[Mailman-Users] Has anyone actually implemented Postfix address verification for their sites?
John W. Baxter
jwblist at loricamail.com
Sun May 7 21:28:05 CEST 2006

On 5/7/06 10:46 AM, "Brad Knowles" <brad at stop.mail-abuse.org> wrote:

> I'm curious to know -- Postfix has this address verification
> feature, which is kind of like greylisting. Basically, before a
> message from a given envelope sender will be accepted, the system has
> to get a confirmation that the registered MXes for that envelope
> sender domain will at least appear to accept messages for that sender.

It's not really like greylisting, although it can stop mail from a
similar--not the same--collection of servers.

Exim has a similar feature, which some Exim admins use and others believe is
bad citizenship. (As with Brad's comments, Exim also caches results.)

Of the Exim admins who use the feature and to whom I listen the most, the
feeling seems to be that this test (a) needs to be done selectively, as some
servers respond oddly or uselessly (e.g. Yahoo), and (b) should be done after
other protections have not stopped a sender. We don't presently use the

Part of selectivity is to ensure that you don't get into a callout loop with
some sender (part of which is deferring callouts where the MAIL FROM command
until after the DATA command (which the other server's callout should never

Another useful defense can be to delay sending out the initial banner for a
few seconds and/or delay sending the response to EHLO or HELO for a few
seconds. Many of the spam engines just press on with the EHLO/HELO in the
first case or the MAIL FROM: in the second case, and the receiving server
can then reject the protocol violation (I don't know whether Postfix can do
that). This is another case where selectivity is a good idea--there is no
point in slowing things down when known white hats are sending you mail (and
the delays do eat your resources--open TCP connections).
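
The banner-delay check described in the last paragraph of the message above, as an added example that is not part of the original post and is not Postfix or Exim code: the server holds back its 220 greeting, rejects a client that talks first, and skips the delay for trusted peers. The function names, the reply texts, the host names and the addresses are assumptions made for illustration, and the sessions run over a local socket pair rather than real SMTP connections.

```python
import select
import socket

# Hypothetical values; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
TRUSTED_PEERS = {"192.0.2.10"}
BANNER = b"220 mx.example.test ESMTP\r\n"
REJECT = b"554 5.5.1 Protocol violation: command sent before greeting\r\n"


def greet(conn, peer_ip, delay=3.0, trusted=TRUSTED_PEERS):
    """Send the SMTP banner after an optional delay.

    Returns "trusted", "ok" or "early-talker". A client that sends anything
    (or hangs up) before the banner is out gets the 554 instead of the 220.
    """
    if peer_ip in trusted:
        # Selectivity: known-good senders are greeted at once, so they
        # do not hold a TCP connection open for the length of the delay.
        conn.sendall(BANNER)
        return "trusted"
    # Wait up to `delay` seconds; a readable socket means the client spoke first.
    readable, _, _ = select.select([conn], [], [], delay)
    if readable:
        conn.sendall(REJECT)
        return "early-talker"
    conn.sendall(BANNER)
    return "ok"


def simulate(peer_ip, client_speaks_first, delay=0.2):
    """Run one constructed session and return (verdict, bytes the client saw)."""
    server, client = socket.socketpair()
    try:
        if client_speaks_first:
            # Constructed early talker: EHLO goes out before any greeting arrives.
            client.sendall(b"EHLO bulk.example.test\r\n")
        verdict = greet(server, peer_ip, delay=delay)
        return verdict, client.recv(1024)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for ip, early in [("198.51.100.7", True), ("198.51.100.8", False),
                      ("192.0.2.10", True)]:
        print(ip, "speaks first" if early else "waits", simulate(ip, early))
```

The same wait-and-check step placed before the EHLO/HELO reply covers the second case the message mentions.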