Graham Butler wrote:
I am currently looking into adding 'require verify = sender', with no
callouts, to our Exim configuration. Unfortunately, my manager went
to a conference last week and was informed that adding 'verify
sender' was not very wise and could lead to the rejection of
legitimate emails.

From my understanding, 'verify sender' is 'confined to verifying
that the domain is registered in the DNS' with either an MX or an
'A' address. Rejecting such emails I would have thought would be
good practice. I would agree that using 'verify sender' with
callout is bad practice.

Is the use of 'verify sender' recommended, and can anybody who has
included 'verify sender' give any feedback on any problems they have
experienced regarding rejections of legitimate emails?

Graham Butler Infrastructure Team. The University of Huddersfield


We found it to not add enough value to risk. Stopped doing it within about a month of starting.

The 'good stuff' - confirmation that there is not only a valid DNS route back, but that there is actually a device online and at least pretending to comply with SMTP ... cannot be assured...

Because of:

... greylisting ...

... even quite short 'in session' delays (15 or 20 seconds)

... rejections due to per-IP connection-count limits

... certain types of server 'pools' or even just multiple IPs on the same box if the probe comes from an IP that itself fails an rDNS check, as many do.

... other active checks that don't let the probe get 'far enough, fast enough' down the SMTP session sequence to return approval before you time-out

So even when it works fast and well, it takes up b/w, time, and cycles to provide an 'appears to be OK' answer, yet still not a guarantee.

Dead-easy for a bot to fake a compliant session.

Harder to fiddle DNS records.

YMMV,

Bill

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
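
The two forms of sender verification discussed in this thread, as an added Exim ACL fragment that is not part of either message. It assumes the ACL name used by Exim's default configuration (`acl_smtp_rcpt = acl_check_rcpt`); the message text and the 30s timeout are illustrative values.

```conf
# Added illustration, not from the thread.
# Assumes the main section contains: acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Form asked about in the question: no callout.
  # The envelope sender is run through the routers in verify mode. With the
  # usual dnslookup router this means the sender domain must resolve in DNS.
  # No connection is made to the sender's mail server.
  # A temporary DNS failure makes the ACL defer (4xx response), so the
  # sending host retries later rather than receiving a permanent rejection.
  require message = Sender address could not be verified
          verify  = sender

  # Form with a callout, shown commented out for comparison.
  # Exim opens an SMTP session to the sender's domain and probes the address.
  # This is the variant exposed to the greylisting, in-session delay and
  # connection-limit failures listed in the reply above. defer_ok lets mail
  # through when the probe times out or gets a temporary error.
  #
  # require message = Sender address could not be verified
  #         verify  = sender/callout=30s,defer_ok

  # ... remaining recipient checks follow here ...
```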
