John D. Hardin wrote:

If you want to only accept mail from valid user names in foreign
domains, that's more of a problem. Very few sendmail installs these
days enable VRFY, in order to cut down on dictionary attacks. The only
semi-reliable way to check whether a given alias at a foreign domain
exists is to start an SMTP session and send a RCPT TO: and see if it
is accepted.

I think this is called "call back verification" or something like that. I know CommuniGate Pro supports it natively, and I think postfix does too (but I don't have direct experience with postfix, exim, or qmail; I just think I've heard of at least one of them having this type of option). I also know that Verizon does it on their MX hosts, but don't know what their MTA is.

This can cause problems with an aggressive Greet Pause, by the way. For example, if your Greet Pause to Verizon is longer than 10-15 seconds, they assume your mailer isn't valid, and thus they reject your sender address because they can't verify it.

And this isn't necessarily reliable because the
public-facing MX may not know who valid users are, it may accept all
messages and then a later, more-inner MX that does know who is valid
may reject based on valid recipients.

I don't know whether sendmail natively supports doing this (which I
doubt), and if so, how to enable it. Many admins consider doing this
automatically to be impolite, as it can effectively be a DDoS vector.

Natively?  I don't think so.

From within a milter? Sure. I think you could take mimedefang's recipient validation function (for looking ahead to prevent the problem you outline when describing that "public-facing MX may not know who valid users are" issue) to instead call the sender's mail server to validate the sender as a recipient. So that's one milter that can probably do it. You could probably write a variation of milter-ahead that would do it. Or roll your own from scratch.
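
The callback check discussed in this thread, as an added example that is not part of the original messages and is not code from sendmail, mimedefang or milter-ahead: a null-sender RCPT TO probe that stops before DATA, reports a temporary failure when the greeting times out, and reports "unknown" when the MX also accepts a random recipient. `callout`, `FakeMX`, the HELO name and the example.org addresses are assumptions made for the illustration; `FakeMX` is a constructed stand-in so the block runs offline.

```python
import secrets

def callout(smtp, mx_host, sender, helo_name="mx.example.net"):
    """Return 'valid', 'invalid', 'tempfail' or 'unknown' for `sender`.
    `smtp` is any object with the smtplib.SMTP methods used below."""
    domain = sender.rsplit("@", 1)[1]
    probe = "callout-%s@%s" % (secrets.token_hex(8), domain)
    try:
        code, _ = smtp.connect(mx_host, 25)  # raises on timeout if the 220 greeting is delayed
        if code != 220:
            return "tempfail"
        smtp.helo(helo_name)
        code, _ = smtp.mail("")              # null sender <> so the probe cannot cause a bounce loop
        if code != 250:
            return "tempfail"
        code, _ = smtp.rcpt(sender)          # the actual question: is this mailbox accepted?
        if 400 <= code < 500:
            return "tempfail"                # greylisting or load: retry later, do not reject
        if code >= 500:
            return "invalid"
        code, _ = smtp.rcpt(probe)           # a front MX that accepts everything proves nothing
        return "unknown" if code < 400 else "valid"
    except OSError:                          # timeouts and smtplib errors are OSError subclasses
        return "tempfail"
    finally:
        try:
            smtp.quit()                      # always end the session without sending DATA
        except OSError:
            pass

class FakeMX:
    """Constructed stand-in for a remote MX (not a real server)."""
    def __init__(self, users=(), accept_all=False, greet_timeout=False):
        self.users, self.accept_all, self.greet_timeout = set(users), accept_all, greet_timeout
    def connect(self, host, port):
        if self.greet_timeout:
            raise TimeoutError("no 220 greeting before timeout")
        return 220, b"ready"
    def helo(self, name):
        return 250, b"ok"
    def mail(self, addr):
        return 250, b"ok"
    def rcpt(self, addr):
        ok = self.accept_all or addr in self.users
        return (250, b"ok") if ok else (550, b"no such user")
    def quit(self):
        return 221, b"bye"
```

For real use, pass an unconnected `smtplib.SMTP(timeout=...)` object as `smtp`, and cache verdicts per address so the remote MX is not probed for every message.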
