On 05/19/2010 04:26 PM, Karsten wrote:
On Wed, 2010-05-19 at 23:13 +0200, Mikael Syska wrote:
Not to highjack the thread, but there are also other things to consider.
I have no idea how on Postfix, but this could help you too Scott Lavoie.
If there are multiple exchange backends for postfix/spamassassin
gateway ... how could one validate that users exists, given that you
only have a list of valid users for some of the exchange servers and
the mailahead/milterahead/smtp are not an option?
Don't think you're hijacking the thread -- you just stated exactly what
I mentioned in my previous post.
The only real problem is validating recipients at the front MX, based on
the data in the backend Exchange servers. Everything else is not a
problem, even though managing a Linux server might seem to be one from
the point of view of a Windows admin... ;)
Aside from the spam, keeping track of the valid addresses has been one of our
(AnteSpam) biggest challenges over the past 8 years. The solution that has
worked best for us has been to maintain a separate list of valid addresses for
postfix to use. But coming from a db background, it has annoyed us no end that
we have to maintain a duplicate of another db. ;-)
We develop the valid address list by using a short (and very fast) perl smtp
test that checks the destination server's response to RCPT for the new address.
We run this test when email comes in for every new/unknown address (and we
track the failures in a simple key-value high speed db so we do not continuously
hammer the poor destination servers with queries for the same bad address used
yesterday or earlier).
Exchange servers have been our biggest headache with doing this however, because
many take "eons" to respond. And when your filtering server is trying to handle
a LOT of incoming junk emails per second, you just can not wait for Exchange to
get around to answering you. So for most Exchange servers we either require
they manage their address list manually OR, if they insist on AnteSpam
automatically adding new addresses, we send what we call a "ping" email with a
special reply-to address so when the Exchange server gets around to sending us
the NDR, we can mark that address as bogus and move on.
As you can see from this long-winded but simplified explanation, this has not
been easy to do. Honestly, I am NOT an Exchange expert...but I swear it had to
be a design goal for some of these servers to take 15 or 30 minutes (or longer) to
send the NDR. And when you are supporting a domain that is being flooded with
thousands of emails to bogus addresses per hour, it gets kinda tedious holding
the mail and addresses in limbo long enough to give the Exchange server time to
respond (or not) so you know what to do with the email.
Honestly, for a simple solution the best thing is to manually keep a list of
valid addresses for Postfix (or whatever MTA you use). It adds a little support
load until you train the domain admin to add new addresses twice, once in
Exchange and once for the filter. But the option of building the valid address
list automatically is NOT for the faint of heart.
Or I suppose it is possible for Exchange and Postfix/your MTA to share a db of
valid addresses? I know Postfix is very flexible in that regard. No clue about
Exchange.
Good luck.
--
Andy Dorman
Ironic Design, Inc.
AnteSpam.com, HomeFreeMail.com, ComeHome.net
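The RCPT probe plus "failed address" cache that Andy describes, written out as an added Python example. It is not the AnteSpam Perl script; the timeout, the cache lifetime and the backend host name are assumptions, and a 4xx reply or a slow backend is deliberately left as "unknown" rather than cached as bogus, so a sluggish Exchange server never gets its real users blacklisted.

```python
"""Front-MX recipient verification: probe the backend with RCPT TO and
remember permanent rejections so the same bad address is not re-probed."""
import smtplib
import socket
import time

PROBE_TIMEOUT = 5.0       # seconds; assumed value, do not wait "eons" on Exchange
NEGATIVE_TTL = 24 * 3600  # seconds; assumed lifetime for a remembered bad address


def classify_rcpt(code: int) -> str:
    """2xx -> address accepted, 5xx -> permanently rejected, else undecided."""
    if 200 <= code < 300:
        return "valid"
    if 500 <= code < 600:
        return "invalid"
    return "unknown"          # 4xx greylisting, odd codes: try again later


class NegativeCache:
    """Tiny key-value store of rejected addresses with expiry (in-memory stand-in
    for the fast key-value db mentioned in the post)."""
    def __init__(self, ttl: float = NEGATIVE_TTL, clock=time.time):
        self._ttl, self._clock, self._bad = ttl, clock, {}

    def is_bad(self, addr: str) -> bool:
        expires = self._bad.get(addr.lower())
        if expires is None:
            return False
        if expires <= self._clock():      # entry aged out: re-probe next time
            del self._bad[addr.lower()]
            return False
        return True

    def mark_bad(self, addr: str) -> None:
        self._bad[addr.lower()] = self._clock() + self._ttl


def probe_rcpt(addr: str, host: str, port: int = 25,
               timeout: float = PROBE_TIMEOUT, sender: str = "") -> str:
    """Open an SMTP session to the backend, issue MAIL FROM:<> and RCPT TO, then quit.
    Network trouble or a timeout is 'unknown', never 'invalid'."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:   # quit() on exit
            s.ehlo_or_helo_if_needed()
            if s.mail(sender)[0] != 250:
                return "unknown"
            code, _ = s.rcpt(addr)
            s.rset()                                           # abandon the envelope
            return classify_rcpt(code)
    except (socket.timeout, smtplib.SMTPException, OSError):
        return "unknown"


def verify(addr: str, host: str, cache: NegativeCache, prober=probe_rcpt) -> str:
    """Consult the cache first; only probe (and possibly cache) on a miss."""
    if cache.is_bad(addr):
        return "invalid"
    verdict = prober(addr, host)
    if verdict == "invalid":
        cache.mark_bad(addr)
    return verdict
```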