Exim - Address Verification

Exim validates senders or recipients address by checking as far as possible whether could deliver a message to it. A number of ACLs cause a address to be verified this page describes what happens during the verification process

Basic Sender and Recipient Verification

If you use verify = sender or verify = recipients as an ACL condition, Exim uses its routers to process the address, in the same way as when delivering a message, if the routing succeeds then the address is verified. For local domains the local part is checked, for other domains routing can verify the domain, but cannot verify the local part.

The callout mechanism extends the verification process to do additional checking of remote local parts.

verify

verify = sender/callout
verify = recipient/defer_ok/callout=10s

Verification Callouts

They only way to verify the local part of a remote address is to make an SMTP callback (sender address) or callforward (recipient address), we use the term callout for both.

If the callout option is present a second stage to verify the address occurs, Exim makes a SMTP connection to one of the hosts to test whether the address is acceptable, if there is a problem with all the hosts then the ACL yields "defer", unless the "defer_ok" is specified in which case the condition is forced to succeed. Callouts use more resources to verify an address, so they used be used with care. The default timeout is 30 seconds but this can be changed by specifying a time (see above example).

Redirection while Verifying

When a message is redirected by aliasing or a forward file, two outcomes may happen

if the redirection is only one child address, verification continues with that child address
if the redirection is more than one child address, verification does not continue, a success result is returned.

Testing Address Verification

You can test how Exim handles addresses by using the -bvs (senders) and -bv (recipients) Exim options, there is a difference if you have options like verify_senders.

Test addresses

# exim -bvs paul.valle@datadisk.co.uk
# exim -bv paul.valle@datadisk.co.uk

Note: if it fails you get a error stating "Unroutable address", otherwise it comes back with "verified", it will even tell you if the address was rewritten

Bounce Address TAG Validation (BATV)

Bounce address TAG validation is a method of detecting "collateral spam", this arises when a message with a valid but forged sender address cannot be delivered. The resulting bounced message is sent to the innocent third party whose address has been forged. BATV adds a time stamped tag to the envelope sender addresses in outgoing messages, thus genuine incoming bounces will therefore always contain tagged addresses that have not timed out, any other bounces can be rejected.

For further information regarding BATV I point you to the official Exim web site.