[Mimedefang] Distributed access lists

John Rudd john at rudd.cc
Sat Jun 24 16:59:06 EDT 2006


On Jun 24, 2006, at 1:24 PM, Kenneth Porter wrote:

> --On Saturday, June 24, 2006 1:01 PM +0900 alan premselaar 
> <alien at 12inch.com> wrote:
>
>>>> You could deliver the primary's access database to the secondary
>>>> somehow  (via scp/rsync, ftp, etc. like in every 5 minutes or so, or
>>>> just when  your primary access database gets updated, e.g. when you 
>>>> add
>>>> a new  mailbox) and merge both access files before building the
>>>> access.db. Thus  the secondary MX will always have all the 
>>>> information
>>>> needed to reject  mail coming to non-existing recipients for both of
>>>> your domains.
>>>
>>> My paragraph above sort of explains why this won't work, since my 
>>> access
>>> file doesn't contain much. I'll look and see what it has, though, and
>>> maybe I can do something with it.
>>
>> Distributed access lists, while providing an independent means of
>> rejecting unknown users even if the primary MX is unavailable, are more
>> of an administrative burden.
>
> Why not put the access list in DNS, which is also distributed? Dynamic 
> updates allow multiple servers to maintain it, and local caching 
> should keep it reasonably fast.

You mean like hesiod?

(imagine NIS implemented on top of DNS, and you've got hesiod)

That was certainly well adopted by the 'net at large.

Don't get me wrong, I think hesiod is _great_.  But LDAP has pretty 
much taken over that niche, even at MIT (where hesiod came from, as 
part of project athena).

(and before anyone says "but DNS is even less secure than NIS!", you 
don't put any secure information in hesiod; so the password field of 
the passwd domain is "*" for all hesiod entries, and you use some other 
password store/authentication mechanism for users not in /etc/passwd 
(project athena intended you to use kerberos for that))
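The procedure quoted earlier in the thread (fetch a copy of the primary MX's sendmail access file, merge it with the secondary's own file, then rebuild access.db) as an added shell example; this is not code from the thread or from MIMEDefang. The file paths, the conflict policy (the secondary's own entry wins on a duplicate key and the clash is reported on stderr) and the use of rsync to fetch the copy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): merge the primary MX's access file into
# the secondary's own access file and rebuild access.db from the result.
# Assumed layout: the primary's copy has already been fetched, e.g. with
#   rsync -a primary-mx:/etc/mail/access /var/tmp/access.primary   (hypothetical hosts/paths)

# merge_access PRIMARY_COPY LOCAL_ACCESS OUTPUT
# Entries are "key<whitespace>value" lines as in sendmail's access file.
# Comments and blank lines are dropped. The local (secondary) entry wins when
# both files define the same key; keys only the primary knows are appended.
# Each conflict is reported on stderr so the administrator can review it.
merge_access() {
    primary="$1"; local_file="$2"; out="$3"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # skip comments and blank lines
        FILENAME == ARGV[1] {                                  # first file: local entries
            if (!($1 in entry)) order[++n] = $1
            entry[$1] = $0
            next
        }
        !($1 in entry) { entry[$1] = $0; order[++n] = $1; next }   # new key from the primary
        { printf("conflict: %s (keeping local entry)\n", $1) > "/dev/stderr" }
        END { for (i = 1; i <= n; i++) print entry[order[i]] }
    ' "$local_file" "$primary" > "$out"
}

# build_access_db SRC
# Rebuild SRC.db with makemap (sendmail's own tool) without leaving a
# half-written map in place: build to a temporary name, then rename.
# Skips quietly on hosts without makemap, such as a test machine.
build_access_db() {
    src="$1"
    command -v makemap >/dev/null 2>&1 || { echo "makemap not installed; skipping" >&2; return 0; }
    makemap hash "$src.new" < "$src" && mv "$src.new.db" "$src.db"
}

# Typical use (paths are placeholders):
#   merge_access /var/tmp/access.primary /etc/mail/access.local /etc/mail/access
#   build_access_db /etc/mail/access
```

Run it from cron at whatever interval the thread suggests (every few minutes, or whenever the primary's mailbox list changes); because the merged file is rebuilt from the two inputs each time, a recipient removed on the primary disappears from the secondary's access.db on the next run rather than lingering.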
