[CentOS] Recommend Mail Server

Robert Moskowitz rgm at htt-consult.com
Tue Nov 24 05:12:30 UTC 2009


Christopher Chan wrote:
> Craig White wrote:
>   
>> On Tue, 2009-11-24 at 11:00 +0800, Christopher Chan wrote:
>>   
>>     
>>> Ian Forde wrote:
>>>     
>>>       
>>>> On Nov 23, 2009, at 5:34 PM, Christopher Chan 
>>>> <christopher.chan at bradbury.edu.hk> wrote:
>>>>
>>>>       
>>>>         
>>>>> Les Mikesell wrote:
>>>>>         
>>>>>           
>>>>>> You probably really want ldap for that sort of thing.
>>>>>>           
>>>>>>             
>>>>> You probably really want to reconsider using ldap for anything that gets
>>>>> loads of changes daily.
>>>>>         
>>>>>           
>>>> In the case of a mail relay, at one point years back I decided to 
>>>> drop (not bounce) all email to bogus recipients at the relay level 
>>>> rather than let it get to (yuck) Exchange, which would bounce it. The 
>>>> trick was having an updated recipient list. My first thought was to 
>>>> query Active Directory for each user, thus getting an up-to-date result.
>>>>
>>>> This turned out to be a *bad* idea for a couple of reasons. 1) if I 
>>>> can't reach AD, mail won't queue up on the relays, which is one of 
>>>> their major functions. 2) I'm making the relays directly dependent on 
>>>> AD latency. 3) any flood of email from outside can cause a large 
>>>> amount of queries against AD, causing a DOS that the relays are 
>>>> supposed to shield the internal network from.
>>>>
>>>> So instead, I found a script to gather the list of users from AD, did 
>>>> some modifications and wrote some wrappers. The result? A script that 
>>>> runs from cron to get the list of valid addresses, convert them into 
>>>> an access file that sendmail (or postfix, in the first case years ago) 
>>>> can use instead. There's a little more latency, but as long as I do 
>>>> some sanity checking (too many changes? Send an alert and don't change 
>>>> the access file) it works just fine. Ldap-based, yes. But loosely 
>>>> coupled. A good compromise in my experience...
>>>>       
>>>>         
>>> Precisely why a buffer like this for sites with a very large user base 
>>> might want to use cdb. postfix supports cdb and sendmail can get cdb 
>>> support from sf.net/sendmail-cdb. Both need the tinycdb library though. 
>>> Even mysql/postgresql could do with a break for legit users.
>>>     
>>>       
>> ----
>> considering that LDAP is optimized for high amounts of read and minimal
>> writes, the problem with any SMTP daemon querying an LDAP server getting
>> bogged down suggests that other problems are at hand and should be
>> solved. I mean if the primary user/authentication system can't handle
>> the load, you got problems.
>>
>>   
>>     
>
> I was trumpeting postfix's mysql/postgresql support and then Les says 
> LDAP is the way to go and then I point out that LDAP don't like heavy 
> write environments and you are starting the circle again.
>   

And how many LDAP implementations have mysql/postgresql behind the LDAP 
syntax?

So LDAP is frequently WORSE than just a direct SQL table lookup.

At least the few that I have dealt with. I LIKE LDAP. Much better than 
DAP any day of the year ;)

>
> /me tramples LDAP underfoot, gets a horse to trample LDAP, gets a tank 
> to complete the job.
>
>
> LDAP ain't THE SOLUTION for everything you know.
>
>
>   
>> I admire the workarounds but damn, you have to solve the problems anyway
>> because this surely isn't the only place where this is a problem.
>>     
>
>
> Ian pointed out how he needs to 'replicate' a local copy of user 'accounts' 
> from Exchange so that he does not kill Exchange. I just pointed out that 
> this sort of thing can be done also for sites with a very large user 
> base that will want something that is more efficient than Berkeley DB. 
> You can chain lookups in postfix. Check cdb, then check 
> mysql/postgresql. If the account exists in the cdb, then there is no 
> need to check mysql/postgresql. So essentially only non-existent 
> addresses and recently created addresses will result in hits to 
> mysql/postgresql. This is not a work around. This is performance 
> enhancement. Whacking a local cdb will be faster than whacking a 
> mysql/postgresql database. Geez.
>   
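The loosely coupled approach described in the quoted thread (a cron job that exports valid addresses and refuses to touch the relay's table when too much has changed) can be sketched as follows; this is an added example, not code from any poster in the thread. The `address OK` table format, the 10% threshold, and the names `read_table` and `update_table` are assumptions for illustration, and compiling the table for the MTA afterwards is left to the cron wrapper.

```python
import os
import tempfile

MAX_CHANGE_RATIO = 0.10  # assumed threshold: refuse if >10% of entries change


def read_table(path):
    """Return the set of addresses in an existing 'address OK' table."""
    if not os.path.exists(path):
        return None  # first run: nothing to compare against
    with open(path, encoding="utf-8") as fh:
        return {line.split()[0].lower() for line in fh
                if line.strip() and not line.startswith("#")}


def update_table(path, fetched, max_ratio=MAX_CHANGE_RATIO):
    """Replace the table with `fetched` unless the diff looks implausible.

    Returns (applied, added, removed). When applied is False the old file
    is left untouched, so the relay keeps accepting known recipients.
    """
    new = {a.strip().lower() for a in fetched if "@" in a}
    old = read_table(path)
    if old is None:
        added, removed = new, set()
    else:
        added, removed = new - old, old - new
    if not new:
        return False, added, removed      # empty export: directory problem
    if old and (len(added) + len(removed)) / len(old) > max_ratio:
        return False, added, removed      # too many changes: alert instead
    # Write to a temp file in the same directory, then rename atomically so
    # the MTA never reads a half-written table.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for addr in sorted(new):
            fh.write(f"{addr} OK\n")
    os.chmod(tmp, 0o644)                  # mkstemp creates the file as 0600
    os.replace(tmp, path)
    return True, added, removed


if __name__ == "__main__":
    # Constructed sample data; a real job would pass the directory export.
    demo = os.path.join(tempfile.mkdtemp(), "relay_recipients")
    print(update_table(demo, ["alice@example.com", "bob@example.com"]))
    print(update_table(demo, ["alice@example.com"]))  # 50% change: refused
```

Because a refused update leaves the previous table in place, an unreachable or misbehaving directory delays new addresses but never empties the relay's recipient list.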
