[Mimedefang] Maybe OT: using sendmail and Active Directory to reject invalid recipients

brian at bluecoat93.org
Wed Dec 10 18:03:06 EST 2003


Apologies if this is off-topic, but hopefully someone here will find it 
useful.

At our company, we run sendmail + MIMEDefang + SpamAssassin on gateway 
servers in front of our Microsoft Exchange environment.  All mail 
flowing into the company from the Internet passes through these 
gateways where it is scanned and tagged as potential spam.  Sendmail 
then delivers the mail on to Exchange.  We run approximately 150,000 
mails per day through the environment.

OUR QUANDARY:  by default, Exchange will accept mail to ANY at the SMTP 
stage,  whether or not it corresponds to a valid Exchange recipient.  
If the recipient turns out to be invalid, Exchange will later bounce 
the message.  This creates problems for us, since the lion's share of 
messages coming into our environment with invalid recipients are SPAM 
messages with invalid sender addresses.  Thus, Exchange gets bogged 
down with hundreds or thousands of bounces and double-bounces.

SIDEBAR:  with Exchange 2003, it IS possible to make Exchange reject 
SMTP recipients that don't correspond to valid mailboxes (or public 
folders, or distribution lists).  We decided not to go this route 
since it would push handling bounces and double-bounces up to the 
sendmail layer (Exchange would reject the recipient, then sendmail 
would have to generate a bounce, since it had already accepted the 
message before trying to deliver it to Exchange).  We'd much rather 
stop the invalid mail from ever coming in.

INITIAL THOUGHTS:  use either LDAP or MIMEdefang's 
check_against_smtp_server() function to validate each recipient in 
real-time against Active Directory or Exchange.  The problem we ran 
into with this in testing is that it GREATLY increased the load on our 
Exchange and AD servers.  MIMEdefang opens up a brand new SMTP session 
for *each recipient* when validating against an SMTP server.  Thus, for 
a spam message with 100 recipients, Exchange now had to handle 101 
SMTP sessions instead of only 1.  This wasn't ideal for us.  Likewise 
with querying Active Directory: an extra 100 queries per message.  We 
decided that real-time validation wasn't going to scale for our 
environment.

OUR SOLUTION:  export a list of all valid email addresses from Active 
Directory every 30 minutes.  Use this list to generate sendmail's 
access.db file and use the 'blacklist_recipients' feature to filter 
recipients at the RCPT TO level.  In our case, we export the list on an 
internal Linux server, rather than provide direct LDAP access from the 
mail gateways to Active Directory.  We then use cfengine to copy the 
generated access.db file to the gateways and run a 'make' to generate 
the DB file.

This has worked VERY well for us so far.  The overall load on our 
sendmail gateways is down significantly (since many messages never make 
it to the MIME-parsing portion of MIMEdefang, as all recipients are 
rejected at RCPT TO).

Hopefully, someone else out there will find our solution useful.  Below 
is a link to the scripts we use to export the addresses from Exchange 
and generate the access.db file.  While not specific to MIMEdefang 
(this solution could be used without it), I'm guessing we're not the 
only company out there using sendmail as a gatekeeper for Exchange.

http://www.packetslave.com/code/adexport.txt 
http://www.packetslave.com/code/genaccessdb.txt

I'd very much welcome feedback on our solution, especially if someone 
finds it useful enough to implement and/or improve.

Cheers, Brian


Obligatory legalese: I'm releasing this code with the blessing of my 
employer, but any and all opinions are my own.  Also, neither I nor my 
employer will accept any responsibility if this code causes you to lose 
mail, makes smoke come out of your sendmail servers, makes your cat's 
hair fall out, or causes your car to get a flat.  Use at your own risk.  
:-)
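The generation step described above, written out as an added example: this is not Brian's adexport/genaccessdb code from the links, and it does not query Active Directory itself. It assumes a plain-text export of AD proxyAddresses (one "smtp:user@domain" per line) as its input, uses constructed sample data and the placeholder domains example.com and sub.example.com, and emits an access file in the form FEATURE(`blacklist_recipients') consults: one reject entry per gateway domain and one OK entry per valid address, so the more specific per-address key wins. The small lookup_recipient() helper only emulates sendmail's To: lookup order so the generated map can be checked offline; the real check is `makemap hash /etc/mail/access < /etc/mail/access` followed by `sendmail -bt` on the gateway.

```python
"""Generate a sendmail access map that accepts only known-good recipients.

Added example, not the adexport/genaccessdb scripts from the post. Assumes:
  - a text export of Active Directory proxyAddresses, one per line, in the
    form "smtp:user@domain" (the "SMTP:" primary-address spelling also occurs)
  - sendmail.mc with FEATURE(`access_db') and FEATURE(`blacklist_recipients')
  - placeholder gateway domains example.com and sub.example.com
"""
from collections import OrderedDict

# Constructed sample export standing in for the real AD dump: mixed case,
# a duplicate, a non-SMTP (X400) proxy address and a foreign domain.
SAMPLE_EXPORT = """\
SMTP:Alice.Smith@example.com
smtp:asmith@example.com
smtp:alice@sub.example.com
X400:c=US;a= ;p=Example;o=Exchange;s=Smith;g=Alice;
SMTP:Bob.Jones@example.com
smtp:ALICE.SMITH@EXAMPLE.COM
smtp:someone@othercorp.invalid
"""

GATEWAY_DOMAINS = ("example.com", "sub.example.com")   # placeholder domains
REJECT_RHS = "ERROR:5.1.1:550 User unknown"            # rejected at RCPT TO


def parse_proxy_addresses(text, domains):
    """Return the set of lowercased SMTP addresses belonging to `domains`.

    Non-SMTP proxyAddresses (X400, X500, ...) and addresses in domains the
    gateway does not handle are skipped; case is folded because sendmail's
    access lookups are case-insensitive and AD exports are not consistent.
    """
    valid = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.lower().startswith("smtp:"):
            continue
        addr = line[5:].lower()
        if "@" not in addr:
            continue
        if addr.rsplit("@", 1)[1] in domains:
            valid.add(addr)
    return valid


def build_access_map(valid, domains, reject_rhs=REJECT_RHS):
    """Return (key, rhs) pairs: reject each gateway domain, OK each address.

    Under blacklist_recipients sendmail looks the RCPT TO address up with the
    To: tag, most specific key first, so the per-address OK entries override
    the per-domain reject entry and every unknown local part is refused.
    """
    entries = OrderedDict()
    for d in domains:
        entries["To:" + d] = reject_rhs
    for addr in sorted(valid):
        entries["To:" + addr] = "OK"
    return list(entries.items())


def render_access(entries):
    """Render the pairs as a tab-separated access source file for makemap."""
    return "".join("%s\t%s\n" % (k, v) for k, v in entries)


def lookup_recipient(entries, rcpt):
    """Offline emulation of sendmail's To: lookup order for one recipient.

    Full address first, then the domain and each parent domain, then
    "user@".  Returns the matching RHS, or None when no key matches (sendmail
    would then fall through to its normal relay checks).
    """
    table = dict(entries)
    rcpt = rcpt.lower()
    user, _, domain = rcpt.partition("@")
    labels = domain.split(".")
    candidates = ["To:" + rcpt]
    candidates += ["To:" + ".".join(labels[i:]) for i in range(len(labels))]
    candidates.append("To:" + user + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    addrs = parse_proxy_addresses(SAMPLE_EXPORT, GATEWAY_DOMAINS)
    print(render_access(build_access_map(addrs, GATEWAY_DOMAINS)), end="")
```

The X400 line, the case-variant duplicate and the othercorp.invalid address all drop out of the export, leaving four OK entries behind the two domain-level reject entries. In my reading of cf/README, a To: entry with RHS OK also satisfies the relay check in check_rcpt, which is what lets the gateway go on relaying those recipients to Exchange; confirm that on your own sendmail version with `sendmail -bt` and a `check_rcpt` test for both a valid and an unknown address before swapping the map in.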