On 02/12/2010, at 06:25, DTNX/NGMX Postmaster wrote:
On 01/12/2010, at 23:18, Stan Hoeppner wrote:
Martin Kellermann put forth on 12/1/2010 9:19 AM:
So, is it still (seven years later) "The right thing™ to do"?
Will it work properly with Exchange 2007/2010?
Since the usage of "script-generated map-files" will never show
a real-time picture of the valid Exchange recipients to Postfix,
isn't it nicer to do "online LDAP requests" from Postfix?
Maybe this is possible with an LDAP-SASL plugin...?
If you have very few users, say 1-100, and your organization doesn't
have frequent personnel changes, I recommend using relay_recipient_maps
and manually editing the table when needed.
If more than that, for many reasons, I recommend using recipient address
verification instead of LDAP lookups, assuming you have decent spam
filtering techniques on your Postfix gateway, which is a requirement in
today's world anyway.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
The main reasons I recommend this over LDAP are:
1. These probes are typically faster than LDAP queries
2. Recipient verification caches probe results reducing query load
and increasing performance. AFAIK LDAP results aren't cached.
3. _VASTLY_ simpler configuration compared to LDAP
4. Doesn't require LDAP support to be compiled into your Postfix package
5. You get a _realtime_ answer regarding SMTP mailbox availability.
An LDAP response may differ from an Exchange SMTP response due to
a number of reasons, such as AD synchronization, etc. This is
probably rare, but it can happen.
I would suggest that in most cases, the RAV option is probably the best choice,
unless performance is an issue because of hardware constraints, or mail volume?
Compared to maintaining a recipient map it is pretty much automatic once set
up, and very resilient when it comes to changes to your Exchange server and/or
AD servers. Which you'll love when you are not the person maintaining the
Exchange server, or someone in upper management decides that all accounts
should have aliases for all the common typos they can think of.
Compared to LDAP it can be easily tested using any telnet client, does not
depend on having a valid account within the AD forest, and is configured using
the transport map entry you need anyway to deliver mail. You don't need any
additional firewall rules either, beyond the port you use for SMTP traffic.
We use RAV on our MX servers to route mail to clients with Exchange. Simple,
and it works like a charm.
Cya,
Jona
Thank you all for your detailed suggestions.
Looking at the pros and cons of LDAP vs RAV, I think I will give RAV a try.
Since I have never used the Postfix verify server before: master.cf shows
the default
"verify unix - - n - 1 verify"
main.cf is unconfigured regarding the verify server, so it will use these
(postconf -d)
defaults:
address_verify_cache_cleanup_interval = 12h
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map = btree:$data_directory/verify_cache
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = $double_bounce_sender
address_verify_sender_dependent_default_transport_maps = $sender_dependent_default_transport_maps
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
Any hints or pitfalls using these values?
I tried testing RAV on one transport domain by adding
"check_recipient_access hash:/etc/verifylist" to
smtpd_recipient_restrictions. In /etc/verifylist I defined "test.com
reject_unverified_recipient" and
it seems to work so far.
But I see a strange "double-bounce" in mail.log which I don't understand:
--------------
12:45:00 postfix/smtpd[26517]: connect from [...]
12:45:00 postfix/cleanup[26524]: 500E0EB438E: message-id=<20101202114500.500e0eb4...@$myhostname>
12:45:01 postfix/qmgr[26504]: 500E0EB438E: from=<double-bou...@$myhostname>, size=311, nrcpt=1 (queue active)
12:45:06 postfix/smtp[26774]: 500E0EB438E: to=<n...@test.com>, relay=IP[IP]:PORT, delay=5.7, delays=0.6/0/0.03/5.1, dsn=5.1.1, status=undeliverable (host IP[IP] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
12:45:06 postfix/smtpd[26517]: NOQUEUE: reject: RCPT from [...]: 450 4.1.1 <n...@test.com>: Recipient address rejected: unverified address: host IP[IP] said: 550 5.1.1 User unknown (in reply to RCPT TO command); from=<sen...@domain.com> to=<n...@test.com> proto=ESMTP helo=<[...]>
12:45:07 postfix/smtpd[26517]: disconnect from [...]
--------------
And there's a 5 sec. delay... that seems way too long to me for just
checking the recipient!?
Thank you
PS: should unverified_recipient_reject_code be set to 450 or 550?
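The "double-bounce" in that log is the verify(8) probe that reject_unverified_recipient sends on the client's behalf; as an added example (not from this thread or from Postfix), the Python below correlates the probe's smtp(8) result line with the client-facing 450 reject, by queue id and recipient, and splits the delays= field to show which phase the 5 seconds went into. The sample log is constructed from the excerpt above (the poster's redactions kept), and the DELAY_FIELDS names are my own labels for the four Postfix delay components.

```python
import re

# Constructed sample log, modelled on the excerpt in the mail above (the
# poster's own redactions such as IP[IP] and $myhostname are kept as-is).
SAMPLE_LOG = """\
12:45:00 postfix/smtpd[26517]: connect from [...]
12:45:00 postfix/cleanup[26524]: 500E0EB438E: message-id=<20101202114500.500e0eb4...@$myhostname>
12:45:01 postfix/qmgr[26504]: 500E0EB438E: from=<double-bou...@$myhostname>, size=311, nrcpt=1 (queue active)
12:45:06 postfix/smtp[26774]: 500E0EB438E: to=<n...@test.com>, relay=IP[IP]:PORT, delay=5.7, delays=0.6/0/0.03/5.1, dsn=5.1.1, status=undeliverable (host IP[IP] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
12:45:06 postfix/smtpd[26517]: NOQUEUE: reject: RCPT from [...]: 450 4.1.1 <n...@test.com>: Recipient address rejected: unverified address: host IP[IP] said: 550 5.1.1 User unknown (in reply to RCPT TO command); from=<sen...@domain.com> to=<n...@test.com> proto=ESMTP helo=<[...]>
12:45:07 postfix/smtpd[26517]: disconnect from [...]
"""

# The verify(8) probe is queued with the double-bounce sender; the smtp(8)
# line for that queue id carries the remote server's verdict and timing.
PROBE_QUEUED = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>double-bou[^>]*)>")
PROBE_RESULT = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$")
# The client-facing reject that reject_unverified_recipient built from the probe result.
CLIENT_REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from .*?: (?P<code>\d{3}) (?P<dsn>[\d.]+) <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: unverified address: (?P<reason>.*?); from=<(?P<sender>[^>]*)>")
# Postfix delays=a/b/c/d: a = before queue manager, b = in queue manager,
# c = connection setup (DNS/HELO/TLS), d = transmission incl. waiting for RCPT TO reply.
DELAY_FIELDS = ("before_qmgr", "in_qmgr", "connection_setup", "transmission")


def correlate_verify_probes(log_text):
    """Pair each verify probe (by queue id) with the client reject it caused (by recipient)."""
    probes, rejects = {}, {}
    for line in log_text.splitlines():
        if m := PROBE_QUEUED.search(line):
            probes[m["qid"]] = {"queue_id": m["qid"], "probe_sender": m["sender"]}
        elif (m := PROBE_RESULT.search(line)) and m["qid"] in probes:
            said = re.search(r"said: (\d{3} [\d.]+)", m["reason"])
            probes[m["qid"]].update(
                recipient=m["rcpt"], relay=m["relay"], probe_status=m["status"], probe_dsn=m["dsn"],
                remote_reply=said.group(1) if said else None, probe_delay=float(m["delay"]),
                delays=dict(zip(DELAY_FIELDS, map(float, m["delays"].split("/")))))
        elif m := CLIENT_REJECT.search(line):
            rejects[m["rcpt"]] = {"reject_code": int(m["code"]), "reject_dsn": m["dsn"],
                                  "client_sender": m["sender"]}
    return [dict(p, **rejects.get(p.get("recipient"), {})) for p in probes.values()]


def slowest_phase(delays):
    """Name the delays= component that dominated a probe (here: the remote RCPT TO wait)."""
    return max(delays, key=delays.get)
```

Run against a real mail.log, a transmission-dominated probe points at the Exchange side of the conversation, while a large connection_setup value points at DNS, firewall or TLS handshake time on the path to it.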