[Mimedefang] md_check_against_smtp_server
Yizhar Hurwitz
yizhar at mail.com
Sat Oct 20 17:27:04 EDT 2007
Hi.
> From: "David F. Skoll" <dfs at roaringpenguin.com>
> Subject: Re: [Mimedefang] md_check_against_smtp_server {Scanned by
> Allteks Mailsafe}
>
> I don't think it's a good idea to cache the results of md_check_against_server.
> If someone does a dictionary attack and you cache negative lookups,
> your cache will grow very large. If you don't cache negative lookups,
> then most of the time you won't have a cache hit.
>
>
I disagree.
On some of my servers (those that use md_check_against_smtp_server),
I use a simple cache of the positive results only.
Some of the ideas and goals are:
* I assume that most of the time I do have a cache hit for valid recipients, even though I didn't test that assumption. We can argue about statistics, but for sure we can agree that some cache hits (for valid recipients) are more than no cache at all, right?
* If/when the backend server isn't available to the mail relay (for any reason), the mail relay can accept messages to known valid recipients from the cache, while tempfailing the others. This is better than tempfailing all messages or accepting all of them in such a case.
* Caching the positive responses can reduce the SMTP overhead.
* By not caching the negative responses, I don't have the problem of maintaining a large cache.
* By not caching the negative responses, I don't have a problem when I create a new valid recipient on the back-end server, as it will accept mail immediately.
* Because I cache only positive responses, I can use a very long TTL. I use 30 days currently.
Here you can find more details and my related and simple code:
[Mimedefang] My semi-cached version of md_check_against_smtp_server:
http://lists.roaringpenguin.com/pipermail/mimedefang/2006-December/031463.html
Please note that my servers are mostly for small businesses and run fewer than 10 slaves and fewer than 200 valid recipients, so I can afford using the above simple but not so efficient code.
If you run on a larger scale - some modifications of the cache db storage and handling will be necessary.
My 5 cents,
Yizhar Hurwitz
http://yizhar.mvps.org
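
The positive-only cache described in this message, written out as an added example; it is not the code from the linked 2006 post and not part of MIMEDefang. The name `cached_recipient_check`, the in-memory hash, the injected `$check` coderef, and the stub backend with its example.com addresses are assumptions made so the block runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $TTL = 30 * 24 * 3600;  # 30 days, the TTL quoted in the post
my %cache;  # recipient => time of last positive answer (assumption: in-memory;
            # several slaves would need a shared, locked store instead)

# $check is a coderef returning ($action, $message) in the style of
# md_check_against_smtp_server: 'CONTINUE', 'REJECT' or 'TEMPFAIL'.
# In a real filter_recipient it would wrap (host name is a placeholder):
#   sub { md_check_against_smtp_server($sender, $recip, $helo, 'backend.example.com') }
sub cached_recipient_check {
    my ($recip, $check, $now) = @_;
    $now = time unless defined $now;
    (my $key = lc $recip) =~ s/^<|>$//g;   # normalise "<User@Dom>" to "user@dom"

    # Fresh positive entry: accept without contacting the backend at all.
    # Trade-off: a mailbox deleted on the backend stays accepted until expiry.
    my $seen = $cache{$key};
    return ('CONTINUE', 'OK (cached)') if defined $seen && $now - $seen <= $TTL;

    my ($action, $msg) = $check->($recip);
    if    ($action eq 'CONTINUE') { $cache{$key} = $now }   # cache positives only
    elsif ($action eq 'REJECT')   { delete $cache{$key} }   # drop an expired entry
    # TEMPFAIL falls through: unknown recipient while the backend is down.
    return ($action, $msg);
}

# Constructed demo: a stub backend that knows one mailbox, then goes offline.
my $backend_up = 1;
my $stub = sub {
    my ($recip) = @_;
    return ('TEMPFAIL', 'backend unreachable') unless $backend_up;
    return $recip =~ /^<?alice\@example\.com>?$/i
        ? ('CONTINUE', 'OK') : ('REJECT', 'User unknown');
};

for my $step (['<alice@example.com>', 1], ['<bob@example.com>', 1],
              ['<Alice@Example.com>', 0], ['<carol@example.com>', 0]) {
    (my $recip, $backend_up) = @$step;
    my ($action, $msg) = cached_recipient_check($recip, $stub);
    printf "%-21s backend=%-4s -> %-8s (%s), cache entries: %d\n",
        $recip, $backend_up ? 'up' : 'down', $action, $msg, scalar keys %cache;
}
```

Rejected addresses never enter the hash, so a dictionary attack cannot grow it beyond the number of valid mailboxes.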