On 05/12/2010 21:45, DTNX/NGMX Postmaster wrote:
On 05/12/2010, at 18:19, mouss wrote:

On 03/12/2010 01:55, Stan Hoeppner wrote:
Victor Duchovni put forth on 12/2/2010 4:27 PM:

The OP is really far better off querying the LDAP server:

That may be, Viktor.  I think he should test both and pick the solution
that works best in his environment, both from a performance and
management perspective.  Choice is usually a good thing, and he has
plenty with Postfix. :)

let's look at this from the exchange server viewpoint:

- with ldap, exchange sees no (RAV) connections.
- with RAV, exchange is hit for every address to verify

Given all the job that exchange does (or is supposed to do), and the costs of 
the licences if you need to add new servers, then you'd better hit the AD 
server.

if you really want caching, then setup an intermediary postfix that does ldap 
lookup and hit it with RAV...

This sounds a bit like premature optimization, which some say is the root of 
all evil. It also violates the 'Keep It Simple, Sysadmin' principle ;-)  
Exchange isn't the most efficient mail server, but I'd suggest that, for the 
majority of Exchange deployments, you probably need to look elsewhere if the 
simple SMTP transactions initiated by RAV are causing a performance problem.


so, using RAV is more "kiss" than using ldap? let's see:

- with ldap: postfix -> AD
- with rav: postfix -> exchange -> AD

with RAV, you're adding a piece, and not a simple one.


anyway, I understand that different people have different opinions. so let's move on...

In our case, most of the unwanted connections never make it to the RAV stage, 
as it's one of the last checks done, and the majority of all remaining 
connections seems to hit the local cache. As far as I'm aware we see very few 
SMTP dictionary attacks, and they all tend to bounce off one of the earlier 
verification steps. A 'check_recipient_access' map with known exceptions for 
example, such as deactivated accounts, the usual suspects such as 
'iamjustsendingthisleter' and so on.

Of course, YMMV. I agree with Stan, test it and keep what works best for your 
setup.

Cya,
Jona
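
The two setups compared in this thread, side by side, as an added example that is not taken from any poster's configuration. The domain example.com, the host names, file paths and the bind account are assumptions; use option A or option B, not both.

```conf
# ---- /etc/postfix/main.cf (constructed example) ----
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Option A: LDAP lookup (postfix -> AD).
# Exchange sees no verification probes; a recipient that is not in the
# map is rejected by Postfix itself.
relay_recipient_maps = ldap:/etc/postfix/ad-recipients.cf

# Option B: recipient address verification (postfix -> exchange -> AD).
# Leave relay_recipient_maps unset and let a probe to the next hop decide.
# Cheap checks come first, so most unwanted mail never reaches the probe.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unverified_recipient
# Persistent cache: a recipient seen before does not trigger a new probe.
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d
unverified_recipient_reject_code = 550

# ---- /etc/postfix/recipient_access (option B) ----
# Known exceptions such as deactivated accounts, rejected before any probe.
former.user@example.com    REJECT

# ---- /etc/postfix/ad-recipients.cf (option A) ----
# Contains a bind password: keep it unreadable to ordinary users.
server_host = ldap://dc1.example.com
version = 3
search_base = dc=example,dc=com
bind = yes
bind_dn = cn=postfix-lookup,ou=service,dc=example,dc=com
bind_pw = CHANGE_ME
# Match primary and secondary SMTP addresses stored in Active Directory.
query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail
```

Option B only rejects unknown recipients if the Exchange server itself refuses them during the SMTP transaction; if it accepts every address and bounces later, every probe succeeds.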
