exim: Don't do sender verification by callout.

Doing callouts puts extra resource pressure on the called server. Since
the sender address will be forged in a lot of cases anyway, this won't
really help us and can be used in a DDOS attack on some server. See
http://www.backscatterer.org/index.php?target=sendercallouts

diff --git a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
index 21be517ee2aebcfcae896f0ae514374b9f3942c2..44da6dc3a9e07b85da182c06c1ad085d4add264d 100644 (file)
--- a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
+++ b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
@@ -76,13 +76,9 @@ acl_check_rcpt:
 
 
   # Deny unless the sender address can be verified.
 
 
   # Deny unless the sender address can be verified.

-  #
-  # This also performs "callout" verification, i.e., connect to the sender's
-  # mailserver and see if it accepts the mail address. This is quite
-  # expensive, but might save a bunch of spamchecks...

   deny
     message = Sender verification failed
   deny
     message = Sender verification failed

-    !verify = sender/callout
+    !verify = sender

 
 
   # Accept if the message arrived over an authenticated connection, from
 
 
   # Accept if the message arrived over an authenticated connection, from