Wietse Venema put forth on 12/2/2010 7:35 AM:
> Victor Duchovni:
>> Because I am not thinking about normal loads that don't matter. One
>> needs to survive hostile loads.
>>
>>>> LDAP tables are supported and not discouraged, but high volume sites
>>>> may want to dedicate some LDAP replicas to MTA queries.
>>>
>>> I'm not discouraging anyone from using LDAP queries. I merely made the
>>> case that many times RAV is a better choice, and stated some reasons why.
>>
>> The reasons are not valid under hostile conditions.
>
> Stan, if your server is connected to the internet, then your worst
> case will become your common case.
>
> Therefore it is a mistake to optimize the common case.
>
> Wietse

Yes, as always. I've simply been looking at this from the premise that our countermeasures which stop spam connections before the RCPT TO stage will also stop dictionary attacks before the RCPT TO stage since such attacks typically come from the same types of sources.

Everyone has slightly different antispam countermeasures, so maybe this would account for some folks seeing far more connections reach the RCPT TO stage than others. Those using SA as a post queue filter, for instance, would likely see far more of these making it to the RCPT TO stage.

Am I missing something? "smtpd_delay_reject = yes" doesn't cause a user lookup for each connection does it? Doesn't this merely log the RCPT TO address without looking it up? If the latter, again, I'd assume antispam measures would stop most of the dictionary attack RCPT TO queries from reaching the downstream server via RAV.

If I'm wrong here, please educate me.

--
Stan