Whitelisting has other issues as well for a company. It's a built-in issue of not knowing which customer is trying to contact you ahead of time and having that address or domain whitelisted. In order for any blocking to work properly without losing valid email from clients/customers, you have to be very accurate and in most instances ahead of the request. That presents a problem that does not have a valid technology solution in my mind.
You can tell I'm not a fan of whitelisting as well ;)

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 10:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]

Ours was a bit more, um, manual than that. And there were 2 groups (Exchange admins and Unix admins) dealing with it. We didn't have a single point of contact for fixing this kind of thing. Not to mention, the whitelist was 8000+ lines for 3500 users.

I'm really just not a fan of whitelisting inbound. I like the idea of doing it with the LDAP routing, but that's just me.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 9:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
>
> What sort of problems did you have with whitelist management?
> I'd be interested to know because we have recently introduced this
> type of whitelisting here.
>
> We have around 15,000 mail users and send any whitelist updates to the
> mail relays every 2 hours. So far we haven't come across any issues
> with this.
>
> Tony
>
> ---------- Original Message ----------------------------------
> Wrom: MQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
> Reply-To: [EMAIL PROTECTED]
> Date: Mon, 12 Jan 2004 06:28:22 -0800
>
> Not necessarily.
>
> If this is a big enough deal to warrant the work, you could do a one-way
> sync out to something like OpenLDAP (http://www.openldap.org) and use
> it - replicating only the desired data there.
>
> Trust me, when we had whitelists on our external relays, there was no
> end to the problems and issues we had with inbound mail, and we only
> had 3500 people at the time. I'd think something like this is worth
> the effort if you really want to reject prior to acceptance.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > Wrom: CJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUF
> > Sent: Monday, January 12, 2004 9:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> >
> > The only downside with this option is that it usually means you need
> > to expose your production AD DCs to servers in the DMZ. Even if you
> > batten down the ports through your firewall, use IPSec, etc. it still
> > means there is a route through to your DCs.
> >
> > Tony
> >
> > ---------- Original Message ----------------------------------
> > Wrom: OKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSCRTN
> > Reply-To: [EMAIL PROTECTED]
> > Date: Mon, 12 Jan 2004 05:19:17 -0800
> >
> > You might want to look at another option. Depending on the mail
> > transfer agent you're using at the relays, many can do LDAP
> > verification "live" off AD. Sendmail can do it, and I believe
> > postfix and others can as well.
> >
> > Having worked in an environment in which we had to keep white and
> > black lists up to date - at its worst, it was 3500 users and more or
> > less constantly out of date. I'd strongly suggest you look at a
> > different way to do it.
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > -----Original Message-----
> > Wrom: HGSWZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUI
> > Sent: Saturday, January 10, 2004 10:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> >
> > I'm going to find out real soon if it meets requirements or not. :-)
> > Thanks for taking the time, Joe. Basically we're trying to create
> > blacklists and whitelists for email filters based on email address
> > to make sure a user of x company does not have email parsed through
> > various stages.
> >
> > One question... does adfind actually pull each value from the
> > proxyAddresses field and match up to the parameter you've specified
> > (e.g. the SMTP:*)... ?
> >
> > Thanks again!
> >
> > -m
> >
> > _____
> >
> > Wrom: VOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLE
> > [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> > Sent: Saturday, January 10, 2004 7:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve
> >
> > I will probably get dunned for the use of perl (except by Robbie and
> > Richard) but....
> >
> > If this is a one-off thing, i.e. not a regular process and you just
> > want to grab some data, here is a quick and dirty solution. This is a
> > joeware whip-it-up-on-the-spot special for you.... no charge. :op
> >
> > __START SCRIPT__
> > # query a GC for every object with mail and an SMTP proxyaddress; dump to a file
> > `adfind -t 50000 -gc -b -f \"(&(mail=*)(proxyaddresses=SMTP:*))\" mail proxyaddresses >tempfile.txt`;
> > open fh,"<tempfile.txt" or die "tempfile.txt: $!";
> > %uniqueemail=();
> > %ciuniqueemail=();
> > foreach $thisline (<fh>) {
> >   # any "attr: something@something" line; keep what follows the last ": "
> >   if ($thisline=~/.+: *(.+@.+)/) {
> >     $uniqueemail{$1}=1;
