On 27/12/17 01:27, Sebastian Arcus via Exim-users wrote:
I have just discovered that Exim doesn't enable VERIFY by default - unless acl_smtp_vrfy is configured. Searching online, some suggest that enabling acl_smtp_vrfy is bad, as it would open the door to dictionary attacks - which makes sense. On the other hand, I myself use the VERIFY command on remote SMTP servers - by using the following ACL (if my understanding is correct):

   deny  message     = Sender cannot be verified
         ! verify    = sender/callout=1m,defer_ok

I find this feature incredibly useful in cutting down on spam. Now, considering the above, it would seem only fair that I enable VERIFY on my own servers. Could I have some advice or informed opinions on this, please? Or maybe some suggestions on configuring acl_smtp_vrfy in a safer way?

After more digging around, I found on Wikipedia (of all places) that callout verification can be (and is) done nowadays using the simple MAIL command - so enabling the VRFY command doesn't seem to be necessary any more. It is strange that this useful information doesn't seem to be posted anywhere else - at least I haven't stumbled over it anywhere so far.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

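The exchange the post ends up describing, a sender callout that probes the sender's MX with MAIL FROM:<> and RCPT TO:<sender> and never sends VRFY, as an added example that is neither part of the original post nor Exim's own code. It assumes the caller has already resolved the sender domain's MX and passes its host and port (Exim does that lookup itself), uses a made-up EHLO name, simplifies Exim's handling of unexpected replies to "defer", and includes a constructed fake MX so the exchange can be run offline; `acl_verdict` maps the result onto the `deny ! verify = sender/callout=1m,defer_ok` line from the post.

```python
"""Sender callout verification, the way Exim's `verify = sender/callout` works.

Added example, not Exim's code.  Assumes the caller resolved the sender
domain's MX (Exim does the DNS itself); `helo_name` is a made-up hostname;
`fake_mx` is a constructed test double so the exchange runs offline.
"""
import socket
import threading

ACCEPT, REJECT, DEFER = "accept", "reject", "defer"


def _read_reply(rfile):
    """Read one SMTP reply, following 250-style continuation lines; return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("remote closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def _command(rfile, wfile, command):
    """Send one command line and return the parsed reply."""
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return _read_reply(rfile)


def sender_callout(sender, mx_host, mx_port=25, timeout=60.0, helo_name="mail.example.net"):
    """Probe `sender` at `mx_host` with MAIL FROM:<> and RCPT TO:<sender>; no VRFY.

    Only the RCPT reply decides: 2xx -> accept, 5xx -> reject.  4xx, a refused or
    timed-out connection, or an odd reply earlier in the session all give defer
    (a simplification of Exim's handling).  `timeout` is the "1m" of callout=1m.
    """
    try:
        with socket.create_connection((mx_host, mx_port), timeout=timeout) as sock:
            rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
            if _read_reply(rfile)[0] != 220:                  # greeting banner
                return DEFER
            code, _ = _command(rfile, wfile, f"EHLO {helo_name}")
            if code // 100 != 2:                              # pre-ESMTP host: fall back to HELO
                code, _ = _command(rfile, wfile, f"HELO {helo_name}")
                if code // 100 != 2:
                    return DEFER
            if _command(rfile, wfile, "MAIL FROM:<>")[0] // 100 != 2:
                return DEFER
            code, _ = _command(rfile, wfile, f"RCPT TO:<{sender}>")
            try:
                _command(rfile, wfile, "QUIT")                # never proceed to DATA
            except (OSError, ValueError):
                pass                                          # verdict already known
            if code // 100 == 2:
                return ACCEPT
            return REJECT if code // 100 == 5 else DEFER
    except (OSError, ValueError):                             # refused, timed out, garbled reply
        return DEFER


def acl_verdict(callout_result, defer_ok=True):
    """Outcome of `deny ! verify = sender/callout=1m,defer_ok`: "deny" when the
    sender's MX rejected the address; "defer" (client gets a 4xx and retries)
    when the callout was incomplete and defer_ok is off; otherwise "ok"."""
    if callout_result == REJECT:
        return "deny"
    if callout_result == DEFER and not defer_ok:
        return "defer"
    return "ok"


def fake_mx(rcpt_reply):
    """Constructed test double: one-connection MX on 127.0.0.1 answering every
    command with 250 except RCPT (gets `rcpt_reply`) and QUIT.  Returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as r, conn.makefile("wb") as w:
            w.write(b"220 mx.example.org ESMTP\r\n")
            w.flush()
            for line in r:
                verb = line.split(b" ", 1)[0].strip().upper()
                reply = {b"RCPT": rcpt_reply, b"QUIT": "221 Bye"}.get(verb, "250 OK")
                w.write(reply.encode("ascii") + b"\r\n")
                w.flush()
                if verb == b"QUIT":
                    break

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    port, thread = fake_mx("550 5.1.1 No such user here")
    result = sender_callout("nobody@example.org", "127.0.0.1", port, timeout=5)
    thread.join(5)
    print(result, "->", acl_verdict(result))   # reject -> deny
```

The point of the null MAIL FROM:<> is that the probe looks like a bounce, which any compliant MX must accept, so the only thing being tested is whether RCPT TO for the sender address is accepted. That is why a remote site gains nothing from turning VRFY on for you, and why leaving acl_smtp_vrfy unset on your own server costs other people's callouts nothing either: the same dictionary probe that VRFY would allow is already possible through RCPT TO, and the usual mitigations (rate limiting, callout caching, greylisting, rejecting at RCPT only for addresses you know) apply to both.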