exim4, sender verify, and smart hosts [Nov. 30th, 2004|01:49 pm]
Today, I discovered that one of my machines running exim4 wasn't doing sender verification as I thought it should be. (This is where the server checks whether the sender is OK, by checking whether a mail server for that sender's domain would accept a bounce for them.)

From the manual, I found that running "exim4 -bhc some.external.ip", or even "exim4 -d -bhc some.external.ip", shows which rules and checks are being applied, and why.

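After a bit of prodding, this turned out to be because I had the line
  require verify = sender
instead of
  require verify = sender/callout
which is what I really needed. Plain "verify = sender" only checks that the sender address can be routed; the "/callout" option is what makes exim connect to the sender's mail server and test the address there.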

Then, I hit a snag. My machine was trying to use my smarthost to verify the sender of an inbound message, and that wasn't working. The solution was to add "verify_sender = false" to the smarthost router definition, to stop it being used to check sender addresses. That, however, leaves no router available to do the checks.

So, I then added a new dnslookup router, with the option "verify_only", which means it only gets used for verification, never delivery. The routers I have then look like:
# Use this only for doing verifications
# (router names are illustrative)
verify_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = :
  verify_only

# Finally, route mail out through bytemark
# Not used on sender verification, as that won't work
smarthost:
  driver = manualroute
  transport = remote_smtp
  verify_sender = false
  route_list = !+local_domains my.smarthost.name

Bingo, I then had my sender verification working. True, most people who are doing sender verification will be using dnslookup and not a smarthost, but I'm sure I can't be the only one!
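The three router states described above (smarthost only, smarthost with "verify_sender = false", and the final two-router setup) can be told apart mechanically. The following is an added example, not part of the original post and not exim's own tooling: a simplified router-section check in which the router names, sample configs and the set of "remote" drivers are assumptions.

```python
import re

REMOTE_DRIVERS = {"dnslookup", "manualroute"}  # assumption: only these route off-host

def parse_routers(text):
    """Return [(name, {option: value})] in file order (simplified: one option
    per line, no macros, .include or continuation lines)."""
    routers = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"\w+:", line):
            routers.append((line[:-1], {}))
        elif routers:
            key, _, val = line.partition("=")
            routers[-1][1][key.strip()] = val.strip() or "true"
    return routers

def flag(opts, name, default):
    """Exim boolean forms: name, name = true/yes/false/no, no_name, not_name."""
    if "no_" + name in opts or "not_" + name in opts:
        return False
    return opts[name].lower() in ("true", "yes") if name in opts else default

def audit(text):
    """List problems with how remote sender addresses would be verified."""
    remote = [(n, o) for n, o in parse_routers(text)
              if o.get("driver") in REMOTE_DRIVERS]
    verifiers = [(n, o) for n, o in remote
                 if flag(o, "verify", True) and flag(o, "verify_sender", True)]
    findings = []
    if not verifiers:
        findings.append("no router available for sender verification")
    elif verifiers[0][1]["driver"] == "manualroute":
        findings.append("sender callouts routed to smarthost: " + verifiers[0][0])
    if all(flag(o, "verify_only", False) for _, o in remote):
        findings.append("no router delivers remote mail")
    return findings

# Constructed samples; router names and the smarthost name are placeholders.
SMARTHOST = ("smarthost:\n driver = manualroute\n transport = remote_smtp\n"
             " route_list = !+local_domains my.smarthost.name\n")
NO_VERIFY = SMARTHOST + " verify_sender = false\n"
FIXED = ("verify_dnslookup:\n driver = dnslookup\n domains = ! +local_domains\n"
         " transport = remote_smtp\n verify_only\n") + NO_VERIFY

if __name__ == "__main__":
    for label, cfg in [("smarthost only", SMARTHOST),
                       ("verify_sender = false", NO_VERIFY), ("fixed", FIXED)]:
        print(label, "->", audit(cfg) or "ok")
```

The check looks only at router order and verify options; it ignores "domains" preconditions, so treat a clean result as a hint and confirm with "exim4 -bhc" as above.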

Update: You might find that the default timeout on the sender verify callout is too short, and you'll end up rejecting mail from people with overloaded mail servers. Changing sender/callout to sender/callout=45s will cause the check to wait for up to 45 seconds before timing out. I've found that this doesn't impose too much of an extra load on my servers, but does stop legitimate mail being rejected.