From: Stan Hoeppner (stanhardwarefreak.com)
Date: Wed Dec 01 2010 - 23:43:30 CST
Victor Duchovni put forth on 12/1/2010 5:06 PM:
> On Wed, Dec 01, 2010 at 04:50:20PM -0600, Stan Hoeppner wrote:
>> Are LDAP queries still simpler and cheaper once all recipient addresses
>> are cached in $data_directory/verify_cache?
> Yes, because the vast majority of "RCPT TO" commands are dictionary
> attacks, if not all the time, at least at peak loads when it matters.
> Sending an SMTP probe is much more expensive than making an LDAP query.
So a remote LDAP query is cheaper than a local table lookup?
Interesting. I would have assumed lookups to the local RAV cache file
would be infinitely faster than a remote LDAP query. I would guess that
for many/most organizations the RAV cache would be populated within a
few days max, if not a few hours. After that point, all lookups are to
a local table, which again, I'd assume would be much faster than an LDAP
query. But you're saying the remote LDAP query is "cheaper" in this
>> Do you disagree with my other 4 points Viktor? You know this stuff far
>> better than I, so if I'm wrong on the other points I'd like to be
>> corrected, so as not to make the same recommendations in the future.
> My comment is about LDAP table lookups vs. RAV (Recipient Address
> Validation). I don't recall what your other points were, if it is not
> critical, we probably don't need to revisit them.
I don't know about being "critical", but I think they are valid points
supporting the use of RAV.
> LDAP tables are supported and not discouraged, but high volume sites
> may want to dedicate some LDAP replicas to MTA queries.
I'm not discouraging anyone from using LDAP queries. I merely made the
case that many times RAV is a better choice, and stated some reasons why.
I know of one Canadian company with 40K+ users worldwide and a few
million MX connections a day that uses strictly RAV on their two MX
relays. Their reasons for doing so have much more to do with ease and
consistency of management than performance though. Mainly that the
dozens of departmental mail servers run a mix of different MTAs
(Exchange, Groupwise, Notes, etc) and directory services (AD,
eDirectory, etc), making it too difficult to try managing a single LDAP
master directory for the MX servers to query. Thus, they use RAV, and
it works extremely well for them, from both a management and performance
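The two recipient-validation approaches debated in this thread, shown side by side as Postfix main.cf fragments. This is an added example, not configuration from either poster; the domain, the transport map path and the LDAP map file name are assumptions, and a real MX would use one approach or the other, not both.

```ini
# Added example (not from the thread): the two approaches discussed above.
# example.com, /etc/postfix/transport and ldap-recipients.cf are assumed names.

# --- Approach A: LDAP recipient table ---
# Every RCPT TO for the relay domain is looked up in the directory, so a
# dictionary attack costs one LDAP query per address; high-volume sites may
# dedicate LDAP replicas to the MTAs.
relay_domains = example.com
relay_recipient_maps = ldap:/etc/postfix/ldap-recipients.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# --- Approach B: recipient address verification (RAV) ---
# An address not yet in the cache triggers an SMTP probe to the downstream
# server named in transport_maps; the result is stored locally in
# $data_directory/verify_cache, so repeat lookups never leave the box.
# Negative results are cached too, but each new never-seen address in a
# dictionary attack is a cache miss and costs a probe.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d
# Default is 450 (temporary reject while the probe is pending); 550 is a
# common choice once the cache is warm and downstream servers are reliable.
unverified_recipient_reject_code = 550
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient
```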