Re: [Hampshire] VRIFY

Author: Steve Kirk
Date:  
To: hampshire
Subject: Re: [Hampshire] VRIFY
On Tuesday 19 February 2008 14:44, Jacqui Caren wrote:
> Ottavio Caruso wrote:
> > Hello,
> >
> >
> > The scenario: this box is a linux mail relay, scanning mail and
> > delivering to a destination mail server, a horrible M$ EXCHANGE.
> >
> > When it deals with recipient verification, the relay runs a local
> > daemon that connects to the destination server via either LDAP or
> > SMTP according to settings.
> >
> > Now, the EXCHANGE is notoriously crap at recipient verification and
> > if you telnet the server at port 25 it will accept mail for any
> > address @ that domain, for example:
> >
> > 657657657567@???
> > 67tr37y3y7@???
> > invalid@???
> >
> > and so on.
> >
> > Now I have been told to advise the exchange's admin to enable VRFY.
>
> It is recommended that this be disabled for net access as this is
> often used by spammers and hackers to check valid emails/account
> names.

Yep, I'd second this, to a certain extent. If I remember correctly, VRFY
is required to be compliant to the RFCs but it is also my understanding
that it's widely abused as Jacqui says.
>
> Alternatively you could have the mail frontend connect to the
> exchange LDAP account server - if available.

This is effectively what we do at work, albeit in the form of a FreeBSD
and Postfix based appliance solution. We will respond as though any
address exists if a VRFY is attempted in order to be RFC compliant -
although I also think this is done so the suppliers can say the device
is RFC compliant without giving away address lists etc.

LDAP is then used to check email addresses actually exist before a mail
is accepted onto the mail queue, at the time a RCPT is issued. The
appliance effectively mirrors the LDAP structure from AD using (I
think) OpenLDAP to the appliance itself. It seems to work well, and it
is also resilient to loss of connectivity between the appliance and the
domain controller as they're at different sites. It re-imports any
changes nightly.

Hope this gives you some ideas.

Cheers,
Steve
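
The front-end policy Steve describes, written out as an added example (not code from this thread, from Postfix or from the appliance he mentions): VRFY is answered with a non-disclosing 252 reply, while RCPT TO is checked against a recipient set mirrored from the directory before anything is queued. The recipient set, the addresses and the function names are constructed for the illustration; the `enumeration_leaks` check shows that a 550 at RCPT time still distinguishes real from bogus addresses, which the thread's advice should be weighed against.

```python
import re

# Constructed stand-in for the recipient list the relay mirrors from AD
# (the thread describes a nightly LDAP import). Addresses are hypothetical.
RECIPIENT_MAP = {"alice@example.test", "bob@example.test"}

# Accepts both "VRFY alice@x" and "RCPT TO:<alice@x>" argument forms.
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


def extract_address(arg):
    """Pull the mailbox out of a VRFY or RCPT argument, lower-cased."""
    m = ADDR_RE.search(arg)
    return m.group(1).lower() if m else None


def handle_vrfy(arg, recipients=RECIPIENT_MAP):
    """Keep VRFY available (RFC 5321 s.3.5.3 permits a 252 reply) but give the
    same answer whether or not the mailbox exists, so the command cannot be
    used to harvest addresses. The recipient set is deliberately not consulted."""
    if extract_address(arg) is None:
        return "501 5.5.2 Syntax: VRFY address"
    return "252 2.1.5 Cannot VRFY user, but will accept message and attempt delivery"


def handle_rcpt(arg, recipients=RECIPIENT_MAP):
    """Verify RCPT TO against the mirrored directory before queueing, so the
    relay never accepts mail the Exchange server would later bounce."""
    addr = extract_address(arg)
    if addr is None:
        return "501 5.5.2 Syntax: RCPT TO:<address>"
    if addr in recipients:
        return f"250 2.1.5 <{addr}> Recipient ok"
    return f"550 5.1.1 <{addr}> User unknown"


def enumeration_leaks(handler, probes, recipients=RECIPIENT_MAP):
    """True if the handler's reply codes differ across the probe addresses,
    i.e. the command can be used to tell valid mailboxes from invalid ones."""
    codes = {handler(p, recipients)[:3] for p in probes}
    return len(codes) > 1


if __name__ == "__main__":
    for cmd in ("alice@example.test", "657657567@example.test"):
        print("VRFY", cmd, "->", handle_vrfy(cmd))
        print("RCPT", cmd, "->", handle_rcpt(f"TO:<{cmd}>"))
```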