Postfix verify type recipient filtering instead of LDAP ?
After POC tests, we're about to deploy an M160 + 2xC160 Ironport environment. Recipient filtering seems to be built in as an LDAP-based implementation.
We've been using the Postfix MTA for years and it has a very nice verify feature able to verify SMTP envelope recipient addresses against the target SMTP mailbox servers directly, using SMTP traffic. Not the VRFY feature, but instead basic SMTP talk (EHLO, MAIL FROM, RCPT TO); based on the response codes (2xx, 5xx) from the mailbox server, the frontend Postfix either accepts the incoming message from the internet or not. Postfix verify caches those queries, which is good too. Also, if the target mailbox server is down, Postfix verify will return 4xx codes, since it's not able to verify whether the recipient address was valid or not.
Is there any chance of getting similar recipient verify support for the Ironport email appliance?
We tested LDAP and it sure works, but you need to open additional LDAP connection(s) from the DMZ-located Ironport devices to the protected LDAP servers (AD controllers with the Global Catalog role in an AD environment) with user authentication information, which is not good. Especially if you are hosting an email filtering service and your customers' Exchange mail servers and AD environments are not close to your Ironport appliances.
The above Postfix verify style needs only that SMTP connection to the Exchange/Groupwise/Notes/... SMTP server. Sure, that recipient filtering feature must be enabled in that mailbox server as well, so it would be able to respond with a 2xx or 5xx return code depending on whether the given recipient exists or not. Activating such recipient filtering in an Exchange mailbox server is easy. By default, Exchange accepts any inbound mail targeted to the email domain namespace (@mydomain.local) that it is hosting.
So in the Postfix style, during an incoming SMTP connection and after getting the EHLO/HELO, MAIL FROM, RCPT TO information, the Postfix MTA verify server opens a new SMTP connection to the target SMTP mailbox server, opens the dialog as EHLO, MAIL FROM, RCPT TO, and checks the response that the target mailbox server returns after RCPT TO. Depending on that return code, the frontend Postfix MTA either accepts the inbound message for the recipient or not. We'd really like to see this kind of feature in Ironport too.
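The dialogue the post describes, as an added example that is not part of the original post and is neither Postfix nor IronPort code: a minimal Python probe that runs EHLO, MAIL FROM, RCPT TO against the mailbox server, maps the RCPT TO reply to accept/reject/defer, and returns defer when the server cannot be reached. The helo name, the null sender and the host/port arguments are assumptions made for the example.

```python
import socket

class VerifyError(Exception):
    """Mailbox server unreachable or misbehaving: the caller must defer (4xx)."""

def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line: '250-...' lines) and return its code."""
    while True:
        line = rfile.readline()
        if len(line) < 3:
            raise VerifyError("connection closed by mailbox server")
        if len(line) < 4 or line[3] != "-":   # "250 text" ends the reply, "250-..." continues it
            return int(line[:3])

def verify_dialogue(rfile, send, helo_name, sender, recipient):
    """Run the probe dialogue on an open connection and return the RCPT TO code.
    rfile yields the server's reply lines; send(text) writes a command to it.
    Like Postfix verify, the probe never sends DATA: after RCPT TO it resets and quits."""
    if read_reply(rfile) // 100 != 2:                     # greeting banner
        raise VerifyError("mailbox server refused the connection")
    for cmd in (f"EHLO {helo_name}", f"MAIL FROM:<{sender}>"):
        send(cmd + "\r\n")
        if read_reply(rfile) // 100 != 2:
            raise VerifyError(f"{cmd.split()[0]} rejected by mailbox server")
    send(f"RCPT TO:<{recipient}>\r\n")
    code = read_reply(rfile)                              # the answer the frontend acts on
    send("RSET\r\n")
    read_reply(rfile)
    send("QUIT\r\n")
    return code

def decide(code):
    """Map the mailbox server's RCPT TO code to the frontend MTA's action."""
    if 200 <= code < 300:
        return "accept"   # recipient exists: take the message from the internet
    if 500 <= code < 600:
        return "reject"   # recipient unknown: reject the RCPT TO on the internet side
    return "defer"        # 4xx or anything odd: answer 4xx so the sender retries later

def verify_recipient(host, port, recipient, sender="", helo_name="verify.example", timeout=10):
    """Probe host:port for recipient and return 'accept', 'reject' or 'defer'.
    The null sender <> and helo_name defaults are constructed for this example."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("r", encoding="latin-1", newline="")
            code = verify_dialogue(rfile, lambda s: sock.sendall(s.encode("ascii")),
                                   helo_name, sender, recipient)
    except (OSError, VerifyError, ValueError):
        return "defer"    # mailbox server down: cannot verify, so 4xx, as Postfix does
    return decide(code)
```

The cache the post praises is not shown; in practice the (recipient, result) pair would be stored with a TTL so repeated RCPT TO checks do not open a new probe connection each time.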
Re: Postfix verify type recipient filtering instead of LDAP ?
I might not be able to answer all your questions, but here are certainly some pointers.
The IronPort LDAP advanced section has options for Cache TTL (default 900 sec). You could definitely increase this to something that is desirable. Not sure what the max value is, but it can be found in the user guide.
In regard to sending user authentication information over the network, there is an SSL option, LDAPS, if the AD server has a valid cert installed.