bounce handling

Does the nation know about the virtual gateway for bounce messages?


Erich_ironport
Level 1

Decided to wait until IronPort had conversational LDAPaccept and then the NDR issue is gone, in my opinion. I just want to quit generating post conversational NDRs altogether! :)

Are you concerned about exposing your directory with conversational LDAP accept? It's a real threat. Someone can open a connection, and in 120 seconds have a list of 10,000 valid addresses at your company.

Erich_ironport
Level 1

I am expecting IronPort to implement a form of DHAP (directory harvest attack prevention) to prevent this based on the number of invalid LDAP requests per IP per hour, much like the current post conversational feature.

Basically a limit to the number of LDAPaccept failures per connection and/or a limit to the number of LDAPaccept failures per IP per hour. I would expect to implement a limit like 30 or so per hour. At that point a harvest attack would take quite some time.

Am I off in my thinking here?
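
The per-connection and per-IP-per-hour failure limits proposed in the post above, sketched as an added example (not IronPort's implementation and not code from the thread). The class and method names, the per-connection limit of 5 and the choice to defer every recipient once an IP is over budget are assumptions; 30 per hour is the figure from the post.

```python
from collections import defaultdict, deque


class DhapLimiter:
    """Counts failed recipient lookups per connection and per source IP per hour."""

    def __init__(self, max_per_conn=5, max_per_ip_hour=30, window=3600):
        self.max_per_conn = max_per_conn        # assumed value, not from the thread
        self.max_per_ip_hour = max_per_ip_hour  # "30 or so per hour" from the post
        self.window = window                    # seconds
        self.by_ip = defaultdict(deque)         # ip -> timestamps of failed lookups
        self.by_conn = defaultdict(int)         # (ip, conn_id) -> failures so far

    def _recent(self, ip, now):
        """Drop failures older than the window and return what is left."""
        q = self.by_ip[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def ip_blocked(self, ip, now):
        return len(self._recent(ip, now)) >= self.max_per_ip_hour

    def rcpt(self, ip, conn_id, recipient_valid, now):
        """Decision for one RCPT TO; recipient_valid is the LDAP lookup result."""
        if self.ip_blocked(ip, now):
            # Over budget: answer 4xx for every recipient, valid or not,
            # so the responses stop revealing which addresses exist.
            return "defer"
        if recipient_valid:
            return "accept"
        self._recent(ip, now).append(now)
        self.by_conn[(ip, conn_id)] += 1
        if self.by_conn[(ip, conn_id)] >= self.max_per_conn:
            return "reject-and-close"           # 550, then drop the connection
        return "reject"                         # 550 for this recipient only

    def close(self, ip, conn_id):
        """Forget per-connection state when the SMTP session ends."""
        self.by_conn.pop((ip, conn_id), None)
```
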

Erich_ironport
Level 1

My reason not to use virtual gateways for NDR bounce messages. When you do post conversational bounces you are going to be sending a fairly high level of emails to bogus or spoofed MAIL FROM: addresses (backscatter).

So with a virtual gateway you can route these out a dedicated IP address for NDRs.

My beef is using virtual gateways for your NDR bounce solution just hides the problem of lack of conversational bounces. You will still be sending a lot of backscatter garbage out, just now you don't really care if it gets blacklisted. If you don't care if it gets blacklisted why send them at all?

I should really not be the one standing on this soapbox... Yes, I have been responsible for an insane amount of misdirected/garbage NDRs, I'm trying to recover from this :)

Don't get me wrong, I think virtual gateways are cool, just not as an NDR solution. They are great for multiple domains, marketing, etc.