[Mimedefang] Maybe OT: using sendmail and Active Directory to reject invalid recipients

Bob Falkenberg rfalkenberg at looksmart.net
Thu Dec 11 11:59:28 EST 2003


Brian, 

Up until late last year we used SendMail 8.11.3 configured to do ldap
look-ups against an Exchange 5.5 server.  We were able to handle approx.
100k messages a day.  50k getting bounced user unknown, 15 to 25k getting
bounced via MAPS and 20 to 30k of legit email.  We would like to think that
AD and Exchange 2000 or 2003 could handle this as well but maybe not if your
tests are correct.

We moved away from this setup for a couple of reasons.  The first being the
sendmail.cf for that server was written by hand by a sysadmin who wasn't
with us any more and the second being that if the connection to the ldap
server was broken we didn't get mail until the connection was restored.

I like your solution but we took a little different tack here that other
folks might find interesting.  Instead of creating an access.db we are
creating a virtusertable; this allows us to bounce the "user unknown" mail
for multiple domains before it ever reaches the Exchange servers.  A perl
script run against the Exchange LDAP directory creates the file and we push
it out to the external mail servers.  This removes the dependency on the
LDAP server connection and speeds up the lookups for addresses because
SendMail has it loaded from the virtusertable.db file already.

Just another take on the same theme, 

Bob F.  
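One way to build the per-domain map described above, written in Python as an added illustration (it is not the poster's own Perl script). The LDIF sample, the domains and the simplified lookup order are constructed assumptions; the sendmail convention it relies on is that a virtusertable entry mapping an address to itself accepts it, while an `@domain` catch-all with an `error:` right-hand side rejects everything else in that domain.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export (not real data). Exchange keeps SMTP aliases in
# proxyAddresses as "SMTP:" (primary) and "smtp:" (secondary) values.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
mail: alice@example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:alice.example@example.org
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Users,DC=example,DC=com
mail: bob@example.org
proxyAddresses: SMTP:bob@example.org
"""

REJECT = "error:5.1.1:550 User unknown"  # RHS sendmail uses to bounce a recipient

def smtp_addresses(ldif_text):
    """Yield every SMTP address (mail + proxyAddresses) found in an LDIF dump."""
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if value.startswith(":"):  # LDIF "::" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if key == "mail":
            yield value.lower()
        elif key == "proxyaddresses" and value[:5].lower() == "smtp:":
            yield value[5:].lower()

def build_virtusertable(ldif_text):
    """Return virtusertable lines: one identity entry per valid recipient, then a
    per-domain catch-all that rejects anything else as 'User unknown'."""
    by_domain = defaultdict(set)
    for addr in smtp_addresses(ldif_text):
        local, _, domain = addr.rpartition("@")
        if local and domain:
            by_domain[domain].add(addr)
    lines = []
    for domain in sorted(by_domain):
        lines.extend(f"{addr}\t{addr}" for addr in sorted(by_domain[domain]))
        lines.append(f"@{domain}\t{REJECT}")
    return lines

def lookup(table_lines, recipient):
    """Simplified model of sendmail's virtusertable lookup: exact address first,
    then the @domain catch-all. None means the domain is not in the map at all."""
    table = dict(line.split("\t", 1) for line in table_lines)
    recipient = recipient.lower()
    return table.get(recipient) or table.get("@" + recipient.rpartition("@")[2])
```

Because the map is a static file pushed to the relays, a lost LDAP connection no longer stops mail; the trade-off is that a mailbox created between two pushes is rejected until the next regeneration.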


-----Original Message-----
From: David F. Skoll [mailto:dfs at roaringpenguin.com] 
Sent: Wednesday, December 10, 2003 7:13 PM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Maybe OT: using sendmail and Active Directory to
reject invalid recipients


On Wed, 10 Dec 2003 brian at bluecoat93.org wrote:

> Apologies if this is off-topic, but hopefully someone here will find 
> it useful.

I find it quite useful!  Thanks.

[...]

> INITIAL THOUGHTS:  use either LDAP or MIMEdefang's
> check_against_smtp_server() function to validate each recipient in 
> real-time against Active Directory or Exchange.  The problem we ran 
> into with this in testing is that it GREATLY increased the load on our 
> Exchange and AD servers.  MIMEdefang opens up a brand new SMTP session 
> for *each recipient* when validating against an SMTP server.  Thus, 
> for a spam message with 100 recipients, Exchange now had to handle 101 
> SMTP sessions instead of only 1.

But not all at the same time -- they are serialized.

> This wasn't ideal for us.  Likewise
> with querying Active Directory: an extra 100 queries per message.  We 
> decided that real-time validation wasn't going to scale for our 
> environment.

Is AD that slow?  I thought the whole point of LDAP was the "L" part:
"Lightweight".  Can't AD keep up with 5-10 queries/second?

I ran a quick test on my machine (P-II 400Mhz):

  time for i in `seq 1 100` ; do ldapsearch -x -D 'cn=Manager,dc=roaringpenguin,dc=com' -w foo '(mail=dfs at roaringpenguin.com)' > /dev/null; done

This is using OpenLDAP, and it did 100 queries in 4 seconds.  The test is
grossly inefficient, because we're also timing the invocation of ldapsearch,
the opening of a new LDAP connection, the query, and the closing of the
connection; a proper implementation would be much faster.  AD must be awful
indeed if it won't scale to this level.

Our CanIt product does several (sometimes tens) of SQL queries against a
PostgreSQL database per email; that is surely heavier than an LDAP lookup,
and reasonable hardware can handle upwards of 5-10 emails/second.

> http://www.packetslave.com/code/adexport.txt
> http://www.packetslave.com/code/genaccessdb.txt

Very nice; thanks!

Regards,

David.
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
