[Mimedefang] Maybe OT: using sendmail and Active Directory to reject invalid recipients
brian at bluecoat93.org
Wed Dec 10 18:03:06 EST 2003
Apologies if this is off-topic, but hopefully someone here will find it
useful.
At our company, we run sendmail + MIMEDefang + SpamAssassin on gateway
servers in front of our Microsoft Exchange environment. All mail
flowing into the company from the Internet passes through these
gateways where it is scanned and tagged as potential spam. Sendmail
then delivers the mail on to Exchange. We run approximately 150,000
mails per day through the environment.
OUR QUANDARY: by default, Exchange will accept mail to ANY at the SMTP
stage, whether or not it corresponds to a valid Exchange recipient.
If the recipient turns out to be invalid, Exchange will later bounce
the message. This creates problems for us, since the lion's share of
messages coming into our environment with invalid recipients are SPAM
messages with invalid sender addresses. Thus, Exchange gets bogged
down with hundreds or thousands of bounces and double-bounces.
SIDEBAR: with Exchange 2003, it IS possible to make Exchange reject
SMTP recipients that don't correspond to valid mailboxes (or public
folders, or distribution lists). We decided not to go this route
since it would push handling bounces and double-bounces up to the
sendmail layer (Exchange would reject the recipient, then sendmail
would have to generate a bounce, since it had already accepted the
message before trying to deliver it to Exchange). We'd much rather
stop the invalid mail from ever coming in.
INITIAL THOUGHTS: use either LDAP or MIMEdefang's
check_against_smtp_server() function to validate each recipient in
real-time against Active Directory or Exchange. The problem we ran
into with this in testing is that it GREATLY increased the load on our
Exchange and AD servers. MIMEdefang opens up a brand new SMTP session
for *each recipient* when validating against an SMTP server. Thus, for
a spam message with 100 recipients, Exchange now had to handle 101
SMTP sessions instead of only 1. This wasn't ideal for us. Likewise
with querying Active Directory: an extra 100 queries per message. We
decided that real-time validation wasn't going to scale for our
environment.
OUR SOLUTION: export a list of all valid email addresses from Active
Directory every 30 minutes. Use this list to generate sendmail's
access.db file and use the 'blacklist_recipients' feature to filter
recipients at the RCPT TO level. In our case, we export the list on an
internal Linux server, rather than provide direct LDAP access from the
mail gateways to Active Directory. We then use cfengine to copy the
generated access.db file to the gateways and run a 'make' to generate
the DB file.
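As an added illustration of the access.db approach (this is not Brian's adexport/genaccessdb code, which is linked further down), the following Python script turns an exported address list into the source for sendmail's access map: one `To:user@domain OK` entry per valid recipient plus a catch-all `To:domain ERROR:5.1.1:550 User unknown` per local domain, which is what FEATURE(`blacklist_recipients') needs to reject unknown recipients at RCPT TO. The sample export, the domains `example.com`/`sub.example.com` and the reject text are constructed assumptions. The writer also refuses to replace the map when the export comes back empty, since a failed AD query would otherwise produce a map that rejects every recipient, and it replaces the file atomically so the gateway never reads a half-written map.

```python
"""Build a sendmail access-map source from an Active Directory address
export, accepting only listed recipients for the local domains.
Added example for the blacklist_recipients technique described above;
not the original poster's scripts."""
import os
import tempfile

# Constructed sample export: one address per line, as a directory dump
# might deliver it (mixed case, blank lines, a foreign domain, junk).
SAMPLE_EXPORT = """\
Alice@Example.com
bob@example.com

carol@sub.example.com
not-an-address
mallory@elsewhere.invalid
"""

# Assumed local domains for the example.
LOCAL_DOMAINS = ("example.com", "sub.example.com")

# Access-map action for any local-domain recipient that is not listed.
REJECT_ACTION = "ERROR:5.1.1:550 User unknown"


def parse_export(text, domains):
    """Return sorted, lower-cased addresses that belong to `domains`.
    Blank, malformed and foreign-domain lines are skipped."""
    valid = set()
    for line in text.splitlines():
        addr = line.strip().lower()
        if "@" not in addr:
            continue
        local, _, domain = addr.rpartition("@")
        if local and domain in domains:
            valid.add(addr)
    return sorted(valid)


def build_access_entries(addresses, domains, reject_action=REJECT_ACTION):
    """One OK line per valid address, then a catch-all reject per domain.
    sendmail consults To:user@domain before To:domain, so OK wins for
    listed users and the domain entry catches everyone else."""
    lines = [f"To:{addr}\tOK" for addr in addresses]
    lines += [f"To:{d}\t{reject_action}" for d in sorted(domains)]
    return lines


def write_access_file(lines, path, min_entries=1):
    """Atomically replace `path` with the new map source. Refuses to
    write when fewer than `min_entries` OK entries exist: an empty export
    (a failed AD query, say) would otherwise reject all inbound mail."""
    ok_count = sum(1 for line in lines if line.endswith("\tOK"))
    if ok_count < min_entries:
        raise RuntimeError(f"only {ok_count} addresses exported; not updating {path}")
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".access.")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)  # rename is atomic; afterwards run makemap (or 'make')
    return ok_count


def lookup(recipient, lines):
    """Simulate the recipient check: exact address first, then the domain
    and its parent domains. Returns the matching action, or None when the
    map says nothing about this recipient."""
    table = dict(line.split("\t", 1) for line in lines)
    addr = recipient.lower()
    hit = table.get(f"To:{addr}")
    if hit:
        return hit
    labels = addr.rpartition("@")[2].split(".")
    for i in range(len(labels) - 1):
        hit = table.get("To:" + ".".join(labels[i:]))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    addrs = parse_export(SAMPLE_EXPORT, LOCAL_DOMAINS)
    entries = build_access_entries(addrs, LOCAL_DOMAINS)
    print("\n".join(entries))
    print(lookup("BOB@example.com", entries))  # OK
    print(lookup("eve@example.com", entries))  # ERROR:5.1.1:550 User unknown
```

The generated file is only the map source; as in the setup above, it still has to be turned into access.db with makemap (or the Makefile's `make`) on each gateway. The `min_entries` guard is deliberately crude; in production you would compare against the previous run's count so that a partial export is caught as well as an empty one.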
This has worked VERY well for us so far. The overall load on our
sendmail gateways is down significantly (since many messages never make
it to the MIME-parsing portion of MIMEdefang since all recipients are
rejected at RCPT TO).
Hopefully, someone else out there will find our solution useful. Below
is a link to the scripts we use to export the addresses from Exchange
and generate the access.db file. While not specific to MIMEdefang
(this solution could be used without it), I'm guessing we're not the
only company out there using sendmail as a gatekeeper for Exchange.
http://www.packetslave.com/code/adexport.txt
http://www.packetslave.com/code/genaccessdb.txt
I'd very much welcome feedback on our solution, especially if someone
finds it useful enough to implement and/or improve.
Cheers, Brian
Obligatory legalese: I'm releasing this code with the blessing of my
employer, but any and all opinions are my own. Also, neither I nor my
employer will accept any responsibility if this code causes you to lose
mail, makes smoke come out of your sendmail servers, makes your cat's
hair fall out, or causes your car to get a flat. Use at your own risk.
:-)