Danny,

Why not do what I did instead of looking up LDAP directories directly, to counter that sort of dependency on another machine for mail flow (you know, DC goes down, or some firewall issue prevents connection, and all of a sudden we start rejecting mail etc. I didn't want that!)

What I did was write a script that runs on a Windows box internally, that yoinks all SMTP addresses out of the AD for given domain names (like all krystaltek.com etc.) and compiles a text file which is then scp'ed to the Postfix box. A cron job on the Postfix box picks this up and sticks it in the right place (/etc/postfix/valid_recips) and postmaps it.

If the scp'ed file is more than x minutes old, the cron job on the Postfix box complains to us via Nagios. Likewise, if the file isn't picked up by the cron job, the next time the Windows script runs, it complains (two processes checking each other is cheap and easy redundancy.) If the whole thing goes to pot, at least the Postfix box is just running with an out-of-date copy of the list, rather than no list at all :D

Greg Mulholland
Just because I don't care, doesn't mean I don't understand - Homer Simpson

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Wednesday, January 04, 2006 10:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject

http://www.ISAserver.org

On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hi Danny,
>
> We'll have to agree to disagree. As long as you allow LDAP traffic
> from an anonymous access DMZ to your DC, you're asking for bad things
> to happen and people like me with ready and willing fingers to point
> at you.
If you or anyone else on this planet can compromise my hardened and up-to-date OpenBSD SMTP mail gateway running Postfix, jailed behind a hardened ISA 2004 SP1 server with only SMTP traffic allowed from the Internet, then I will switch to your platform, riddled with spoofed NDRs, DNS clogging, DoS, blacklisting potential, and wasted bandwidth.

> My design is much more secure, hands-on.

Secure to whom? You did not answer my question about what threats you are attempting to mitigate.

> The NDR issue is a problem with
> my relay's platform. RFC or not ( and you haven't mentioned which RFC
> you're referring to)

SMTP RFC 821, http://www.faqs.org/rfcs/rfc821.html.

> I'm using security best practices by isolating my low security zone
> hosts from my highest security zone hosts.

Sure, I agree with the DMZ config, but I simply add in the on-demand/scheduled LDAP lookups. Solves your problems and follows your "security best practices" as best as possible without limiting functionality (providing reliable, efficient, and secure email services).

...D

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
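The Postfix-side half of the sync Greg describes above, written out as an added example (this is not Greg's script, and nothing in the thread shows his actual file format or paths). It assumes the Windows side scp's a file of "user@domain OK" lines to a drop path, that Postfix reads the installed map through relay_recipient_maps, and that the cron job reports with the Nagios plugin exit-code convention (0 OK, 2 CRITICAL); the age limit, file names and the .ack receipt are my choices. Two checks a practitioner would want that the post does not spell out are included: the script refuses a malformed or empty drop (an empty map would make Postfix reject every recipient, which is worse than a stale list), and it installs the map atomically so Postfix never reads a half-written file.

```shell
#!/bin/sh
# Added example, not the poster's script: cron-side half of the AD -> Postfix
# recipient-list sync. Assumptions (mine, not from the thread): the Windows
# side scp's "user@domain OK" lines to $INCOMING; Postfix reads $TARGET via
# relay_recipient_maps; Nagios exit codes are 0 OK / 2 CRITICAL.

INCOMING="${INCOMING:-/var/spool/adsync/valid_recips.new}"   # dropped here by scp
TARGET="${TARGET:-/etc/postfix/valid_recips}"                 # map Postfix reads
MAX_AGE_MIN="${MAX_AGE_MIN:-60}"                              # the "x minutes" limit
POSTMAP="${POSTMAP:-postmap}"                                 # overridable for testing
OK=0; CRITICAL=2

# Seconds since $1 was modified; fails if the file is missing.
# GNU stat (-c) first, BSD/OpenBSD stat (-f) as fallback.
file_age_seconds() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# True when two files have identical content (cksum is POSIX, cmp may be absent).
same_file() { [ "$(cksum < "$1")" = "$(cksum < "$2")" ]; }

# Accept only "local@domain OK" lines (blank lines and # comments allowed),
# and refuse an empty list: an empty map would reject every recipient.
validate_list() {
    if grep -Ev '^[[:space:]]*(#|$)' "$1" \
       | grep -Ev '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+[[:space:]]+OK[[:space:]]*$' \
       | grep -q .; then
        return 1
    fi
    [ "$(grep -Ec '^[A-Za-z0-9._%+-]+@' "$1")" -gt 0 ]
}

# Build the .db from a temp copy, then rename into place so Postfix never
# sees a half-written map. The old map is left untouched on any failure.
install_list() {
    tmp="$TARGET.tmp.$$"
    if ! cp "$INCOMING" "$tmp" || ! "$POSTMAP" "hash:$tmp"; then
        rm -f "$tmp" "$tmp.db"; return 1
    fi
    mv "$tmp.db" "$TARGET.db" && mv "$tmp" "$TARGET"
}

# One cron run: prints a Nagios-style status line and returns its code.
# A stale drop is still installed if it is valid and newer than what we
# have (run on an out-of-date copy rather than none), but it is reported.
sync_recips() {
    age=$(file_age_seconds "$INCOMING") \
        || { echo "CRITICAL: $INCOMING missing, running with current list"; return $CRITICAL; }
    if ! validate_list "$INCOMING"; then
        echo "CRITICAL: $INCOMING malformed or empty, keeping current list"
        return $CRITICAL
    fi
    if [ -f "$TARGET" ] && same_file "$INCOMING" "$TARGET"; then
        status="list unchanged"
    else
        install_list || { echo "CRITICAL: postmap/install of $TARGET failed"; return $CRITICAL; }
        # Receipt the Windows side can fetch for its own "was it picked up?" check
        date -u +%Y-%m-%dT%H:%M:%SZ > "$INCOMING.ack"
        status="installed $(grep -c @ "$TARGET") recipients"
    fi
    if [ "$age" -gt $((MAX_AGE_MIN * 60)) ]; then
        echo "CRITICAL: $status, but $INCOMING is $((age / 60)) min old (limit $MAX_AGE_MIN)"
        return $CRITICAL
    fi
    echo "OK: $status"
    return $OK
}

# Run the check only when invoked from cron with ADSYNC_CRON set, so the
# file can also be sourced for testing without side effects.
if [ -n "$ADSYNC_CRON" ]; then
    sync_recips
    exit $?
fi
```

With a crontab line such as `*/5 * * * * ADSYNC_CRON=1 /usr/local/sbin/sync_recips.sh` and `relay_recipient_maps = hash:/etc/postfix/valid_recips` in main.cf (a typical setting, assumed here rather than quoted from the thread), the exit code and status line can be passed to Nagios through NRPE or whatever check mechanism is already in place. Note the ordering in sync_recips: a valid drop is always installed before the age check, so a Windows script that resumes after an outage repairs the list on the same run that raises the alert.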