* on the Mon, Oct 13, 2014 at 12:22:38PM +0200, li...@rhsoft.net wrote: >> Address verification is always a guess. You're assuming that by address >> verification I'm talking about actually connecting to the remote SMTP >> server and sending "RCPT TO". I'm not talking about that, I'm talking >> about asking Postfix if the syntax of the address is valid and if the >> DNS is set up suitably to be able to potentially be able to deliver >> the message. I.e, are there valid MX records etc. That is how Exim >> does it at least. > > i doubt: https://github.com/Exim/exim/wiki/Verification
That's a link to a bunch of examples of SMTP time ACL based address verifications in Exim which have explicitly had callouts turned on. Note, what you've linked to has no connection whatsoever with what Exim does when you run "sendmail -bv" as that command only runs through the routers and not the ACLs. > for a formal check without verification you don't need a MTA > http://search.cpan.org/~rjbs/Email-Valid-1.195/lib/Email/Valid.pm > http://search.cpan.org/~nlnetlabs/Net-DNS-0.80/lib/Net/DNS.pm Yes, I realise I can write code to do syntax and DNS checks which might resemble Postfixes ability to route a message. Then I have to worry about things like whether or not Postfix can route mail to ☺@☺.example.com and whether or not Email::Valid supports UTF-8 local parts or punycode blah blah blah. IMO, it is both better, and easier, to ask your mail server if it is able to route a message rather than doing lots of checks to guess what your mail server might be able to do. > BTW - the MX record is not mandatory > if not present the MTA falls back to the A record! Yes. I know that. Don't forget AAAA records. >>> * if your webserver is able to execute shell commands >>> the setup is highly questionable >> >> I don't agree. Executing the following Perl from a CGI script is >> completely safe: >> >> my $valid = eval { >> open(my $output, '-|', '/usr/sbin/sendmail', '-bv', $email_address); >> close $output; >> return $? == 0 ? 1 : 0; >> }; > > if it is done safe and secure - you know every scripts > present on your webserver are audited and safe and don't > use unsanitized user inputs? doubt! I will agree with you that insecure code is insecure. *shrug* -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
signature.asc
Description: Digital signature
