Problem response query LDAP vs server Lotus/Domino
I have a problem with the LDAP accept query. My LDAP server is a Lotus server and I activated the LDAP accept query on my public listener. Several times I have this message in the LDAP debug log: Critical: LDAP: query LDAP.accept result Query timed out. In the mail log, I have the message: 451 Temporary recipient validation errors. I lost several messages. I observed that the good LDAP queries respond in less than 5 seconds and the others respond in between 6 seconds and 45 seconds or more. I know the solution to my problem is my LDAP server, but can I have other solutions than upgrading the hardware on my server? The performance of this server is deteriorated.
Can I increase the response values on IronPort for the LDAP queries? Or do you have other solutions? If not I will have to disable the LDAP accept on my listener, which is problematic.
When I implement LDAP acceptance at customer sites I crank up the values for both LDAP Cache entries and TTL (Cache Time To Live). My typical rule of thumb is 10x the user count for Cache entries and 1 day for the TTL.
So if you have 2000 users I change the Cache entries from 10,000 to 20,000. I do this for two reasons: 1. the IronPort caches both positive and negative LDAP results, 2. most users have multiple e-mail addresses/aliases.
With regards to the Cache TTL, by default it's set to 15 minutes, which in my opinion might be too aggressive considering the low chance of a "false positive". Basically the only chance of a 1 day TTL causing a problem is if a spammer attempted to send mail to email@example.com (which didn't exist at the time) and then the organization hired (or created an alias for) Joe Blow. At this point the e-mail address is cached as a negative response and the new user wouldn't get mail for up to 24 hours. The chances of this are pretty remote.
This should take the load off the LDAP servers; typically my customers don't even see a performance hit on the LDAP environment with these guidelines.
And as Doc stated you shouldn't "lose" mail with a 451 error, just delay the delivery to the desired end user.
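The cache-sizing and TTL trade-off described in this answer, as an added model that is not part of the thread or of the IronPort product code. It assumes an LRU cache that stores positive and negative lookups for `ttl` seconds; the addresses and timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class CacheEntry:
    exists: bool        # True = positive result, False = cached negative result
    expires_at: float   # absolute time (seconds) after which the entry is stale

class LdapAcceptCache:
    """Constructed model of an LDAP-accept cache (assumption, not the product's code):
    positive and negative lookups are both kept for `ttl` seconds, at most
    `max_entries` at a time, least recently used entry evicted first."""

    def __init__(self, directory, max_entries, ttl):
        self.directory = directory    # set of valid addresses, stands in for the Domino LDAP server
        self.max_entries = max_entries
        self.ttl = ttl
        self.cache = {}               # address -> CacheEntry; dict order doubles as LRU order
        self.backend_queries = 0      # how often the real LDAP server had to be asked

    def accept(self, address, now):
        entry = self.cache.get(address)
        if entry is not None and entry.expires_at > now:
            self.cache[address] = self.cache.pop(address)   # move to most-recently-used position
            return entry.exists
        self.backend_queries += 1                           # miss or expired: query the directory
        exists = address in self.directory
        if address not in self.cache and len(self.cache) >= self.max_entries:
            self.cache.pop(next(iter(self.cache)))          # evict least recently used entry
        self.cache[address] = CacheEntry(exists, now + self.ttl)
        return exists

def recommended_cache_entries(user_count):
    """Rule of thumb from the thread: 10x the user count, because aliases and
    negative results both occupy entries."""
    return 10 * user_count

def new_hire_accepted(ttl, probe_at=0, mail_at=7200):
    """The 'Joe Blow' scenario: a sender probes an address that does not exist yet,
    the org creates it afterwards, then legitimate mail arrives at mail_at.
    Returns whether that mail is accepted, i.e. whether the cached negative expired."""
    directory = set()
    cache = LdapAcceptCache(directory, max_entries=20000, ttl=ttl)
    cache.accept("joe.blow@example.com", probe_at)   # negative result cached (constructed address)
    directory.add("joe.blow@example.com")            # alias created later; the cache is not told
    return cache.accept("joe.blow@example.com", mail_at)

def backend_queries_for(ttl, lookups, max_entries=20000):
    """Count directory round trips for a list of (time, address) lookups."""
    cache = LdapAcceptCache({"alice@example.com"}, max_entries, ttl)
    for when, address in lookups:
        cache.accept(address, when)
    return cache.backend_queries
```

Comparing `backend_queries_for` with the 15-minute default and a 1-day TTL shows how much load the longer TTL removes, while `new_hire_accepted` shows the one case in which the longer TTL delays mail.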
There are two important settings on the Domino side which might be good to check.
1. Make sure your LDAP directory is full text indexed (this is very important to get better response times).
2. Verify that the 'compact' task doesn't lock down the directory. For example, copy style or in-place with file size reduction will lock down the directory from LDAP lookups. I'm using 'compact -b' without problems.
We've started receiving an enormous amount (a few hundred per day) of the following LDAP messages:
"LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server"
When we look at our LDAP server, the response times look okay. On the IronPort side, we are currently set to 30,000 cache entries and a TTL of 36,000 sec. We have approximately 28-30,000 e-mail users.
Our queries haven't changed in quite a while. We upgraded to 5.1.1 approximately a week after these errors started, so we ruled that out as a cause of/help for the problem. Do you see upping our cache entries/TTL numbers helping with this error, as suggested for the other LDAP error? If not, do you have any other suggestions? Thanks.