From: Matthijs Kooijman Date: Mon, 4 May 2009 12:58:56 +0000 (+0200) Subject: exim: Don't do sender verification by callout. X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fservers%2Fdrsnuggles.git;a=commitdiff_plain;h=65cf2f49508f04297239866bc8a4e8590db15d27 exim: Don't do sender verification by callout. Doing callouts puts extra resource pressure on the called server. Since the sender address will be forged in a lot of cases anyway, this won't really help us and can be used in a DDOS attack on some server. See http://www.backscatterer.org/index.php?target=sendercallouts --- diff --git a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt index 21be517..44da6dc 100644 --- a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt +++ b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt @@ -76,13 +76,9 @@ acl_check_rcpt: # Deny unless the sender address can be verified. - # - # This also performs "callout" verification, i.e., connect to the sender's - # mailserver and see if it accepts the mail address. This is quite - # expensive, but might save a bunch of spamchecks... deny message = Sender verification failed - !verify = sender/callout + !verify = sender # Accept if the message arrived over an authenticated connection, from
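Review bot: In the comment block above the `deny` statement in acl_check_rcpt, the hunk deletes the whole explanation of callouts and leaves only "# Deny unless the sender address can be verified.", so the reason for using plain `!verify = sender` is recorded only in the commit message. A short comment in the file itself, such as "# No /callout on purpose: it loads the called server and the sender is often forged", would keep a later edit from reintroducing `sender/callout`. It would also help to note there that, without the callout, this check no longer asks the sender's mail server whether the address exists, so "Sender verification failed" now covers fewer cases than before.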