Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: DTNX/NGMX Postmaster (postmasterdtnx.net)
Date: Wed Dec 01 2010 - 23:25:15 CST
On 01/12/2010, at 23:18, Stan Hoeppner wrote:
> Martin Kellermann put forth on 12/1/2010 9:19 AM:
>> so, is it still (seven years later) "The right thing™ to do" ?
>> will it work proper with exchange 2007/2010 ?
>> since the usage of "script-generated map-files" will never show
>> a real-time picture of the valid exchange-recipients to postfix,
>> isn't it nicer to do "online LDAP requests" from postfix?
>> maybe this is possible with a LDAP-SASL plugin...?
> If you have very few users, say 1-100, and your organization doesn't
> have frequent personnel changes, I recommend using relay_recipient_maps
> and manually editing the table when needed.
> If more than that, for many reasons, I recommend using recipient address
> verification instead of LDAP lookups, assuming you have decent spam
> filtering techniques on your Postfix gateway, which is a requirement in
> today's world anyway.
> The main reasons I recommend this over LDAP are:
> 1. These probes are typically faster than LDAP queries
> 2. Recipient verification caches probe results reducing query load
> and increasing performance. AFAIK LDAP results aren't cached.
> 3. _VASTLY_ simpler configuration compared to LDAP
> 4. Doesn't require LDAP support be compiled into your Postfix package
> 5. You get a _realtime_ answer regarding SMTP mailbox availability.
> An LDAP response may differ from an Exchange SMTP response due to
> a number of reasons, such as AD synchronization, etc. This is
> probably rare, but it can happen.
I would suggest that in most cases, the RAV option is probably the best choice, unless performance is an issue because of hardware constraints, or mail volume?
Compared to maintaining a recipient map it is pretty much automatic once set up, and very resilient when it comes to changes to your Exchange server and/or AD servers. Which you'll love when you are not the person maintaining the Exchange server, or someone in upper management decides that all accounts should have aliases for all the common typos they can think of.
Compared to LDAP it can be easily tested using any telnet client, does not depend on having a valid account within the AD forest, and is configured using the transport map entry you need anyway to deliver mail. You don't need any additional firewall rules either, beyond the port you use for SMTP traffic.
We use RAV on our MX servers to route mail to clients with Exchange. Simple, and it works like a charm.