Well, yes, the replicas would solve the problem, indeed - but it is another layer that needs to be managed.

Anyway - just thinking about the whole LDAP thing - would it really be any good? As someone already mentioned, most users actually do not care about the finesses of greylisting - they just assume you would give them a working setup they do not have to touch. Moreover, it would actually be more maintenance - you always risk that some dummy user would misconfigure it and then come back to you crying or complaining.

I would say - the ideal antispam solution is the one end users do not have to touch or know about (i.e. no configuration, no training, ...).

Ondrej

Emmanuel Dreyfus wrote:
> On Mon, Mar 03, 2008 at 10:20:27AM +0100, Ondrej Valousek wrote:
> > That would be a fairly cool thing!
> > What I would be a bit concerned about is that in our case the
> > milter-greylist is running in a de-militarized zone on the MTA. On our LAN
> > we have a Microsoft AD domain which could potentially be used to store
> > greylisting data, but the MTA could potentially be compromised and thus
> > expose the whole Active Directory to the attacker...
>
> Perhaps you can add another LDAP server on the DMZ that would hold the
> mail address config branch, and set up AD so that it talks to it for that
> branch?
>
> Alternatively, you can set up LDAP replicas on your MTA. Your AD will push
> the information there, filtering out anything you consider sensitive. I
> am not sure AD knows how to do that, but at least it's possible with
> OpenLDAP: I have local LDAP replicas on each MX, and those do not get
> userPassword attributes from the master, for instance.
>
> --
> Emmanuel Dreyfus
> manu@...
Re: [milter-greylist] Recommendation for static ADSL IP's
2008-03-03 by Ondrej Valousek
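An added example, not from the list post, showing one way to build the kind of replica Emmanuel describes with OpenLDAP 2.4 syncrepl: the consumer on the DMZ MX pulls only the mail subtree and asks to skip credential attributes, and the internal master's ACL refuses those attributes to the replication account anyway, so a compromised MX cannot simply edit its own config to start receiving password hashes. Hostnames, DNs, the subtree name, the replication account and its credentials are placeholders.

```conf
# ---- Consumer side: slapd.conf on the MX host in the DMZ (assumed layout) ----
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
directory       /var/openldap-data

# Pull only the branch the mail gateway needs from the internal master.
syncrepl rid=001
        provider=ldap://ldap-master.internal.example.org
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=mail,dc=example,dc=org"
        scope=sub
        filter="(objectClass=inetOrgPerson)"
        # Replicate every attribute except the ones listed here.
        exattrs="userPassword,sambaNTPassword,sambaLMPassword"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=org"
        credentials=REPLACE_WITH_REPLICATOR_SECRET
        starttls=critical

# Any write attempt against the replica is referred back to the master.
updateref       ldap://ldap-master.internal.example.org

# ---- Provider side: slapd.conf on the internal master (assumed layout) ----
# The syncprov overlay serves the replication stream.
overlay         syncprov
syncprov-checkpoint 100 10

# Enforce the exclusion where the MX cannot tamper with it: the replication
# account is denied the credential attributes outright, whatever the
# consumer asks for. Users keep their own password access for binds.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=replicator,dc=example,dc=org" none
        by self write
        by anonymous auth
        by * none

# The replication account may read the rest of the mail subtree only.
access to dn.subtree="ou=mail,dc=example,dc=org"
        by dn.exact="cn=replicator,dc=example,dc=org" read
        by users read
        by * none

access to *
        by users read
        by * none
```

The consumer-side exattrs keeps the replica small and is what Emmanuel's description maps to, but it is only a request made by the consumer; the provider ACL is what actually stops the DMZ host from ever receiving a hash. A quick check after the first sync is an ldapsearch against the replica as the directory manager asking explicitly for userPassword: the attribute should be absent from every entry.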