On 06/19/2013 07:32 PM, Wietse Venema wrote:
Ansgar Wiechers:
On 2013-06-19 Jeroen Geilman wrote:
Zitat von Andreas Kasenides <andr...@cymail.eu>:
Out: 250-VRFY
You really don't want to enable VRFY on a public mailserver; it only
enables more spammers to abuse you.
Set 'disable_vrfy_command = yes' in main.cf to globally disable it.
Not really. Aside the fact that there are other ways to verify an
address, I get a single VRFY every other month on my mail server.
In my experience most spammers don't actually care if an address is
valid or not and blindly throw their crap at everything that looks at
least remotely like a mail address.
I agree. Technically, VRFY is implemented as RCPT TO without all
the baggage of a mail transaction. The difference is that
smtpd_client_recipient_rate_limit does not apply to VRFY, but that
is easily fixed (I just copied some code from the RCPT TO handler).
Wietse
I seem to remember that allowing VRFY meant spammers could brute-force
valid recipients; perhaps this was long ago and it is no longer true.
--
J.
