03-19-2019 05:42 AM
Hello, is the following an option:
- We use LDAP for recipient validation (the RAT contains our specific domains to validate). So whenever an external mail arrives at the ESA (for one of those domains) we do a recipient check against an LDAP server. This works fine. The default action is set to temporarily refuse mail when the LDAP server is unavailable.
We want a fallback scenario where we can use SMTP call-ahead if the LDAP server is unavailable (so not to let all mail in, but still do a recipient check based on call-ahead).
Tried this one but it seems not to work (created an SMTP call-ahead profile, assigned it to the public listener etc., then renamed the LDAP server DNS name to something which doesn't exist) … but mails got rejected:
Tue Mar 19 13:31:03 2019 Critical: LDAP: query DNS result DNS Hard Error looking up x.x.x.x (A): NXDomain
Tue Mar 19 13:31:26 2019 Critical: LDAP: query XXX-shared-LDAP_LDAPS.accept result LDAP server misconfigured or unreachable
I also tried setting the LDAP query to allow mail in when LDAP is unreachable. Same behaviour when I rename the LDAP server.
So is this a working solution: LDAP recipient validation with failover to SMTP call-ahead?
Regs
03-22-2019 08:40 AM
No.
RAT is checked first.
LDAP acceptance supplements this.
Then SMTP call-ahead is performed.
So leave working LDAP setup that accepts mail when LDAP not available.
Turn off LDAP server, then see what happens.
But ultimately SMTP Call-ahead is going to be used all the time with LDAP accept, not only when LDAP fails.
What I don't know - you could try - is what the default behavior for LDAP accept in the Workqueue is when LDAP is not available.
If this is to allow mail to be delivered, then you can perform SMTP call-ahead first, then the LDAP query in the Workqueue.
If you don't have multiple mail systems / LDAP directories, you will probably be getting the same acceptance results.
So you may want to make a judgement call on which option to use.
I used SMTP call-ahead with LDAP to solve a rather complex multi-mail system deployment where not all recipients were available in LDAP.
I also have not done an intensive load comparison between SMTP call-ahead and LDAP acceptance to see how this affects general message processing duration, CPU and ultimately workqueue throughput. You may need to consider the impact, especially in a DR scenario.
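To make the ordering argument in the reply above concrete, here is an added model of the recipient-acceptance pipeline it describes (RAT, then LDAP accept, then SMTP call-ahead). This is illustration code written for this thread, not Cisco ESA code: the stage order and the two LDAP-unreachable actions come from the thread, while the class names, hostnames, the in-memory LDAP and SMTP stand-ins and the sample users are assumptions constructed for the example. It shows why, with the default "temp-fail when LDAP is unreachable" action, a call-ahead profile is never consulted, and why with "accept when unreachable" the call-ahead still rejects unknown recipients.

```python
"""Model of the ESA acceptance order described in the reply: RAT -> LDAP accept
-> SMTP call-ahead. Added illustration, not Cisco code; servers are in-memory
stand-ins and all names/hosts are assumptions made for the example."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    """SMTP reply class the listener answers to a RCPT TO."""
    ACCEPT = "250"
    REJECT = "550"
    TEMPFAIL = "451"


class LdapUnavailable(Exception):
    """LDAP server unreachable (the situation tested in the question)."""


class FakeLdap:
    """Constructed stand-in for the LDAP accept query."""
    def __init__(self, users, reachable=True):
        self.users = {u.lower() for u in users}
        self.reachable = reachable

    def recipient_exists(self, rcpt: str) -> bool:
        if not self.reachable:
            raise LdapUnavailable(rcpt)
        return rcpt.lower() in self.users


class FakeSmtpServer:
    """Constructed stand-in for the downstream mail server a call-ahead profile probes."""
    def __init__(self, users, reachable=True):
        self.users = {u.lower() for u in users}
        self.reachable = reachable

    def command(self, line: str) -> str:
        if not self.reachable:
            raise ConnectionRefusedError(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 mx.example.test"
        if verb == "MAIL":
            return "250 2.1.0 OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ").lower()
            return "250 2.1.5 OK" if rcpt in self.users else "550 5.1.1 User unknown"
        if verb == "RSET":
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def smtp_call_ahead(server: FakeSmtpServer, rcpt: str, transcript=None) -> Verdict:
    """Probe the way a call-ahead profile does: EHLO, null-sender MAIL FROM, RCPT TO,
    then RSET/QUIT so nothing is delivered. Only the RCPT reply decides the verdict:
    2xx accept, 5xx reject, anything else (4xx or no connection) temp-fail."""
    verdict = Verdict.TEMPFAIL
    try:
        for line in ("EHLO esa.example.test", "MAIL FROM:<>",
                     f"RCPT TO:<{rcpt}>", "RSET", "QUIT"):
            reply = server.command(line)
            if transcript is not None:
                transcript.append((line, reply))
            if line.startswith("RCPT"):
                verdict = {"2": Verdict.ACCEPT, "5": Verdict.REJECT}.get(reply[:1], Verdict.TEMPFAIL)
    except ConnectionRefusedError:
        return Verdict.TEMPFAIL
    return verdict


@dataclass
class Listener:
    """Public listener: RAT domains, LDAP accept query with its unreachable action,
    and an optional SMTP call-ahead profile."""
    rat_domains: set
    ldap: FakeLdap
    ldap_unreachable_action: Verdict          # TEMPFAIL is the default named in the question
    call_ahead: Optional[FakeSmtpServer] = None

    def accept_recipient(self, rcpt: str):
        """Return (verdict, stage that decided), evaluated in the order the reply gives."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in self.rat_domains:
            return Verdict.REJECT, "RAT"
        try:
            if not self.ldap.recipient_exists(rcpt):
                return Verdict.REJECT, "LDAP"
        except LdapUnavailable:
            # With the default action the check ends here; call-ahead is never consulted.
            if self.ldap_unreachable_action is not Verdict.ACCEPT:
                return self.ldap_unreachable_action, "LDAP unreachable"
        if self.call_ahead is not None:
            verdict = smtp_call_ahead(self.call_ahead, rcpt)
            if verdict is not Verdict.ACCEPT:
                return verdict, "SMTP call-ahead"
        return Verdict.ACCEPT, "accepted"


def run_scenarios():
    """The situations discussed in the thread, with constructed sample data."""
    users = {"alice@example.test"}
    rat, backend = {"example.test"}, FakeSmtpServer(users)
    out = {}
    up = Listener(rat, FakeLdap(users), Verdict.TEMPFAIL, backend)
    out["ldap_up_unknown"] = up.accept_recipient("mallory@example.test")
    down_default = Listener(rat, FakeLdap(users, reachable=False), Verdict.TEMPFAIL, backend)
    out["ldap_down_default"] = down_default.accept_recipient("alice@example.test")
    down_accept = Listener(rat, FakeLdap(users, reachable=False), Verdict.ACCEPT, backend)
    out["ldap_down_accept_known"] = down_accept.accept_recipient("alice@example.test")
    out["ldap_down_accept_unknown"] = down_accept.accept_recipient("mallory@example.test")
    out["not_in_rat"] = down_accept.accept_recipient("alice@other.test")
    return out


if __name__ == "__main__":
    for name, (verdict, stage) in run_scenarios().items():
        print(f"{name:26} {verdict.value} ({stage})")
```

The `ldap_down_default` case is the one the question describes: the LDAP stage answers with a temporary failure and the call-ahead stage is never reached, so the fallback cannot trigger. Whether the real appliance then lets the call-ahead run when the unreachable action is set to accept is exactly the point the reply says should be tested against a switched-off LDAP server; the model only encodes the ordering.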