David Saez Padros wrote:
> Hi !!
>
>> That's probably better to actually _do_ callout when spf=pass, because
>> you are "sure" that one of the authorized IPs for the domain has sent the
>> mail, so you have rights to verify the address exists.
>
> Yes, but then the tested address is likely to exist, so the callout will
> almost always succeed. If you do the callout when spf != pass you will
> honour BATV (if used by the remote domain) and/or check that at least
> the remote address exists.
Indeed, but, as mentioned before, some will argue that if the SPF result is false you have no right to use their resources to verify things, as it is probably spam. And if spf != pass && spf != false (i.e. not defined) you still have no right to do a callout, as you could be a player in a DDoS. So there is no real solution to this; the best practice would be that the callout should be your last line of defense (just before the DATA session). It should also be avoided if the host is trusted (but this last one is probably nearly unmaintainable for large environments).
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
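One way to express the policy discussed above as the tail of an Exim RCPT ACL, as an added example that is not part of this thread and not a configuration either poster said they run. It assumes Exim built with SPF support (so the `spf` condition and `$spf_result` exist; without it the `spf` line is a configuration error), a `relay_from_hosts` host list defined elsewhere, and that this fragment sits at the end of `acl_check_rcpt`, after the cheaper checks (local-part verification, DNS lists, etc.), so that the callout is the last test before DATA. The "callout only on spf=pass" policy is the one wired in; the "callout on anything but pass" alternative is the commented condition.

```exim
# Added example (not from the thread). Tail of acl_check_rcpt; assumes the
# cheaper checks already ran above, so the callout is the last line of
# defense before the DATA stage.

  # Trusted hosts never trigger a callout (assumed host list name).
  accept  hosts = +relay_from_hosts

  # Evaluate SPF once. Whether this statement's list matches does not
  # matter; the point is that the spf condition populates $spf_result
  # for the statements below. A warn verb with no modifiers does nothing
  # else.
  warn    spf = pass : fail : softfail : neutral : none

  # Policy A (active): only spend a callout when SPF passed, i.e. an IP
  # authorised for the MAIL FROM domain sent the message, so verifying
  # that the sender address exists is using their resources legitimately.
  #
  # Policy B (the other side of the debate): callout only when SPF did
  # not pass, to honour BATV and catch forged non-existent senders.
  # Swap the condition for:
  #         condition = ${if !eq{$spf_result}{pass}}
  #
  # defer_ok turns a timed-out or deferred callout into "not a failure",
  # so a slow or unreachable remote MX is not punished and we do not keep
  # hammering it on every RCPT.
  deny    message   = sender verification failed for $sender_address
          condition = ${if eq{$spf_result}{pass}}
          !verify   = sender/callout=30s,defer_ok

  accept
```

The callout statement is deliberately the last `deny` in the ACL: every cheaper, local check has already had its chance to reject, so only mail that has survived them costs the remote site a connection, which is the "last line of defense" ordering described in the message above.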
