On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:
> Victor Duchovni put forth on 12/1/2010 5:06 PM:
> > On Wed, Dec 01, 2010 at 04:50:20PM -0600, Stan Hoeppner wrote:
>
> >> Are LDAP queries still simpler and cheaper once all recipient addresses
> >> are cached in $data_directory/verify_cache?
> >
> > Yes, because the vast majority of "RCPT TO" commands are dictionary
> > attacks, if not all the time, at least at peak loads when it matters.
> > Sending an SMTP probe is much more expensive than making an LDAP query.
>
> So a remote LDAP query is cheaper than a local table lookup?
The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
attacks always yield cache misses.
> Interesting. I would have assumed lookups to the local RAV cache file
> would be infinitely faster than a remote LDAP query. I would guess that
> for many/most organizations the RAV cache would be populated within a
> few days max, if not a few hours.
You are forgetting that dictionary attacks are almost exclusively queries
for non-existent users. Think clearly, and think outside the box about
worst-case behaviour.
> But you're saying the remote LDAP query is "cheaper" in this
> case, Viktor?
Because I am not thinking about normal loads that don't matter. One
needs to survive hostile loads.
> > LDAP tables are supported and not discouraged, but high volume sites
> > may want to dedicate some LDAP replicas to MTA queries.
>
> I'm not discouraging anyone from using LDAP queries. I merely made the
> case that many times RAV is a better choice, and stated some reasons why.
The reasons are not valid under hostile conditions.
--
Viktor.
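A constructed cost model of the argument above (added here; not code from the thread or from Postfix): a local verify_cache lookup is cheap on a hit, but every miss costs an SMTP probe, and a dictionary attack consists almost entirely of never-seen, non-existent addresses, so it misses every time. The unit costs and the address lists are assumptions chosen for illustration, not measurements.

```python
"""Model RAV (verify_cache + SMTP probe) against a fixed-cost LDAP query.

Illustrative unit costs (assumed, not measured):
  CACHE_COST  local verify_cache lookup
  PROBE_COST  one SMTP probe to the next hop (connect, EHLO, MAIL, RCPT, QUIT)
  LDAP_COST   one query to an LDAP replica
"""
from dataclasses import dataclass, field

CACHE_COST = 1
PROBE_COST = 500
LDAP_COST = 10


@dataclass
class RavCache:
    """Models $data_directory/verify_cache: hits are cheap, misses probe."""
    known: dict = field(default_factory=dict)
    cost: int = 0
    probes: int = 0

    def check(self, rcpt, directory):
        self.cost += CACHE_COST
        if rcpt in self.known:           # hit: positive or negative result cached
            return self.known[rcpt]
        self.cost += PROBE_COST          # miss: verify via SMTP probe
        self.probes += 1
        self.known[rcpt] = rcpt in directory
        return self.known[rcpt]


def ldap_cost(traffic):
    """LDAP answers exist/does-not-exist at the same price every time."""
    return LDAP_COST * len(traffic)


def run(traffic, directory):
    """Return (rav_cost, probes_sent, ldap_cost) for one traffic sample."""
    cache = RavCache()
    for rcpt in traffic:
        cache.check(rcpt, directory)
    return cache.cost, cache.probes, ldap_cost(traffic)


# Constructed sample data: two real users, repeated normal mail, and a
# dictionary attack whose addresses are all new, so no cache can help.
DIRECTORY = {"alice@example.com", "bob@example.com"}
NORMAL = ["alice@example.com", "bob@example.com"] * 50
ATTACK = [f"user{i}@example.com" for i in range(100)]

if __name__ == "__main__":
    print("normal:", run(NORMAL, DIRECTORY))   # cache warms after two probes
    print("attack:", run(ATTACK, DIRECTORY))   # one probe per RCPT TO
```

Under normal load RAV wins once the cache is warm; under the attack every RCPT TO becomes a probe and the LDAP cost stays flat, which is the worst case the thread says capacity must be planned for.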