On Tue, 2009-11-24 at 11:00 +0800, Christopher Chan wrote: > Ian Forde wrote: > > > > On Nov 23, 2009, at 5:34 PM, Christopher Chan > > <christopher.chan at bradbury.edu.hk > > <mailto:christopher.chan at bradbury.edu.hk>> wrote: > > > >> Les Mikesell wrote: > >>>> > >>> > >>> You probably really want ldap for that sort of thing. > >> > >> You probably really want to reconsider using ldap for anything that gets > >> loads of changes daily. > > > > In the case of a mail relay, at one point years back I decided to > > drop (not bounce) all email to bogus recipients at the relay level > > rather than let it get to (yuck) Exchange, which would bounce it. The > > trick was having an updated recipient list. My first thought was to > > query Active Directory for each user, thus getting an up-to-date result. > > > > This turned out to be a *bad* idea for a couple of reasons. 1) if I > > can't reach AD, mail won't queue up on the relays, which is one of > > their major functions. 2) I'm making the relays directly dependent on > > AD latency. 3) any flood of email from outside can cause a large > > amount of queries against AD, causing a DOS that the relays are > > supposed to shield the internal network from. > > > > So instead, I found a script to gather the list of users from AD, did > > some modifications and wrote some wrappers. The result? A script that > > runs from cron to get the list of valid addresses, convert them into > > an access file that sendmail (or postfix, in the first case years ago) > > can use instead. There's a little more latency, but as long as I do > > some sanity checking (too many changes? Send an alert and don't change > > the access file) it works just fine. Ldap-based, yes. But loosely > > coupled. A good compromise in my experience... > > Precisely why a buffer like this for sites with a very large user base > might want to use cdb. postfix supports cdb and sendmail can get cdb > support from sf.net/sendmail-cdb. Both need the tinycdb library though. > Even mysql/postgresql could do with a break for legit users. ---- considering that LDAP is optimized for high amounts of read and minimal writes, the problem with any SMTP daemon querying an LDAP server getting bogged down suggests that other problems are at hand and should be solved. I mean if the primary user/authentication system can't handle the load, you got problems. I admire the workarounds but damn, you have to solve the problems anyway because this surely isn't the only place where this is a problem. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.