Victor Duchovni put forth on 12/1/2010 11:51 PM:
> On Wed, Dec 01, 2010 at 11:43:30PM -0600, Stan Hoeppner wrote:
>
>> Victor Duchovni put forth on 12/1/2010 5:06 PM:
>>> On Wed, Dec 01, 2010 at 04:50:20PM -0600, Stan Hoeppner wrote:
>>
>>>> Are LDAP queries still simpler and cheaper once all recipient addresses
>>>> are cached in $data_directory/verify_cache?
>>>
>>> Yes, because the vast majority of "RCPT TO" commands are dictionary
>>> attacks, if not all the time, at least at peak loads when it matters.
>>> Sending an SMTP probe is much more expensive than making an LDAP query.
>>
>> So a remote LDAP query is cheaper than a local table lookup?
>
> The lookup is always a cache miss. Then an SMTP probe is sent. Dictionary
> attacks always yield cache misses.
>
>> Interesting. I would have assumed lookups to the local RAV cache file
>> would be infinitely faster than a remote LDAP query. I would guess that
>> for many/most organizations the RAV cache would be populated within a
>> few days max, if not a few hours.
>
> You are forgetting that dictionary attacks are almost exclusively queries
> for non-existent users. Think clearly, and think outside the box about
> worst-case behaviour.
>
>> But you're saying the remote LDAP query is "cheaper" in this
>> case, Viktor?
>
> Because I am not thinking about normal loads that don't matter. One
> needs to survive hostile loads.
>
>>> LDAP tables are supported and not discouraged, but high volume sites
>>> may want to dedicate some LDAP replicas to MTA queries.
>>
>> I'm not discouraging anyone from using LDAP queries. I merely made the
>> case that many times RAV is a better choice, and stated some reasons why.
>
> The reasons are not valid under hostile conditions.
Well, yes, assuming you're not dropping such hostile connections with
postscreen, smtpd_foo_restrictions, and/or fail2ban or similar, _before_
the transactions get to the recipient validation stage in volume. Are you
assuming most, or a significant number, of such transactions live to the
RAV stage?

I just noticed, Viktor, that you are one of the LDAP code authors. Please
note I am making no arguments _against_ the use of LDAP, but merely making
some arguments _for_ the use of RAV.

-- 
Stan
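The cache-miss argument above can be made concrete with a small model. The following is an added example, not code from the thread or from Postfix: a toy recipient-verification cache in the spirit of verify_cache, fed once with normal traffic (recipients drawn from a real user list) and once with a dictionary attack (every RCPT TO a never-seen name). The class and function names, the TTL values and the constructed 50-user directory are all assumptions made for the illustration; each "probe" stands in for one SMTP callout to the backend.

```python
# Added example, not from the postfix-users thread or from Postfix itself:
# a toy model of a recipient-verification cache to show why a dictionary
# attack turns every lookup into a cache miss plus an expensive probe.
# Names, TTLs and the sample directory are illustrative assumptions.

from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass
class VerifyCache:
    """Remembers whether a recipient probe succeeded (positive) or failed
    (negative); each kind of result has its own lifetime in seconds."""
    positive_ttl: int = 31 * 86400   # assumed value, not a Postfix default
    negative_ttl: int = 3 * 86400    # assumed value, not a Postfix default
    entries: Dict[str, Tuple[bool, int]] = field(default_factory=dict)
    hits: int = 0
    probes: int = 0   # each probe stands for one (costly) SMTP callout

    def deliverable(self, rcpt: str, now: int, directory: set) -> bool:
        entry = self.entries.get(rcpt)
        if entry is not None and entry[1] > now:
            self.hits += 1           # still-valid cached answer, no probe
            return entry[0]
        # Cache miss: "probe" the backend. Here the backend is a plain set;
        # in real life it is an SMTP transaction to the next-hop server.
        self.probes += 1
        exists = rcpt in directory
        ttl = self.positive_ttl if exists else self.negative_ttl
        self.entries[rcpt] = (exists, now + ttl)
        return exists


def legit_traffic(n: int, directory: set) -> Iterable[str]:
    """Normal mail: RCPT TO addresses cycle through the real user list."""
    users = sorted(directory)
    return (users[i % len(users)] for i in range(n))


def dictionary_attack(n: int, domain: str) -> Iterable[str]:
    """Harvest attempt: every RCPT TO is a name the cache has never seen."""
    return (f"guess{i:06d}@{domain}" for i in range(n))


def run(rcpts: Iterable[str], directory: set, cache: VerifyCache,
        now: int = 0) -> dict:
    """Feed a stream of recipients through the cache; return the tallies."""
    for rcpt in rcpts:
        cache.deliverable(rcpt, now, directory)
    return {"hits": cache.hits, "probes": cache.probes,
            "cached": len(cache.entries)}


# Constructed directory of 50 real mailboxes (sample data for the demo).
DIRECTORY = {f"user{i:02d}@example.com" for i in range(50)}


def demo() -> Tuple[dict, dict]:
    """Same number of RCPT TO commands, normal load versus hostile load."""
    normal = run(legit_traffic(1000, DIRECTORY), DIRECTORY, VerifyCache())
    hostile = run(dictionary_attack(1000, "example.com"), DIRECTORY,
                  VerifyCache())
    return normal, hostile


if __name__ == "__main__":
    normal, hostile = demo()
    print("normal :", normal)    # 50 probes, then every lookup is a hit
    print("hostile:", hostile)   # 1000 probes, zero hits, cache only grows
```

The normal run warms up after 50 probes and then answers from cache; the hostile run of the same size sends a probe for every single command and leaves 1000 negative entries behind, which is the worst case Viktor is describing. Lowering negative_ttl only makes repeated guesses probe again sooner; it does nothing for guesses that never repeat.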