On Fri, 8 Mar 2013, Bastian Blank wrote:

> On Fri, Mar 08, 2013 at 03:45:57PM +0200, Geoff Shang wrote:
>> Given the high focus on security at our company, we've determined
>> that password verification in LDAP is a costly operation.
> Why is it costly? And how does "costly" fit into security?

Because the passwords are stored in some highly encrypted form (not my
area) and comparing passwords means likewise encrypting the password to be
checked.

> And password verification is not necessary for looking up stuff.

Not if you bind anonymously. But if you bind with a specific account
(i.e. log in with a username and password), this will need to be verified.
This is no big deal if it happens once but can be a performance drain if
it has to happen for every single lookup.

The other issue is TLS negotiation. If it can be set up once, this is
fine. Frequent TLS negotiations will likewise be a performance hit.
We could do anonymous binds in the clear, but we're taking this as a last
resort position.

> Add an LDAP replica on each postfix and dovecot server. This is a good
> idea for scalability and redundancy anyway.

Not sure how wild people will be about this idea.

>> My question is, is it possible to get proxymap to open a persistent
>> connection for LDAP to do relay_domain and relay_recipient lookups?
> It does this in all of my setups. They use Postfix 2.9.

Good point. I'm using 2.7.1 (Debian stable).

>> mydestination = mx.ourdomain.com, localhost
>> myhostname = mx.ourdomain.com
> I don't think this is correct. Maybe mx.example.com.

It's correct. All hosted domains will be relay_domains.

Geoff.
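As an added example (not configuration from this thread or from the Postfix project), this is how the two lookups in question would be routed through proxymap, so a long-lived proxymap process holds the LDAP connection and the bind and TLS setup happen once rather than per lookup. It uses an authenticated read-only bind over LDAPS with CA verification instead of an anonymous bind in the clear; the hostnames, DNs, file paths and password are placeholders.

```ini
# --- /etc/postfix/main.cf (fragment) ---
# proxy: sends the lookup to proxymap(8), which keeps the LDAP session open
# across queries instead of each smtpd(8) opening and binding on its own.
relay_domains        = proxy:ldap:/etc/postfix/ldap-relay-domains.cf
relay_recipient_maps = proxy:ldap:/etc/postfix/ldap-relay-recipients.cf

# --- /etc/postfix/ldap-relay-domains.cf (placeholder values) ---
server_host   = ldaps://ldap.example.com
version       = 3
# Dedicated read-only service account: its password is verified once per
# proxymap connection, not once per recipient lookup.
bind          = yes
bind_dn       = cn=postfix-reader,ou=services,dc=example,dc=com
bind_pw       = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
# Verify the directory server's certificate; do not fall back to cleartext.
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
search_base   = ou=domains,dc=example,dc=com
query_filter  = (&(objectClass=mailDomain)(dc=%s))
result_attribute = dc

# --- /etc/postfix/ldap-relay-recipients.cf (same connection settings) ---
server_host   = ldaps://ldap.example.com
version       = 3
bind          = yes
bind_dn       = cn=postfix-reader,ou=services,dc=example,dc=com
bind_pw       = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
search_base   = ou=people,dc=example,dc=com
query_filter  = (&(objectClass=inetOrgPerson)(mail=%s))
result_attribute = mail
```

The .cf files hold the bind password, so they should be readable by root and the postfix group only; `postmap -q example.com ldap:/etc/postfix/ldap-relay-domains.cf` checks a single lookup against the directory before the tables are wired into main.cf.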