Postfix verify type recipient filtering instead of LDAP ?

Unanswered Question
Jul 23rd, 2009

After POC tests, we're abt to deploy M160 + 2xC160 Ironport environment. Recipient filtering seems to be builtin as LDAP based implementation.

We've been using Postfix MTA for years and it has very nice verify feature able to verify SMTP envelope recipient addresses from target SMTP mailbox servers directly using SMTP traffic. Not VRFY feature, but instead basic SMTP talk (EHLO, MAIL FROM, RCPT TO) and based on the response codes 2xx, 5xx from the mailbox server, the frontend Postfix either accepts incoming message from internet or not. Postfix verify caches those queries which is good too. Also if target mailbox server is down, Postfix verify will return 4xx codes since it's not able to verify, if the recipient address was valid or not.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html
http://www.postfix.org/verify.8.html

Is there any chances getting similar recipient verify support for Ironport email appliance?

We tested LDAP and it sure works, but you need to open additional LDAP connection(s) from DMZ located Ironport devices to protected LDAP servers (AD controllers with Global Catalog role in AD environment) with user authentication information, which is not good. Especially, if you are hosting email filtering service and your customers Exchange mail server and AD environment is not close to your Ironport appliances.

Above Postfix verify style needs only that SMTP connection to Exchange/Groupwise/Notes/... SMTP server. Sure that recipient filtering feature must be enabled in that mailbox server as well, so it would be able to response with 2xx or 5xx return code, if the given recipient exists or not. Activating such recipitn filtering in a Exchange mailbox server is easy. By default, Exchange accepts any inbound mail targeted to that email domain namespace (@mydomain.local) that it is hosting.

So in Postfix style, during an incoming SMTP connection and after getting EHLO/HELO, MAIL FROM, RCPT TO information, Postfix MTA verify server opens new SMTP connetion against target SMTP mailbox server, opens dialog as EHLO, MAIL FROM, RCPT TO, and checks the response, that the target mailbox server returns after RCPT TO. Depending on that return code, frontend Postfix MTA either accepts inbound message for the recipient or not. We'd really like to see this kind of feature in Ironport too.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
kyerramr Fri, 07/24/2009 - 03:46

I might not be able to answer all your questions, certainly some pointers.

IronPort LDAP advanced section has options for Cache TTL (default 900sec), You could defn increase this to something that is desirable. Not sure what the max value is but can be found in the user guide.

In regard to sending user authentication information over the network, there is an SSL option LDAPS if the AD server has a valid cert installed.

Hope this helps.

-Kishore

epb_ironport Fri, 07/24/2009 - 20:57

We would also like to see this feature as it would ease integration with some of our legacy systems that don't use LDAP.

We're using 3 C650s (loadbalanced behind F5 LTM6400s) and a M660 in our environment.

mychrislo_ironport Mon, 10/05/2009 - 07:08

One of my (message + MTA) server, that doesn't use Ironport, has an "incoming relay" uses exactly this postfix address verification.

It's kinda "new" to me. Since most recipient verification either done locally from the edge mta or using LDAP backends.

The edge server does not operate by us.

Pretty unique feature, I am sure qmail/sendmail doesn't have that too.

But the postfix readme also says this feature is only suitable for low volume traffic. But low or high is not controllable by us. (spamming, e.g.).

ironport99 Wed, 10/14/2009 - 11:47

The SMTP "Call Ahead" is due for release on the Ironport the 1st half of next year.

mychrislo Mon, 01/25/2010 - 22:57

Sorry to bring up this post again, but still waiting...I am sure I can use the feature.

Actions

This Discussion