Hi Greg,

Nice solution. The key is that the file is SCP'd to the mail server, and not the other way around.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

**Who is John Galt?**

> -----Original Message-----
> From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
> Sent: Tuesday, January 03, 2006 6:37 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
>
> http://www.ISAserver.org
>
> Danny
>
> Why not do what I did instead of lookup ldap directories directly, to
> counter that sort of dependency on another machine for mailflow (you
> know, DC goes down, or some firewall issue prevents connection, and all
> of a sudden we start rejecting mail etc. I didn't want that!)
>
> What I did was write a script that runs on a windows box internally,
> that yoinks all smtp addresses out of the AD for given domain names
> (like all krystaltek.com etc) and compiles a text file which is then
> scp'ed to the postfix box. A cron job on the postfix box picks this up
> and sticks it in the right place (/etc/postfix/valid_recips) and
> postmaps it.
>
> If the scp'ed file is more than x minutes old, the cron job on the
> postfix box complains to us via nagios. Likewise, if the file isn't
> picked up by the cron job, the next time the windows script runs, it
> complains (two processes checking each other is cheap and easy
> redundancy.)
>
> If the whole thing goes to pot, at least the postfix box is just running
> with an out of date copy of the list, rather than no list at all :D
>
>
> Greg Mulholland
> Just because I don't care, doesn't mean I don't understand - Homer Simpson
>
> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Wednesday, January 04, 2006 10:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How I spent my Christmas vacation - Email found in subject
>
> http://www.ISAserver.org
>
> On 1/3/06, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > Hi Danny,
> >
> > We'll have to agree to disagree. As long as you allow LDAP traffic
> > from an anonymous access DMZ to your DC, you're asking for bad things
> > to happen and people like me with ready and willing fingers to point
> > at you.
>
> If you or anyone else on this planet can compromise my hardened and up
> to date OpenBSD SMTP mail gateway running Postfix jailed behind a
> hardened ISA 2004 SP1 server with only SMTP traffic allowed from the
> Internet, then I will switch to your platform riddled with spoofed
> NDRs, DNS clogging, DoS riddled, blacklisting potential, and bandwidth
> wasting system.
>
> > My design is much more secure, hands-on.
>
> Secure to who? You did not answer my question about what threats you are
> attempting to mitigate.
>
> > The NDR issue is a problem with
> > my relay's platform. RFC or not ( and you haven't mentioned which RFC
> > you're referring to)
>
> SMTP RFC821, http://www.faqs.org/rfcs/rfc821.html.
>
> > I'm using security best practices by isolating my low security zone
> > hosts from my highest security zone hosts.
>
> Sure, I agree with the DMZ config, but I simply add in the
> on-demand/scheduled LDAP lookups. Solves your problems and follows your
> "security best practices" as best as possible without limiting
> functionality (provided reliable, efficient, and secure email
> services).
>
> ...D
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> greg@xxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
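The postfix-side half of the scheme Greg describes (age check, install, postmap, complain when stale), written out as an added example; it is not code from the thread. It assumes the incoming path /var/spool/valid_recips/valid_recips.txt, a 30 minute staleness threshold, nagios-style exit codes, and a list of "user@domain OK" lines; it also goes a little beyond the post by stripping Windows line endings and validating the file before it is handed to postmap.

```shell
#!/bin/sh
# Postfix-side cron job for the scheme above (added example, not Greg's
# script): the scp'd recipient list in $INCOMING is age-checked, validated,
# installed as $TARGET and postmapped. Paths, the 30 minute threshold and
# the nagios-style exit codes are assumptions.
INCOMING=${INCOMING:-/var/spool/valid_recips/valid_recips.txt}
TARGET=${TARGET:-/etc/postfix/valid_recips}
MAX_AGE_MIN=${MAX_AGE_MIN:-30}
POSTMAP=${POSTMAP:-postmap}

# Age of FILE in whole minutes (GNU stat, falling back to BSD stat).
file_age_min() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( ($(date +%s) - mtime) / 60 ))
}
# 0 if FILE exists and is younger than MAX_AGE_MIN, 1 otherwise.
is_fresh() { [ -f "$1" ] && [ "$(file_age_min "$1")" -lt "$MAX_AGE_MIN" ]; }

# 0 if FILE is non-empty and every line is blank or "user@domain OK". It
# came from another host over scp, so it is checked, not fed to postmap blindly.
validate_list() {
    [ -s "$1" ] || return 1
    ! grep -Ev '^[[:space:]]*$|^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+[[:space:]]+OK$' "$1" >/dev/null
}

# Install the list and rebuild the map. Returns 2 (nagios CRITICAL) if the
# list is stale or missing, 3 if malformed; either way the old map is kept,
# so postfix runs with an out of date list rather than no list at all.
install_list() {
    if ! is_fresh "$INCOMING"; then
        echo "CRITICAL: $INCOMING missing or older than $MAX_AGE_MIN min" >&2; return 2
    fi
    tr -d '\r' < "$INCOMING" > "$TARGET.tmp"   # list was built on Windows: drop CRs
    if ! validate_list "$TARGET.tmp"; then
        rm -f "$TARGET.tmp"; echo "CRITICAL: $INCOMING has malformed entries" >&2; return 3
    fi
    mv "$TARGET.tmp" "$TARGET" && "$POSTMAP" "$TARGET"
}

# Constructed two-entry sample (no real addresses) for the demo and tests.
write_sample_list() { printf 'alice@example.com OK\r\nbob@example.com OK\r\n' > "$1"; }

case "${1:-}" in
    cron) install_list; exit $? ;;
    demo) DEMO=$(mktemp -d); INCOMING=$DEMO/in.txt; TARGET=$DEMO/valid_recips
          write_sample_list "$INCOMING"
          command -v "$POSTMAP" >/dev/null 2>&1 || POSTMAP=true   # no postfix here
          install_list && echo "installed $(grep -c OK "$TARGET") recipients" ;;
esac
```

Run it as `valid_recips.sh cron` from crontab (nagios picks up the exit code) or `valid_recips.sh demo` to exercise it on the constructed sample in a temp directory.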