On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:

> Victor Duchovni put forth on 12/1/2010 5:06 PM:
> > On Wed, Dec 01, 2010 at 04:50:20PM -0600, Stan Hoeppner wrote:
> >
> >> Are LDAP queries still simpler and cheaper once all recipient addresses
> >> are cached in $data_directory/verify_cache?
> >
> > Yes, because the vast majority of "RCPT TO" commands are dictionary
> > attacks, if not all the time, at least at peak loads when it matters.
> > Sending an SMTP probe is much more expensive than making an LDAP query.
>
> So a remote LDAP query is cheaper than a local table lookup?

The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
attacks always yield cache misses.

> Interesting. I would have assumed lookups to the local RAV cache file
> would be infinitely faster than a remote LDAP query. I would guess that
> for many/most organizations the RAV cache would be populated within a
> few days max, if not a few hours.

You are forgetting that dictionary attacks are almost exclusively queries
for non-existent users. Think clearly, and think outside the box about
worst-case behaviour.

> But you're saying the remote LDAP query is "cheaper" in this
> case, Viktor?

Because I am not thinking about normal loads that don't matter. One needs
to survive hostile loads.

> > LDAP tables are supported and not discouraged, but high volume sites
> > may want to dedicate some LDAP replicas to MTA queries.
>
> I'm not discouraging anyone from using LDAP queries. I merely made the
> case that many times RAV is a better choice, and stated some reasons why.

The reasons are not valid under hostile conditions.

-- 
	Viktor.
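For reference, the two gateway configurations the thread compares, written out as an added example (not configuration posted by either participant). Host names, domain and LDAP base are placeholders; the two LDAP replicas stand for the dedicated MTA replicas the thread mentions.

```conf
# ---- /etc/postfix/main.cf (inbound gateway for example.com) ----

# Approach A: recipient address verification (RAV). Each unknown recipient
# costs an SMTP probe to the internal server. A dictionary attack sends
# addresses that were never seen before, so neither the positive nor the
# negative entries in verify_cache can answer them; every one is a miss
# followed by a probe.
#relay_domains = example.com
#relay_recipient_maps =
#address_verify_map = btree:$data_directory/verify_cache
#address_verify_negative_cache = yes
#smtpd_recipient_restrictions =
#    permit_mynetworks
#    reject_unauth_destination
#    reject_unverified_recipient

# Approach B: answer "does this recipient exist?" from LDAP. A lookup that
# returns no result rejects the RCPT TO immediately; no probe is ever sent,
# so the per-recipient cost under attack is one LDAP query.
relay_domains = example.com
relay_recipient_maps = ldap:/etc/postfix/ldap-relay-recipients.cf
unknown_relay_recipient_reject_code = 550
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# ---- /etc/postfix/ldap-relay-recipients.cf ----
# Placeholder replicas; point these at directory replicas dedicated to
# MTA queries so attack load does not compete with other LDAP clients.
server_host = ldap://ldap-mta1.example.com ldap://ldap-mta2.example.com
version = 3
bind = no
search_base = ou=people,dc=example,dc=com
# %s is the full recipient address; only the mail attribute is needed.
query_filter = (mail=%s)
result_attribute = mail
```

Run `postmap -q user@example.com ldap:/etc/postfix/ldap-relay-recipients.cf` to confirm a known recipient returns its address and an unknown one returns nothing before enabling the map.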