Exim error 451 "unable to verify address" and catchall email address

Tristan

Repost from this post in the SpamBlocker4 sub-forum since this doesn't actually seem related specifically to that SpamBlocker4 version after all.

After updating Exim itself from the stock Debian 6 da_exim-4.73 to exim-4.84 (installed with CB 2.0), and updating exim.conf to the latest stable 4.2.2 and exim.pl to 17, we noticed it looks like it has some problems verifying local email addresses for external SMTP hosts, as we're getting quite a lot of errors like these:

Code:
2014-10-29 08:26:20 1XjNe7-00068Y-QX <= [email protected] H=934829823.232323.abo.wanadoo.de (SERVER02.prismtesting.local) [80.15.104.110] P=esmtpsa X=TLSv1:AES128-SHA:128 A=login:[email protected] S=7304 id=B5C994BC3D68EF489F93C701D38D527B999C089D@SERVER02.prismtesting.local T="test" from <[email protected]> for [email protected]
2014-10-29 08:26:20 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XjNe7-00068Y-QX
2014-10-29 08:26:21 1XjNe7-00068Y-QX == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=8500: host tnetmx.telefonica.net [86.109.99.69]: 451 <[email protected]> unable to verify address
2014-10-29 08:44:50 1XjNe7-00068Y-QX == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=8500: host tnetmx.telefonica.net [86.109.99.69]: 451 <[email protected]> unable to verify address

This might have something to do with the fact that this domain has a catchall email configuration, so the email address [email protected] can't be found in the list of virtual emails for this domain. However, since it does have a catchall, it should still verify the email address back to the SMTP host, since it is a valid email address.

This specific email did eventually go out after I created a forwarder [email protected] -> [email protected] (the normal catchall email address). After that the "451 <[email protected]> unable to verify address" stopped and the email was delivered at Telefonica. So maybe this is still a problem with the exim conf not verifying email accounts in case of a catchall, any ideas?
 
Since we don't know how host tnetmx.telefonica.net is trying to verify the address, we don't know what the reason could be. RFCs say (unless they've been changed recently) that verification of foreign email should only be done to the domain level, not to the individual address level. In fact most servers, including exim on servers running my exim.conf SpamBlocker file, don't even advertise that they accept the VRFY (verify) command, since doing so can both lead to DOS attacks, and let spammers prequalify mailing lists against a domain before actually trying to send out email.

You'd have to ask the postmaster at telefonica.net how they attempt to verify email senders.

Jeff
 
Yes we're trying to reach out to Telefonica as well but no answer just yet from them.

Since my hunch now is they do the verifying on an email address level I was wondering whether it would be possible to configure Exim so it also verifies for these catchall email accounts? Or could there be another reason the email did verify after we added a forwarder for this specific account that should otherwise be handled by the catchall?
 
My understanding is that exim as configured on DirectAdmin based servers doesn't advertise or allow the VRFY command, so it's not allowing that method of verification at all. (Most MTAs don't, see my previous post as to why not, and note that I won't add it but you can).

To see what I mean run:
Code:
telnet host.example.com 25
where host.example.com is your server hostname, or run
Code:
telnet localhost 25
from your host.

In the absence of the VRFY command the only way I know of for a server to verify an address is to open a separate connection to try to send to it (and check any error received), while still holding the receiving connection open.

If they did that then the presence of a catchall would definitely qualify.

So I don't know how they verify or why the failure occurred. That's why I wrote that you'd need to ask them.

You're better off never using catchall, because it will allow your domains to get lots of dictionary attack spam and perhaps even DOS attacks. But if you insist on using it, then you'll need to find out how Telefonica is checking email addresses before we can consider a fix.

Jeff
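
The post above names two things that can be checked against your own server: whether VRFY is advertised, and what a second connection that goes as far as RCPT TO gets back for an address only the catchall covers. The following is an added example, not code from this thread or from Exim/DirectAdmin; the function names and HELO name are chosen here, and it assumes the checking server probes with a null sender, which the thread does not confirm.

```python
import socket

VERDICT = {2: "accepted", 4: "temporary failure", 5: "rejected"}

def _reply(f):
    """Read one SMTP reply (may span several lines); return (code, texts)."""
    texts = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError("connection closed or malformed reply")
        texts.append(line[4:])
        if line[3:4] != "-":          # "250-..." continues, "250 ..." ends
            return int(line[:3]), texts

def _cmd(f, text):
    f.write(text.encode("ascii") + b"\r\n")
    f.flush()
    return _reply(f)

def callout(sock, address, helo="callout.example.test"):
    """Go as far as RCPT TO on a connected socket, then quit. No DATA is sent."""
    if any(c in address for c in "\r\n<> "):
        raise ValueError("address must not contain CR, LF, space or angle brackets")
    steps = [("EHLO", "EHLO " + helo),
             ("MAIL", "MAIL FROM:<>"),             # null sender (assumed)
             ("RCPT", "RCPT TO:<%s>" % address)]
    with sock.makefile("rwb") as f:
        stage, vrfy = "banner", False
        code, _ = _reply(f)
        for name, line in steps:
            if code // 100 != 2:                   # stop at the first refusal
                break
            stage = name
            code, texts = _cmd(f, line)
            if name == "EHLO":                     # extensions follow the greeting line
                vrfy = any(t.upper().split()[:1] == ["VRFY"] for t in texts[1:])
        try:
            _cmd(f, "QUIT")
        except (ConnectionError, OSError):
            pass                                   # server already hung up
    return {"stage": stage, "code": code, "vrfy_advertised": vrfy,
            "verdict": VERDICT.get(code // 100, "unexpected")}

def probe(host, address, port=25, timeout=15):
    """Run callout() against a real server, e.g. your own MX from outside."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return callout(sock, address)
```

Run `probe()` from a host outside your network against your own MX, once with a real mailbox and once with an address only the catchall covers; if both come back `accepted`, a check of this kind would not distinguish them.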
 
Agreed, already in contact with Telefonica over here but till now they're as vague as possible about how their verify methods work, will keep this thread updated as soon as I hear back from them with some actual information. Thanks for thinking along with me!
 