On Mon, Mar 03, 2008 at 10:20:27AM +0100, Ondrej Valousek wrote:
> That would be a fairly cool thing!
> What I would be a bit concerned about is that in our case the
> milter-greylist is running in de-militarized zone on the MTA. On our LAN
> we have Microsoft AD domain which could be potentially used to store
> greylisting data, but MTA could be potentially compromised and thus
> expose the whole Active Directory to the attacker...

Perhaps you can add another LDAP server on the DMZ that would hold the
mail address config branch, and set up AD so that it talks to it for that
branch?

Alternatively, you can set up LDAP replicas on your MTA. Your AD will push
there the information, filtering out anything you consider sensitive. I am
not sure AD knows how to do that, but at least it's possible with OpenLDAP:
I have local LDAP replicas on each MX, and those do not get userPassword
attributes from the master, for instance.

-- 
Emmanuel Dreyfus
manu@...
Message
Re: [milter-greylist] Recommendation for static ADSL IP's
2008-03-03 by Emmanuel Dreyfus
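
A filtered OpenLDAP replica of the kind described in the message could be configured as below. This is an added example, not configuration from the original message or from the milter-greylist project; every host name, DN, the `ou=mail` branch, the attribute list and the credential placeholder are assumptions.

```conf
# ---- Provider (master on the LAN), slapd.conf fragment ----
# Hypothetical service account used only by the DMZ replica.
# The first matching "by" clause wins, so the replica account is denied
# userPassword even though it binds as an authenticated DN.
access to attrs=userPassword
    by dn.exact="cn=dmz-replica,ou=services,dc=example,dc=com" none
    by self write
    by anonymous auth
    by * none

# ---- Consumer (replica on the MX in the DMZ), slapd.conf fragment ----
# Pull only the mail configuration branch, and only an explicit list of
# attributes. An allowlist (attrs=) means an attribute added to the
# master later is not replicated until it is listed here.
# schemachecking=off lets the replica store partial entries that lack
# attributes the schema would otherwise require.
# credentials is a placeholder; use a secret unique to this replica.
syncrepl rid=001
    provider=ldaps://ldap-master.example.internal
    type=refreshAndPersist
    retry="60 +"
    searchbase="ou=mail,dc=example,dc=com"
    scope=sub
    filter="(objectClass=*)"
    attrs="objectClass,cn,mail"
    schemachecking=off
    bindmethod=simple
    binddn="cn=dmz-replica,ou=services,dc=example,dc=com"
    credentials="REPLACE_WITH_REPLICA_SECRET"
```

The provider-side ACL is the control that holds if the MTA is compromised: the replica's bind credentials sit on that host, so the consumer's own `attrs=` list limits what is copied but not what that account could ask the master for.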