smtp_cbv – SMTP Callback Verification

March 26, 2020 Contributors

This module allows Momentum to perform SMTP Callback Verification (CBV) in its validation process. If this module is loaded, for every inbound message, Momentum will attempt to connect back to the sender domain to determine if the sender address is valid.

Configuration

smtp_cbv "smtp_cbv1" {
  phase = "mailfrom"
  mailfrom = ""
  map = [
    yahoo.net = "yahoo.com"
  ]
}

**Configuration Change. ** This module is not currently supported in a multiple event loop configuration. Future support is planned. For more information about multiple event loops see “Configuring for Multiple Event Loops in Momentum 3.6”.

mailfrom

Specifies the mailfrom address to use in the SMTP Callback Verification. If not specified, a null sender address will be used.

map

If the sending domain matches the value listed on the left hand side, Momentum will attempt SMTP CBV with the domain listed on the right hand side.

Note

This option supports both mailfrom and rcptto since Momentum 3.1 and Momentum 2.2.3.47. Prior releases only provide map support for rcptto.

phase

Specifies the SMTP phase to start SMTP Callback Verification. It can be either mailfrom or rcptto.

The verification result will be stored in a message context variable smtp_cbv_result. See below for more information. You may act on the context variable from a script or from other validation modules as part of your site policy.

You can invoke callback verification from Sieve using the smtp_callback_verify function. For more information see smtp_callback_verify.

smtp_cbv Runtime Usage

The smtp_cbv module sets the following message context variable:

smtp_cbv_result

If the address was verified, that is, if the remote MTA did not permanently reject the CBV attempt, the smtp_cbv_result variable will be set to the string pass. Other possible values are error and transient, reflecting permanent and transient errors during the CBV attempt.

Abuse Issues With CBV

Using SMTP CBV can abuse a remote MTA if a large number of inbound messages are forged to look like they have been sent from a third party’s domain. Exercise caution before deploying this module.