only for non-null FROM, and using a null FROM - > just like emitting a bounce. Unless you're Microsoft. <snip> > Some people think that sender-verifies are evil. Google. Callout verification is not evil per se, applied to either senders or recipients (think of a corporate or academic mailhub). However, arbitrary usage of sender callouts against all inbound mail is inadvisable as it is very easy to create a DoS condition against a remote site. The best example is as follows: A spammer takes an address within a domain under your control and then sends millions of messages using that in the "MAIL FROM:" command. All of the hypothetical receiving MX servers (in many thousands, or millions of domains) then do callout verification against the sender domain MX. That's your MX. It dies under the load of incoming connections. I hope you see why arbitrary Sender Address Verification (SAV) is widely considered to be a bad thing. It's a very useful technique in loosely-coupled systems, but not across the Internet as a whole. There are a growing number of blacklists which will list your for using SAV. I could name some but I'd like to keep the religious wars on other lists :) Graeme -- ## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
