On Wed, 2010-05-19 at 17:37 -0500, Andy Dorman wrote:
> On 05/19/2010 04:26 PM, Karsten � wrote:
> > On Wed, 2010-05-19 at 23:13 +0200, Mikael Syska wrote:
> >> Not to hijack the thread, but there are also other things to consider.
> >>
> >> I have no idea how on Postfix, but this could help you too Scott Lavoie.
> >>
> >> If there are multiple exchange backends for postfix/spamassassin
> >> gateway ... how could one validate that users exists, given that you
> >> only have a list of valid users for some of the exchange servers and
> >> the mailahead/milterahead/smtp are not an option?
> >
> > Don't think you're hijacking the thread -- you just stated exactly what
> > I mentioned in my previous post.
> >
> > The only real problem, validating recipients at the front MX, based on
> > the data in the backend Exchange servers. Everything else is not a
> > problem, even though managing a Linux server might seem to be one from
> > the point of view of a Windows admin... ;)
> >
> 
> Aside from the spam, keeping track of the valid addresses has been one of
> our (AnteSpam) biggest challenges over the past 8 years.  The solution that
> has worked best for us has been to maintain a separate list of valid
> addresses for postfix to use.  But coming from a db background, it has
> annoyed us no end that we have to maintain a duplicate of another db.  ;-)
> 
> We develop the valid address list by using a short (and very fast) perl smtp
> test that checks the destination server's response to RCPT for the new
> address.  We run this test when email comes in for every new/unknown address
> (and we track the failures in a simple key-value high speed db so we do not
> continuously hammer the poor destination servers with queries for the same
> bad address used yesterday or earlier).
> 
> Exchange servers have been our biggest headache with doing this however,
> because many take "eons" to respond.  And when your filtering server is
> trying to handle a LOT of incoming junk emails per second, you just cannot
> wait for Exchange to get around to answering you.  So for most Exchange
> servers we either require they manage their address list manually OR, if
> they insist on AnteSpam automatically adding new addresses, we send what we
> call a "ping" email with a special reply-to address so when the Exchange
> server gets around to sending us the NDR, we can mark that address as bogus
> and move on.
> 
> As you can see from this long-winded but simplified explanation, this has
> not been easy to do.  Honestly, I am NOT an Exchange expert...but I swear it
> had to be a design goal for some of these servers to take 15 or 30 minutes
> (or longer) to send the NDR.  And when you are supporting a domain that is
> being flooded with thousands of emails to bogus addresses per hour, it gets
> kinda tedious holding the mail and addresses in limbo long enough to give
> the Exchange server time to respond (or not) so you know what to do with the
> email.
> 
> Honestly, for a simple solution the best thing is to manually keep a list of
> valid addresses for Postfix (or whatever MTA you use).  It adds a little
> support load until you train the domain admin to add new addresses twice,
> once in Exchange and once for the filter.  But the option of building the
> valid address list automatically is NOT for the faint of heart.
> 
> Or I suppose it is possible for Exchange and Postfix/your MTA to share a db
> of valid addresses?  I know Postfix is very flexible in that regard.  No
> clue about Exchange.
> 
> Good luck.
> 
You can use Postfix's probing (or Exim's callout) to query the Exchange
'server' provided it is set up to reject invalid recipients. As pointed
out if this is not done Exchange will happily take any old rubbish and
bounce it some time later. Alternatively have the MTA make an LDAP
callout to AD. Exchange is basically an AD schema extension so it's
reasonably easy to do - but network chatter is a PITA.

To solve that annoying Exchange 'I take any mail dot com...' issue:

To enable valid recipients only....
1) Expand ESM, Message Delivery.
2) Right click on "Message Delivery" and choose Properties.
3) Click on the tab "Recipient Filtering".
4) Enable the option "Filter Recipients who are not in the directory."

You then need to enable the Recipient Filter on the SMTP Server.

1) Still in ESM, Expand Admin Groups, <your admin group>, Server, <your server>, Protocols, SMTP.
2) Right click on SMTP Virtual Server and choose Properties.
3) Click on "Advanced" next to the IP address on the first tab.
4) With the IP address selected, choose "Edit".
5) Enable "Apply Recipient Filter".
6) Click Apply/OK until clear.
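The probe that Andy describes above (check the backend's answer to RCPT, remember the failures so the same bogus address is not re-queried, and do not sit waiting on a slow Exchange) as an added example in Python. This is not the perl test from the thread and not Postfix's own verify(8) code; the backend is a constructed in-process fake SMTP server, and the host name probe.example.net and the sample addresses are made up so that it runs offline. The point worth taking from it is the third outcome, "defer": when the backend does not answer within the timeout, the front MX should tempfail the sender rather than accept the message and let it bounce later, which is the "take any old rubbish and bounce it some time later" behaviour the reply above wants to avoid.

```python
"""Added example, not code from the thread: the RCPT probe scheme with a
negative cache and a hard timeout.  The backend is a constructed in-process
fake SMTP server so everything runs offline."""
import smtplib
import socket
import threading
import time

# Constructed directory of the fake backend: only these addresses exist.
KNOWN_RECIPIENTS = {"alice@example.com", "bob@example.com"}


class FakeBackend(threading.Thread):
    """Stand-in for the Exchange server: 250 for known users, 550 otherwise.
    rcpt_delay > 0 makes it stall before answering RCPT (the slow-Exchange case)."""

    def __init__(self, rcpt_delay=0.0):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.rcpt_delay = rcpt_delay
        self.connections = 0  # how many times a probe actually reached us

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            self.connections += 1
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        try:
            conn.sendall(b"220 fake-exchange ESMTP\r\n")
            for raw in conn.makefile("rb"):
                line = raw.decode("latin-1").strip()
                verb = line.split(" ", 1)[0].upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 fake-exchange\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 2.1.0 Sender OK\r\n")
                elif verb == "RCPT":
                    time.sleep(self.rcpt_delay)
                    addr = line.split(":", 1)[1].strip().strip("<>").lower()
                    if addr in KNOWN_RECIPIENTS:
                        conn.sendall(b"250 2.1.5 Recipient OK\r\n")
                    else:
                        conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:  # RSET, NOOP and anything else this fake does not care about
                    conn.sendall(b"250 OK\r\n")
        except OSError:
            pass  # the client gave up (timed out) and closed on us
        finally:
            conn.close()


class RecipientProber:
    """Asks the backend whether an address exists and remembers rejections,
    so the bogus address seen yesterday does not hit the backend again."""

    def __init__(self, host, port, timeout=2.0, negative_ttl=3600.0):
        self.host, self.port, self.timeout = host, port, timeout
        self.negative_ttl = negative_ttl
        self._negative = {}  # address -> expiry; stand-in for the key-value db

    def probe(self, address):
        """Return 'ok', 'reject' or 'defer'.  'defer' means the backend did not
        answer in time; the front MX should tempfail (4xx), never accept."""
        address = address.lower()
        expiry = self._negative.get(address)
        if expiry is not None and expiry > time.monotonic():
            return "reject"  # answered from the negative cache, no round trip
        try:
            with smtplib.SMTP(self.host, self.port, timeout=self.timeout) as smtp:
                smtp.helo("probe.example.net")  # hypothetical probe host name
                code, _ = smtp.mail("")         # null sender, as a bounce would use
                if code != 250:
                    return "defer"
                code, _ = smtp.rcpt(address)
                smtp.rset()                     # never send DATA: this is only a probe
        except (OSError, smtplib.SMTPException):
            return "defer"
        if code == 250:
            return "ok"
        if 500 <= code < 600:
            self._negative[address] = time.monotonic() + self.negative_ttl
            return "reject"
        return "defer"  # 4xx: the backend is itself unsure, ask again later


def demo():
    """Constructed run: a responsive backend, then one that stalls on RCPT."""
    fast = FakeBackend()
    fast.start()
    prober = RecipientProber("127.0.0.1", fast.port, timeout=2.0)
    results = [prober.probe("Alice@example.com"),
               prober.probe("nobody@example.com"),
               prober.probe("nobody@example.com")]  # cache hit, no connection made
    slow = FakeBackend(rcpt_delay=1.5)
    slow.start()
    stalled = RecipientProber("127.0.0.1", slow.port, timeout=0.3)
    return results, fast.connections, stalled.probe("alice@example.com")


if __name__ == "__main__":
    print(demo())  # (['ok', 'reject', 'reject'], 2, 'defer')
```

The fast backend is asked twice, not three times, because the second "nobody" probe is served from the negative cache; the stalled backend never gets a verdict, only a deferral that the sender will retry. Postfix's own reject_unverified_recipient, mentioned at the top of the reply, implements the same idea natively, including the negative cache (address_verify_negative_cache), so the hand-rolled version is mainly useful when the front MX is not Postfix or the probe has to feed a separate address list.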