> >     $ciuniqueemail{lc($1)}=1;
> >   }
> > }
> >
> > print "\n\nUnique Email Addresses\n";
> > map {print "$_\n"} sort keys %uniqueemail;
> >
> > print "\n\nCase Insensitive Unique Email Addresses\n";
> > map {print "$_\n"} sort keys %ciuniqueemail;
> > __END SCRIPT__
> >
> > It uses adfind (www.joeware.net <http://www.joeware.net> on the
> > free win32 tools page) to query a global catalog to get all of the
> > objects with either mail attribute populated OR SMTP starting one of
> > the values in proxyaddresses and also retrieves those attributes. It
> > sends this to a file both because I don't know how big your forest
> > is and your memory in your pc is. If you have something smaller for
> > a forest or a big box you can pull straight into memory with
> >
> > @output=`adfind -t 50000 -gc -b -f \"(&(mail=*)(proxyaddresses=SMTP:*))\" mail proxyaddresses`;
> >
> > Also the base is nothing which means search the entire directory; if
> > you wanted a single domain you could set the -b parameter to some value
> > like dc=child1,dc=domain,dc=com.
> >
> > It also will give you two hashes of unique IDs. One is case
> > sensitive, one is case insensitive. Shouldn't matter and I
> > personally would do everything case insensitive but not sure exactly
> > what you are looking for so did it both ways. If you want case
> > insensitive, kill any line with uniqueemail in it and leave the
> > lines with ciuniqueemail in it.
> >
> > ex:
> >
> > __START SCRIPT__
> > `adfind -t 50000 -gc -b -f \"(&(mail=*)(proxyaddresses=SMTP:*))\" mail proxyaddresses >tempfile.txt`;
> > open fh,"<tempfile.txt" or die "tempfile.txt: $!";
> > %ciuniqueemail=();
> > foreach $thisline (<fh>) {
> >   if ($thisline=~/.+: *(.+@.+)/) { $ciuniqueemail{lc($1)}=1 }
> > }
> > print "\n\nCase Insensitive Unique Email Addresses\n";
> > map {print "$_\n"} sort keys %ciuniqueemail;
> > __END SCRIPT__
> >
> > Oh one quick thing, I hate it when I don't easily see what a regular
> > expression is doing so the regex above ($thisline=~/.+: *(.+@.+)/)
> > breaks down like this
> >
> > $thisline=~/.+: *(.+)/
> >
> > $thisline=~        Take the $thisline variable and run a match against it....
> > /.+: *(.+@.+)/     This is the match. Match any line that has a : and an @ sign
> >                    in it. On a match take the info following the : or a : with
> >                    a trailing space and save it.
> >
> > This will match any of the following lines:
> >
> > >mail: [EMAIL PROTECTED]
> > >proxyaddresses: SMTP:[EMAIL PROTECTED]
> > >proxyaddresses: smtp:[EMAIL PROTECTED]
> >
> > and save the email address piece in the variable $1.
> >
> > If you need to match up the dn to the email addresses this gets more
> > involved but is still pretty easy. The following script will create
> > a semicolon-delimited list with the DN as the first field and all
> > other fields email addresses for the specified dn.
> >
> > __START SCRIPT__
> > `adfind -t 50000 -gc -b -f \"(&(mail=*)(proxyaddresses=SMTP:*))\" mail proxyaddresses >tempfile.txt`;
> > open fh,"<tempfile.txt" or die "tempfile.txt: $!";
> > %ciuniqueemail=();
> > foreach $thisline (<fh>) {
> >   # a "dn:" line starts a new object; remember it as the current key
> >   if ($thisline=~/dn:(.+)/) { $cdn=lc($1) }
> >   # every address line after that belongs to the current dn
> >   if ($thisline=~/.+: *(.+@.+)/) { $ciuniqueemail{$cdn}{lc($1)}=1 }
> > }
> >
> > print "\n\nCase Insensitive Unique Email Addresses\n";
> > foreach $dn (sort keys %ciuniqueemail) {
> >   print "$dn;";
> >   map {print "$_;"} sort keys %{$ciuniqueemail{$dn}};
> >   print "\n";
> > }
> > __END SCRIPT__
> >
> > want to match to display names or whatever else instead? Simply add the
> > field to the search and change the line picking out the current
> > "key". I really like dn as that is guaranteed unique in a forest,
> > anything else and you need to scope your search better to avoid
> > non-unique hits which would skew the output incorrectly.
> >
> > Does that meet the requirements?
> >
> > joe
> >
> > _____
> >
> > Wrom: JGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZX
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Friday, January 09, 2004 2:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] ldifde and/or csdve
> >
> > I'm hoping someone on here might be able to help me. I have a request
> > to create a file that contains all my users' smtp addresses. I'm
> > running in an AD Windows 2000 environment. I need to ensure that the
> > list contains all addresses for each person. I.e. in some cases the
> > same person might have three different smtp addresses for whatever
> > reason. I've done some csvde commands such as:
> >
> > Csvde -f GAlSync.csv -d "OU=Contacts,OU=whatever,DC=CORP,DC=companyname,DC=com"
> >
> > Which generates me a csv with the data in it but the cleanup to get
> > to just the smtp addy's will be almost unbearable. Does anyone
> > happen to know a better way to get just those smtp addy's out of
> > there?
> >
> > Thanks,
> >
> > Travis
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
