Christopher Chan wrote:
You are removing a layer if you just pass through the recipient check to the ultimate source (the internal delivery machine) before accepting, and it does in fact need to be able to handle the lookups at the speed real messages come in. However, your external relay is likely to get whacked with a dictionary attack that it needs to be able to reject quickly so you can't do that if the delivery box is slow.
OH are we? So what happens when the frontend hands off to the internal delivery machine? Does not the internal delivery machine again do another lookup?
Yes, but it is pretty unlikely that the results will be different since they are both done quickly against the authoritative source. Unlike if you had made an intermediate copy of the database.
I used qmail for one of my domains a while back and its practice of accepting everything, then sending bounces, got a dictionary attack onto some kind of 'good to spam' list and I got about 50,000 messages/day for non-existing users for years afterwards. That was a problem until I put a sendmail with the good users in a virtuser table in front of it. Interestingly, the messages would come in from a large number of different IP addresses but in a sorted order and with clearly coordinated timing.
/me shudders to think of anyone running a pure qmail-1.03 for an MX.
But no one could convince the author that it was anything short of perfect - or that anyone else was qualified to touch the code.