Nigel Metheringham wrote:
Bill - I think your answer is referring to callback verification,
which Graham (original poster) explicitly wasn't suggesting.  DNS
checks - such as you suggest - are handled by basic sender
verification.

Nigel.

Very much so.

 'mea culpa'.

One name, innocuous 'tail', but two very different actions.

We should 'honour the threat' (confusion AND flame war potential...)

... and just sever the nomenclature (other post on that..)

Thanks,

Bill


On 23 May 2011, at 15:42, W B Hacker wrote:

Graham Butler wrote:
I am currently looking into adding 'require verify = sender',
with no callouts, to our Exim configuration. Unfortunately, my
manager went to a conference last week and was informed that
adding 'verify sender' was not very wise and could lead to the
rejection of legitimate emails.

From my understanding, 'verify sender' is 'confined to
verifying that the domain is registered in the DNS' with either
a MX or an 'A' address. Rejecting such emails I would have
thought would be good practice. I would agree that using
'verify sender' with callout is bad practice.

Is the use of 'verify sender' recommended, and can anybody who
has included 'verify sender' give any feedback on any problems
they have experienced regarding rejections of legitimate emails?

Graham Butler Infrastructure Team. The University of
Huddersfield


We found it to not add enough value to risk. Stopped doing it
within about a month of starting.

The 'good stuff' - confirmation that there is not only a valid DNS
route back, but that there is actually a device online and at least
pretending to comply with smtp.. cannot be assured...

Because of:

... greylisting ...

... even quite short 'in session' delays (15 or 20 seconds)

... rejections due to per-IP connection-count limits

... certain types of server 'pools' or even just multiple IP on
same box if the probe comes from an IP that itself fails an rDNS
check, as many do.

... other active checks that don't let the probe get 'far enough,
fast enough' down the smtp session sequence to return approval
before you time-out

So even when it works fast and well, it takes up b/w, time, and
cycles to provide an 'appears to be OK' answer, yet still not a
guarantee.

Dead-easy for a bot to fake a compliant session.

Harder to fiddle DNS records.

YMMV,

Bill

-- ## List details at
https://lists.exim.org/mailman/listinfo/exim-users ## Exim details
at http://www.exim.org/ ## Please use the Wiki with this list -
http://wiki.exim.org/

-- [ Nigel Metheringham ------------------------------
[email protected] ] [                 Ellipsis Intangible Technologies
]





--
Ciào

Bill
韓家標
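
The two settings this thread distinguishes, side by side in an Exim RCPT ACL. This is an added example, not configuration posted by anyone in the thread; the ACL name `acl_check_rcpt` follows Exim's stock configuration, and the rejection message and the 20s callout timeout are constructed values.

```exim
# Fragment of the ACL section; the rest of the RCPT ACL (relay control,
# recipient verification, final deny) stays as it is.

acl_check_rcpt:

  # Basic sender verification, no callout (what Graham asks about).
  # The envelope sender is run through the routers in verify mode; for a
  # remote domain this normally comes down to a DNS lookup for MX or
  # address records. No SMTP connection is opened to the sender's host.
  # A domain that does not resolve is rejected with a 5xx response; a
  # temporary DNS failure yields a 4xx response, so a legitimate sender
  # retries later.
  require message = sender address does not verify
          verify  = sender

  # Callout variant (what Bill's reply describes). Exim connects to the
  # sender's mail host and probes it with RCPT TO. The result depends on
  # greylisting, response delays, connection limits and rDNS checks at the
  # far end. defer_ok treats a timeout or temporary error as a pass
  # instead of deferring the message.
  # require message = sender callout failed
  #         verify  = sender/callout=20s,defer_ok
```

To see how a given address fares under the first form without touching live mail, `exim -bvs user@example.org` runs the same sender verification from the command line.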
