Postfix 2.1 is finally out and has a bunch of new
features, ranging from the potentially very evil ability to match mail on
the usual range of header and body checks and then auto-Bcc extra recipients
(imagine your company’s paranoid security personnel Bcc’ing themselves a copy
of every outgoing mail that contains a word like, say, IPO), all the way
to weapons to prevent evil in the form of [address
verification](http://www.postfix.org/ADDRESS_VERIFICATION_README.html).

Address verification is a great new feature. In short, this takes the MAIL
FROM address from each incoming connection, obtains the MX for the reported
domain, and connects back in real time with a probe to determine whether the
reported sender address is actually deliverable. If it is, the incoming e-mail
is allowed through. Otherwise, it gets a 550. A cache of both positive and
negative results is built up; otherwise this would be horribly expensive on
all but the lowest-traffic sites.
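
A minimal model of the probe-and-cache flow described above, added here as an illustration; it is not Postfix code. The `SenderVerifier` class, the stub probe, the cache lifetimes and the sample addresses are all assumptions constructed for the example.

```python
import time

# Assumed cache lifetimes in seconds (constructed for this sketch).
POSITIVE_TTL = 31 * 86400   # keep "deliverable" results longer
NEGATIVE_TTL = 3 * 86400    # re-check "undeliverable" results sooner


class SenderVerifier:
    """Cache-in-front-of-probe model of sender address verification."""

    def __init__(self, probe, clock=time.time):
        self.probe = probe      # callable(address) -> True if deliverable
        self.clock = clock      # injectable so expiry can be tested
        self.cache = {}         # address -> (deliverable, expires_at)
        self.probes_sent = 0

    def check(self, mail_from):
        """Return the SMTP reply code for a message from mail_from."""
        address = mail_from.strip()
        now = self.clock()
        entry = self.cache.get(address)
        if entry is None or entry[1] <= now:
            # Cache miss or expired entry: pay for a real-time probe.
            self.probes_sent += 1
            deliverable = bool(self.probe(address))
            ttl = POSITIVE_TTL if deliverable else NEGATIVE_TTL
            entry = (deliverable, now + ttl)
            self.cache[address] = entry
        return 250 if entry[0] else 550


def replay(senders, probe):
    """Replay MAIL FROM addresses; return (reply codes, probes sent)."""
    verifier = SenderVerifier(probe)
    codes = [verifier.check(s) for s in senders]
    return codes, verifier.probes_sent


# Constructed sample data: senders the stub probe reports as deliverable.
DELIVERABLE = {"alice@example.org", "bob@example.net"}
SAMPLE_TRAFFIC = ["alice@example.org", "forged@example.com",
                  "alice@example.org", "forged@example.com",
                  "bob@example.net", "forged@example.com"]

if __name__ == "__main__":
    codes, probes = replay(SAMPLE_TRAFFIC, lambda a: a in DELIVERABLE)
    print(codes, f"{probes} probes for {len(SAMPLE_TRAFFIC)} messages")
```

Every previously unseen sender still costs one probe, so traffic made up of many distinct forged addresses gets little benefit from the cache.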

Exim has had this for a while (under a different name),
but that MTA’s monolithic design doesn’t appeal to me. An MTA is too complex a
piece of software to have a monolithic design these days, especially if it runs
as root. That’s a liability I don’t need.

Don’t turn on address verification unless you have a relatively low-traffic
site. Those probes are expensive, even with caching.