WHM Whitelist to Exclude from Exim Sender Verify Callbacks

Sender verification is an important feature used by email servers to help prevent spam. When sender verification is enabled, the receiving email server checks to make sure the sender exists. Various email servers have different ways of handling this feature. Exim, for example, uses a mechanism called 'sender callouts' or 'callbacks'. (When the sending server does not accept a verification request, it does not comply with RFC 2821.)

However, in the event that the network route from the receiving email server to the originating email server is broken (or a firewall blocks the connection), the result can be a bit confusing. The receiving email server treats a failed verification as a failed verification, regardless of whether or not it could even connect to the originating server. This means the email never comes through to the recipient. After all, as far as the email server knows, it's spam.

One of my hosting clients was experiencing this "lost email" problem and a quick grep at /var/log/exim_mainlog confirmed the problem (hosts and IPs changed for obvious reasons):


2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 sender verify defer for : could not connect to customer.example.com [163.112.75.15]: Connection timed out
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36752 I=[69.161.211.25]:25 F=<[email protected]> temporarily rejected RCPT <[email protected]>: Could not complete sender verify callout
2008-11-17 15:02:27 [30120] H=relay1.example.com (qsv-spam1.example.com) [67.26.151.59]:36751 I=[69.161.211.25]:25 incomplete transaction (RSET) from <[email protected]>

As you can see, the email server was unable to connect to customer.example.com to verify the existence of the sender ([email protected]). This doesn't mean the sending server doesn't verify callbacks, but rather that the network connection from my server to the sending server could not be established.

Most of the stuff I found online related to solving this problem on a server running WHM (here and here) explains how to modify exim.conf to add special whitelist rules. Luckily, my server is running WHM 11.23.2 and has a whitelist option that makes it really easy to exclude a particular IP address from sender verification without any manual changes to exim.conf:

1. Click Service Configuration -> Exim Configuration Editor
2. Under Access Lists, find "Whitelist: Bypass all SMTP time recipient/sender/spam/relay checks" and click [EDIT]
3. Add the IP address for the sending server for which you wish to skip sender verification (as the note at the bottom explains, hosts cannot be used in this list)
4. Click Save
5. Click Save again near the bottom of the Exim Configuration Editor page

That's it! Now any emails from that IP that were failing to come through because of a sender verification failure will come through without a problem (again, you can watch /var/log/exim_mainlog to confirm).
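The log check used above to find the problem, and again to confirm the fix, can be scripted so that callouts that never connected are separated from ones the remote server actually answered. This is an added example, not part of the original post; the sample lines are constructed on the pattern of the excerpt (documentation IP ranges, made-up hosts and addresses), and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the exim_mainlog excerpt above
# (documentation IP ranges, made-up hosts and addresses).
SAMPLE_LOG = """\
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [192.0.2.59]:36752 I=[203.0.113.25]:25 sender verify defer for <alice@customer.example.com>: could not connect to customer.example.com [198.51.100.15]: Connection timed out
2008-11-17 15:02:27 [30121] H=relay1.example.com (qsv-spam1.example.com) [192.0.2.59]:36752 I=[203.0.113.25]:25 F=<alice@customer.example.com> temporarily rejected RCPT <bob@hosted.example>: Could not complete sender verify callout
2008-11-17 15:09:41 [30188] H=relay1.example.com (qsv-spam1.example.com) [192.0.2.59]:36801 I=[203.0.113.25]:25 sender verify defer for : could not connect to customer.example.com [198.51.100.15]: Connection timed out
2008-11-17 15:11:03 [30190] H=mail.other.example [192.0.2.77]:40112 I=[203.0.113.25]:25 sender verify fail for <nobody@other.example>: response to "RCPT TO:<nobody@other.example>" from mx.other.example [198.51.100.7] was: 550 No such user
"""

# Connecting relay IP, verify result, optional sender address, reason text.
LINE_RE = re.compile(
    r"H=\S+(?: \([^)]*\))? \[(?P<relay_ip>[^\]]+)\]:\d+ .*?"
    r"sender verify (?P<result>defer|fail) for (?:<(?P<sender>[^>]*)>)?\s*: "
    r"(?P<reason>.*)$"
)
CONNECT_RE = re.compile(r"could not connect to (?P<host>\S+) \[(?P<ip>[^\]]+)\]")


def unreachable_callouts(log_text):
    """Split sender-verify results into 'never connected' and 'answered'.

    Returns a Counter keyed by (relay_ip, callout_host, callout_ip) for
    callouts that failed at the network level, and a list of
    (relay_ip, result, reason) for results the remote side really gave.
    """
    unreachable = Counter()
    answered = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the "temporarily rejected RCPT" follow-up line
        conn = CONNECT_RE.search(m["reason"])
        if conn:
            unreachable[(m["relay_ip"], conn["host"], conn["ip"])] += 1
        else:
            answered.append((m["relay_ip"], m["result"], m["reason"]))
    return unreachable, answered


if __name__ == "__main__":
    unreachable, answered = unreachable_callouts(SAMPLE_LOG)
    for (relay, host, ip), n in unreachable.most_common():
        print(f"{n}x relay {relay}: callout to {host} [{ip}] never connected")
    for relay, result, reason in answered:
        print(f"relay {relay}: verify {result}, remote answered: {reason}")
```

The relay IP in each "never connected" entry is the sending server's address, the value step 3 asks for. Because the whitelist named in step 2 also bypasses spam and relay checks, only relays whose failures are connection errors belong on it.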

Comment

  1. I’ve been researching this “Sender Verify” and “sender verification callout” issue for some time now. I haven’t really seen anyone make any kind of real back-and-forth discussion about the issue in any way. It seems that there are really 2 kinds of posts, the first kind being “How do I add a whitelist” and the other being “Sender Verify is broken and shouldn’t be used”.

    We’ve been using dedicated servers with cPanel and WHM and love the functionality, but it seems we go about wasting a good bit of time when a customer calls up and says “I’m not getting an email from a friend” or “I’m not getting emails from some service”. We then have to figure out what the host is that we have to whitelist.

    Has anyone tested turning off sender verify to see if SpamAssassin takes care of things properly?

    Just to play devil’s advocate and to get all the issues out, some of the arguments for not using sender verify are as follows.

    It takes processing time and load on your server

    Your server can be used in a DDoS attack by sending your server multiple emails from the same fake address, thus making your server verify multiple times

    Your system trying to send a verify could hit another server also trying to perform a verify and thus cause a loop between 2 servers

    Spammers just start using real addresses to get past sender verify.

    While I know on our server Sender Verify works at stopping a lot of spam, and we will be using it, I’m amazed that spammers have not completely changed to using real addresses from their list of email addresses to spam to.

    I hope other people see your post and reply, I’d like to see where a discussion on the topic will go.

  2. Thanks for the comment, Granville. I haven’t tried turning off Sender Verify altogether (admittedly because I fear the volume of spam that may result from doing so), but I’m also very interested to hear more discussion on this topic.
