On 05/12/2010, at 18:19, mouss wrote:

> On 03/12/2010 01:55, Stan Hoeppner wrote:
>> Victor Duchovni put forth on 12/2/2010 4:27 PM:
>>
>>> The OP is really far better off querying the LDAP server:
>>
>> That may be Viktor. I think he should test both and pick the solution
>> that works best in his environment, both from a performance and
>> management perspective. Choice is usually a good thing, and he has
>> plenty with Postfix. :)
>
> let's look at this from the exchange server viewpoint:
>
> - with ldap, exchange sees no (RAV) connections.
> - with RAV, exchange is hit for every address to verify
>
> Given all the job that exchange does (or is supposed to do), and the costs of
> the licences if you need to add new servers, then you'd better hit the AD
> server.
>
> if you really want caching, then set up an intermediary postfix that does ldap
> lookup and hit it with RAV...

This sounds a bit like premature optimization, which some say is the root of all evil. It also violates the 'Keep It Simple, Sysadmin' principle ;-)

Exchange isn't the most efficient mail server, but I'd suggest that, for the majority of Exchange deployments, you probably need to look elsewhere if the simple SMTP transactions initiated by RAV are causing a performance problem.

In our case, most of the unwanted connections never make it to the RAV stage, as it's one of the last checks done, and the majority of all remaining connections seems to hit the local cache. As far as I'm aware we see very few SMTP dictionary attacks, and they all tend to bounce off one of the earlier verification steps. A 'check_recipient_access' map with known exceptions for example, such as deactivated accounts, the usual suspects such as 'iamjustsendingthisleter' and so on.

Of course, YMMV. I agree with Stan, test it and keep what works best for your setup.

Cya,
Jona
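
The check ordering described in this message, sketched as a Postfix configuration fragment. This is an added example, not part of the original thread or the poster's actual configuration; the domain, hostname, file paths, map entries and cache lifetimes are assumptions chosen for illustration.

```ini
# /etc/postfix/main.cf (added example; names and paths are assumptions)

# Mail for the Exchange-hosted domain is relayed, so recipient address
# verification (RAV) probes go to the next hop selected by transport_maps.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport (constructed entry):
#     example.com    smtp:[exchange.example.com]

# Restrictions are evaluated in the order listed, and evaluation stops at the
# first one that returns a decision. Putting the static access map ahead of
# reject_unverified_recipient means known-bad recipients are rejected locally
# and never cause a probe connection to Exchange.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unverified_recipient

#   /etc/postfix/recipient_access (constructed entries):
#     former.employee@example.com            REJECT Account deactivated
#     iamjustsendingthisleter@example.com    REJECT

# Persistent verification cache: a repeated recipient is answered from this
# map instead of triggering a new SMTP probe to the backend.
address_verify_map = btree:$data_directory/verify_cache

# How long cached results are trusted (illustrative values). A longer
# negative lifetime lowers probe volume but delays acceptance of mail for
# newly created mailboxes.
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d
```

After editing either lookup table, rebuild it with `postmap` (for example `postmap /etc/postfix/recipient_access`) and reload Postfix.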