VERIFYFILTER(8) | Double Precision, Inc. | VERIFYFILTER(8) |
verifyfilter, verifysmtp - Verify mail addresses
filterctl {[start] | [stop]} verifyfilter
This is a mail filter/tool combination that tries to determine the validity of E-mail addresses by attempting to contact the mail domain's mail server, and executing a RCPT TO command. There are three ways to use this tool.
verifyfilter is suitable for handling moderate amount of E-mail traffic. Address validation is expensive, requiring a DNS lookup and an outbound connection to a mail server for every validated address. verifyfilter goes through the same steps that the mail server does when sending mail, including enabling of encryption.
verifyfilter uses logging and caching, to avoid repeatedly validating the same return address when receiving multiple E-mails from the same sender; but its caching is rudimentary (a simple log file), and increased logging due to high E-mail traffic mail delivery may create large log files, impacting performance.
verifysmtp [-n] [-t directory] [-m {full|base}] {user@domain}
The verifysmtp command creates a network connection to domain's mail server, and checks if it considers the given E-mail address as valid. Two or more E-mail addresses can be given, and each E-mail address gets checked individually.
verifysmtp terminates with a zero exit code if all given E-mail addresses passed. A non-zero exit code indicates that one or more of the given addresses were rejected.
The -m option is analogous to the verifyfilter-logmode setting, described below, that specifies how E-mail addresses are compared against the cached verification results. The -t enables caching of verification results, and specifies the directory for storing the cached results.
The -n option suppresses internal error messages from getting logged to standard error. This is used in the verifyfilter global mail filter.
filterctl {[start] | [stop]} verifyfilter
The verifyfilter global mail filter, if enabled, checks each message's return address. The E-mail message gets rejected if its return address's mail server rejects the return address. There's not much sense in accepting mail if its return address is undeliverable.
verifyfilter ignores messages from authenticated senders, and does not check their return addresses.
mkdir /etc/courier/maildroprcs cp /usr/lib/courier/verifysender /etc/courier/maildroprcs cp /usr/lib/courier/verifysenderfull /etc/courier/maildroprcs
In your $HOME:
mkdir $HOME/.trackdir
In $HOME/.mailfilters/rcptfilter:
include '/etc/courier/maildroprcs/verifysender'
Or:
include '/etc/courier/maildroprcs/verifysenderfull'
This alternative provides comparable functionality as the global mail filter, but exposed via the localmailfilter(7)[1] API.
With maildrop, a protected wrapper filtering recipe gets installed into /etc/courier/maildroprcs/verifysender, which invokes verifysmtp via maildrop's system command. The wrapper must be included in this manner, since maildrop normally does not allow the system command in the embedded execution mode that's used by the local mail filtering API.
The wrapper executes verifysmtp with a special argument, a single “.”. This is a special parameter that indicates that verifysmtp should read the E-mail address from the SENDER environment variable (avoiding issues with shell expansion, and script kiddies).
The /etc/courier/maildroprcs/verifysender wrapper can be suitably, perhaps optionally, included from either the rcptfilter or the smtpfilter script.
verifyfilter caches the return address it checks. Once verifyfilter verifies that the return address is accepted by the sending domain's mail server, this is logged and additional E-mail with the same return address gets immediately accepted without contacting the sending domain's mail server to re-check the same address.
Successfully verified return addresses get cached for approximately 2-3 hours. If no other E-mail with the same address get received before the cache expires that return address gets rechecked the next time it is seen. If another E-mail with the same return address gets received, it is immediately accepted and the email address gets recached. Most mailing lists' bounce addresses should not cause excessive re-verification, provided a regular trickle of mailing list traffic. This includes mailing list that use per-message bounce addresses that follow the common VERP convention (Variable Envelope Return Path), see “FILES” below.
As becomes obvious after perusing the contents of the stock verifysender local mail filter, verifysmtp's -t gives the name of a scratch directory that verifysmtp uses for the cache. This directory should be set aside for verifysmtp, and not used for other purposes. The global mail filter shares the scratch directory together with other Courier functions that work the same way.
Just because a mail server accepted the RCPT TO it does not mean that the given E-mail address can ultimately receive E-mail.
verifysmtp is a shell script wrapper that imports Courier's environment from /etc/courier/courierd then executes verifyfilter. Running as a non-daemon user, verifysmtp may not be able to read some Courier's configuration files, and also won't use several others like smtproutes and authclient. As such, verifysmtp's behavior might differ from Courier's, when sending mail.
verifyfilter uses the following configuration files. Changes to the following files do not take effect until the filter has been stopped and restarted.
/etc/courier/filters/verifyfilter-mode
/etc/courier/filters/verifyfilter-logmode
With the default “base” logging mode, once the E-mail address <list-12@example.com> gets verified, all further addresses like <list-13@example.com> and <list-foo-bar@example.com> are considered as verified, but not <anotherlist@example.com>.
/etc/courier/filters/verifyfilter-nthreads
courierfilter(8)[2], localmailfilter(7)[1].
Sam Varshavchik
10/28/2020 | Courier Mail Server |