Why mail systems should not defer rejections to
RCPT TO time
There is a movement for the default configurations of things like exim to defer sender verification to
RCPT TO time;
instead of reporting an error or a defer after the
MAIL FROM, all
MAIL FROMs are accepted and only later does the message start getting
errors. I have recently come to a realization about why this is wrong,
and I even have an example.
The problem is that when you give at least a 4xx error to an
it makes the sending mailer think that there is a problem with that
RCPT TO address, not with the
MAIL FROM address. The sending mailer
may then sensibly defer all email to that recipient, because after all
you told it that there was a problem with that address. (The actual text
of your 4xx error may explain the situation, but mailers don't yet read
English error messages.)
We have actually seen this happen with email from our central campus
mail system for someone who was forwarding their email to our system.
Some spam domain fell out of the DNS between the central mail system
accepting it and it coming to us, we started giving temporary defers
RCPT TO time, and all mail for this person backed up.
I believe that this is done because people feel that some mailers do not
react well to
MAIL FROM errors (and I've occasionally seen evidence
of that in our logs). However I feel that the cure is worse than the
disease, and such bad mailers are clearly violating the specification to
start with; coddling spec-violating mailers while causing problems for
mailers that are following the spec does not seem like a good tradeoff
(Besides, we ran our system with sender verification problems reported
MAIL FROM time for years without getting any complaints or problem
reports, so we have empirical evidence that it works fine.)
Theoretically this also allows you to accept mail for
whether or not the sender address actually exists. Personally I do not
believe that this is actually a feature, especially since it has been
years since we got any legitimate outside email to
what we do get has been spam.
Comments on this page:Written on 20 October 2007.