On Mon, 23 May 2011, Graham Butler wrote:

> I am currently looking into adding 'require verify = sender', with no
> callouts, to our Exim configuration. Unfortunately, my manager went to a
> conference last week and was informed that adding 'verify sender' was
> not very wise and could lead to the rejection of legitimate emails.
>
> From my understanding, 'verify sender' is 'confined to verifying that
> the domain is registered in the DNS' with either a MX or an 'A'
> address. Rejecting such emails I would have thought would be good
> practice. I would agree that using 'verify sender' with callout is bad
> practice.
>
> Is the use of 'verify sender' recommended, and can anybody who has
> included 'verify sender' give any feedback on any problems they have
> experienced regarding rejections of legitimate emails?

Used it for years, with no problems. Well, no problems that I much care
about anyway.

The principle we operate with is: we do not accept mail from sites to
which we could not return messages. The justification behind this, apart
from the obvious, is that mail domains are supposed to be required to
support addresses like postmaster@ and abuse@. I take the position that
a domain that originates email but is not configured to accept messages
to it is expressing the opinion "I will send what I like and I do not
care to hear what you might think of it". I don't really want to receive
mail from such sites.

That said, my boss recently came upon a case:

"<[email protected]>: Sender verify failed

Looks like they haven't set up an A or MX record for the domain - but
they have set up a SPF record...

revolution.co-operative.coop. 96 IN TXT "\"v=spf1 ip4:217.114.80.100 ~all\""

So, you might like to consider taking into account whether there are
published SPF records, for example. (I didn't do anything about this
case).

Balance the benefits of "sender = verify" (particularly with regard to
rejecting spam and messages with fraudulent sender domains) against the
possible risks of rejecting the odd 'legitimate' mail. You can always
maintain a whitelist of sender domains to not include in the
"verify = sender" check if you come across them and need to keep mail
working for them, using "! domains = ..."

Yesterday's stats for my MXs say:

Connections: total made                 407578
Rejects/sender address unverifiable       5515
Messages accepted for processing         72119

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
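The sender check with an exemption list, as discussed in this thread, written out as an Exim configuration fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the exemption is expressed with the `sender_domains` ACL condition and a named domain list; the list name `sender_verify_exempt` and the domain `exempt.example` are constructed placeholders.

```exim
# Added example: the list name and the exempt domain are constructed
# placeholders, not values from the thread.

# --- main configuration section ---
# Sender domains that skip sender verification (colon-separated list).
domainlist sender_verify_exempt = exempt.example

# --- ACL section ---
begin acl

# Assumes the main section sets: acl_smtp_rcpt = acl_check_rcpt
acl_check_rcpt:

  # Without exemptions the check is a single line:
  #   require verify = sender
  #
  # With exemptions: reject only when the sender domain is NOT on the
  # exempt list AND the envelope sender fails verification. No callout
  # option is given, so the address is only routed; no SMTP probe is
  # made to the sender's mail server.
  deny    !sender_domains = +sender_verify_exempt
          !verify         = sender

  # ... remaining RCPT checks (relay control, recipient verification) ...
```

A fake SMTP session started with `exim -bh <client-ip>` exercises the ACL against a test sender address without delivering any mail.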
