Sender verification is an important feature used by email servers to help prevent spam. When sender verification is enabled, the receiving email server checks to make sure the sender exists. Various email servers have different ways of handling this feature. Exim, for example, uses a mechanism called 'sender callouts' or 'callbacks'. (When the sending server does not accept a verification request, it does not comply with RFC 2821.)
However, in the event that the network route from the receiving email server to the originating email server is broken (or a firewall blocks the connection), the result can be a bit confusing. The receiving email server treats a failed verification as a failed verification, regardless of whether or not it could even connect to the originating server. This means the email never comes through to the recipient. After all, as far as the email server knows, it's spam.
One of my hosting clients was experiencing this "lost email" problem and a quick grep at /var/log/exim_mainlog confirmed the problem (hosts and IPs changed for obvious reasons):
2008-11-17 15:02:27  H=relay1.example.com (qsv-spam1.example.com) [18.104.22.168]:36752 I=[22.214.171.124]:25 sender verify defer for : could not connect to customer.example.com [126.96.36.199]: Connection timed out
2008-11-17 15:02:27  H=relay1.example.com (qsv-spam1.example.com) [188.8.131.52]:36752 I=[184.108.40.206]:25 F=<[email protected]> temporarily rejected RCPT <[email protected]>: Could not complete sender verify callout
2008-11-17 15:02:27  H=relay1.example.com (qsv-spam1.example.com) [220.127.116.11]:36751 I=[18.104.22.168]:25 incomplete transaction (RSET) from <[email protected]>
As you can see, the email server was unable to connect to customer.example.com to verify the existence of the sender ([email protected]). This doesn't mean the sending server doesn't accept callbacks, but rather that the network connection from my server to the sending server could not be established.
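The difference between a callout that never connected and one that connected and was refused can be pulled out of the log programmatically, so that only peers affected by a network problem are considered for whitelisting. This is an added example, not part of the original post: the log lines, addresses and IPs are constructed in the style of the excerpt above, and the `fail` line format and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the excerpt above (placeholder hosts and IPs).
SAMPLE_LOG = """\
2008-11-17 15:02:27 H=relay1.example.com (qsv-spam1.example.com) [192.0.2.10]:36752 I=[198.51.100.5]:25 sender verify defer for <user@customer.example.com>: could not connect to customer.example.com [203.0.113.7]: Connection timed out
2008-11-17 15:02:27 H=relay1.example.com (qsv-spam1.example.com) [192.0.2.10]:36752 I=[198.51.100.5]:25 F=<user@customer.example.com> temporarily rejected RCPT <client@hosted.example.net>: Could not complete sender verify callout
2008-11-17 15:09:41 H=relay1.example.com (qsv-spam1.example.com) [192.0.2.10]:36801 I=[198.51.100.5]:25 sender verify defer for <user@customer.example.com>: could not connect to customer.example.com [203.0.113.7]: Connection timed out
2008-11-17 15:11:03 H=mail.example.org [192.0.2.44]:51200 I=[198.51.100.5]:25 sender verify fail for <nobody@example.org>: response to "RCPT TO:<nobody@example.org>" from mx.example.org [203.0.113.9] was: 550 No such user
"""

PEER = re.compile(r"H=\S+(?: \([^)]*\))? \[(?P<peer>[^\]]+)\]")
VERIFY = re.compile(
    r"sender verify (?P<result>defer|fail) for <(?P<sender>[^>]*)>: (?P<reason>.*)$")
# Reasons that mean the callout never reached the sender's server at all.
CONNECT_ERRORS = ("could not connect", "Connection timed out",
                  "Connection refused", "No route to host")

def classify(line):
    """Return (peer_ip, sender, kind) for a sender-verify log line, else None."""
    peer, verify = PEER.search(line), VERIFY.search(line)
    if not (peer and verify):
        return None
    reason = verify["reason"]
    if verify["result"] == "defer" and any(e in reason for e in CONNECT_ERRORS):
        kind = "unreachable"  # network or firewall problem, not a verdict on the sender
    elif verify["result"] == "defer":
        kind = "deferred"     # callout connected but got a temporary answer
    else:
        kind = "rejected"     # callout connected and the sender was refused
    return peer["peer"], verify["sender"], kind

def unreachable_peers(log_text):
    """Count, per connecting IP, the callouts that failed only because of connectivity."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[2] == "unreachable":
            counts[hit[0]] += 1
    return counts

if __name__ == "__main__":
    for ip, n in unreachable_peers(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} callout(s) could not connect")
```

Peers reported as `rejected` reached the sender's server and were refused, so they are not reported as connectivity failures.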
Most of the stuff I found online related to solving this problem on a server running WHM (here and here) explains how to modify exim.conf to add special whitelist rules. Luckily, my server is running WHM 11.23.2 and has a whitelist option that makes it really easy to exclude a particular IP address from sender verification without any manual changes to
1. Service Configuration -> Exim Configuration Editor
2. Access Lists, find "Whitelist: Bypass all SMTP time recipient/sender/spam/relay checks" and click
3. Add the IP address for the sending server for which you wish to skip sender verification (as the note at the bottom explains, hosts cannot be used in this list)
4. Save again near the bottom of the Exim Configuration Editor page
That's it! Now any emails from that IP that were failing to come through because of a sender verification failure will come through without a problem (again, you can watch /var/log/exim_mainlog to confirm).