Comments on: 451 Could not complete sender verify callout http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/ Words of wisdom from a server administrator Wed, 16 May 2012 12:56:36 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: dmmcintyre3 http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-23505 dmmcintyre3 Tue, 19 Jul 2011 12:07:34 +0000 http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-23505 Another problem that is missing is if the sending mail server is not set up to receive emails to the domain in the from address. I send mail from my own mail server but let Google Apps handle the incoming mail, so anybody who's mail server has this enabled can't receive mail from me. Another problem that is missing is if the sending mail server is not set up to receive emails to the domain in the from address. I send mail from my own mail server but let Google Apps handle the incoming mail, so anybody who's mail server has this enabled can't receive mail from me.

]]> By: EastGhostCom http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-22585 EastGhostCom Sat, 02 Apr 2011 17:23:11 +0000 http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-22585 This is what's going on in our case I sent an email from mike@my.dom to my_distro_list@myother.dom One of the recipients on the my_distro_list has a server which apparently performs this "sender verify callout" which is another name for a callback, that is a reverse check to make sure the sending server -ALSO- accepts email for the original sender (i.e., mike@my.dom). The "fix" was to make the outgoing server for myother.dom act as backup MX for my.dom That way, when the recipient server gets the email I sent to my_distro_list, it can verify that the sending server for myother.dom also accepts email for my.dom Presumably this check/verify helps thwart spammers, but not clear how -- if some stupid server acts as an open relay then it acts as an open relay and in so doing answers affirmative, that it does accept email for whatever initial sender domain(s). So this whole business seems right now like a giant waste of time and it probably is, as others have asserted, a mechanism for DoS, as someone could basically make a server performing these silly "sender verify callouts" do extraneous work along with whatever unwitting target server(s) respond to those callouts. This is what's going on in our case

I sent an email from mike@my.dom to my_distro_list@myother.dom

One of the recipients on the my_distro_list has a server which apparently performs this "sender verify callout" which is another name for a callback, that is a reverse check to make sure the sending server -ALSO- accepts email for the original sender (i.e., mike@my.dom).

The "fix" was to make the outgoing server for myother.dom act as backup MX for my.dom

That way, when the recipient server gets the email I sent to my_distro_list, it can verify that the sending server for myother.dom also accepts email for my.dom

Presumably this check/verify helps thwart spammers, but not clear how -- if some stupid server acts as an open relay then it acts as an open relay and in so doing answers affirmative, that it does accept email for whatever initial sender domain(s).

So this whole business seems right now like a giant waste of time and it probably is, as others have asserted, a mechanism for DoS, as someone could basically make a server performing these silly "sender verify callouts" do extraneous work along with whatever unwitting target server(s) respond to those callouts.

]]> By: sanchon http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-16290 sanchon Thu, 27 May 2010 10:32:28 +0000 http://rackerhacker.com/2007/03/29/451-could-not-complete-sender-verify-callout/#comment-16290 The most obvoius problem is missing: If the sender is using sender callout verify himself, the verify will never succeed as the verification targat wants a verification from the verifier first. Besides it can be used conveniently for DOS attacks. This is why sender callout verification should NEVER be enabled (and not even offered by EXIM)! The most obvoius problem is missing:
If the sender is using sender callout verify himself, the verify will never succeed as the verification targat wants a verification from the verifier first.
Besides it can be used conveniently for DOS attacks.
This is why sender callout verification should NEVER be enabled (and not even offered by EXIM)!

]]>