So really, this is just recipient validation then? That makes it a different ball game altogether. Then all the gateway machine has to have is information to make it a smarthost without the complicated routing, right?
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 12:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]

We're talking what I'd call reverse whitelisting (or more appropriately recipient whitelisting) - in other words checking email validity at the borders prior to acceptance for delivery.

For instance, currently my external relays accept mail for [EMAIL PROTECTED], which is passed inbound through a virus gateway then to Exchange, which is where the validity of the address is first tested.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Minus the relaying hacks, obviously

> -----Original Message-----
> From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 12:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
>
> Whitelisting has other issues as well for a company. It's a built in
> issue of not knowing which customer is trying to contact you ahead of
> time and having that address or domain whitelisted.
> In order for any blocking to work properly without losing valid email
> from clients/customers, you have to be very accurate and in most
> instances ahead of the request. That provides a problem that does not
> have a valid technology solution in my mind.
>
> You can tell I'm not a fan of whitelisting as well ;)
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 10:27 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
>
> Ours was a bit more um, manual than that. And there were 2 groups
> (Exchange admins and Unix admins) dealing with it. We didn't have a
> single point of contact for fixing this kind of thing.
>
> Not to mention, the whitelist was 8000+ lines for 3500 users.
>
> I'm really just not a fan of whitelisting inbound. I like the idea of
> doing it with the LDAP routing, but that's just me.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 9:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> >
> > What sort of problems did you have with whitelist management?
> > I'd be interested to know because we have recently introduced this
> > type of whitelisting here.
> >
> > We have around 15,000 mail users and send any whitelist updates to the
> > mail relays every 2 hours. So far we haven't come across any issues
> > with this.
> >
> > Tony
> > ---------- Original Message ----------------------------------
> > Wrom: MQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
> > Reply-To: [EMAIL PROTECTED]
> > Date: Mon, 12 Jan 2004 06:28:22 -0800
> >
> > Not necessarily.
> >
> > If this is a big enough deal to warrant the work, you could do one way
> > sync out to something like openldap (http://www.openldap.org) and use
> > it - replicating only the desired data there.
> >
> > Trust me, when we had whitelists on our external relays, there was no
> > end to the problems and issues we had with inbound mail, and we only
> > had 3500 people at the time. I'd think something like this is worth
> > the effort if you really want to reject prior to acceptance.
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > Wrom: CJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUF
> > > Sent: Monday, January 12, 2004 9:08 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > >
> > > The only downside with this option is that it usually means you need
> > > to expose your production AD DCs to servers in the DMZ. Even if you
> > > batten down the ports through your firewall, use IPSec, etc. it still
> > > means there is a route through to your DCs.
> > >
> > > Tony
> > >
> > > ---------- Original Message ----------------------------------
> > > Wrom: OKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSCRTN
> > > Reply-To: [EMAIL PROTECTED]
> > > Date: Mon, 12 Jan 2004 05:19:17 -0800
> > >
> > > You might want to look at another option. Depending on the mail
> > > transfer agent you're using at the relays, many can do LDAP
> > > verification "live" off AD. Sendmail can do it, and I believe
> > > postfix and others can as well.
> > >
> > > Having worked in an environment in which we had to keep white and
> > > black lists up to date - at its worst, it was 3500 users and more or
> > > less constantly out of date. I'd strongly suggest you look at a
> > > different way to do it.
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > -----Original Message-----
> > > Wrom: HGSWZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUI
> > > Sent: Saturday, January 10, 2004 10:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > >
> > > I'm going to find out real soon if it meets requirements or not. :-)
> > > Thanks for taking the time, Joe. Basically we're trying to create
> > > blacklists and whitelists for email filters based on email address
> > > to make sure user of x company does not have email parsed through
> > > various stages.
> > >
> > > One question...
> > > does adfind actually pull each value from the
> > > proxyAddresses field and match up to the parameter you've specified
> > > (e.g. the SMTP:*)... ?
> > > Thanks again!
> > >
> > > -m
> > >
> > > _____
> > >
> > > Wrom: VOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLE
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> > > Sent: Saturday, January 10, 2004 7:31 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > >
> > > I will probably get dunned for the use of perl (except by Robbie and
> > > Richard) but....
> > >
> > > If this is a one off thing, i.e. not a regular process and you just
> > > want to grab some data here is a quick and dirty solution. This is a
> > > joeware whip it up on the spot special for you.... no charge. :op
> > >
> > > __START SCRIPT__
> > > # Dump mail and proxyaddresses from a global catalog to a temp file
> > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > open fh,"<tempfile.txt";
> > > %uniqueemail=();
> > > %ciuniqueemail=();
> > > foreach $thisline (<fh>) {
> > >   if ($thisline=~/.+: *([EMAIL PROTECTED])/)
> > >   {
> > >     $uniqueemail{$1}=1;        # case sensitive
> > >     $ciuniqueemail{lc($1)}=1;  # case insensitive
> > >   }
> > > }
> > >
> > > print "\n\nUnique Email Addresses\n";
> > > map {print "$_\n"} sort keys %uniqueemail;
> > >
> > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > map {print "$_\n"} sort keys %ciuniqueemail;
> > > __END SCRIPT__
> > >
> > > It uses adfind (www.joeware.net on the
> > > free win32 tools page) to query a global catalog to get all of the
> > > objects with either mail attribute populated OR SMTP starting one of
> > > the values in proxyaddresses and also retrieves those attributes. It
> > > sends this to a file both because I don't know how big your forest
> > > is and your memory in your pc is.
> > > If you have something smaller for
> > > a forest or a big box you can pull straight into memory with
> > >
> > > @output=`adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses`;
> > >
> > > Also the base is nothing which means search the entire directory, if
> > > you wanted a single domain you could set -b parameter to some value
> > > like dc=child1,dc=domain,dc=com.
> > >
> > > It also will give you two hashes of unique IDs. One is case
> > > sensitive, one is case insensitive. Shouldn't matter and I
> > > personally would do everything case insensitive but not sure exactly
> > > what you are looking for so did it both ways. If you want case
> > > insensitive, kill any line with uniqueemail in it and leave the
> > > lines with ciuniqueemail in it.
> > >
> > > ex:
> > >
> > > __START SCRIPT__
> > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > open fh,"<tempfile.txt";
> > > %ciuniqueemail=();
> > > foreach $thisline (<fh>) {
> > >   if ($thisline=~/.+: *([EMAIL PROTECTED])/) {$ciuniqueemail{lc($1)}=1}
> > > };
> > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > map {print "$_\n"} sort keys %ciuniqueemail;
> > > __END SCRIPT__
> > >
> > > Oh one quick thing, I hate it when I don't easily see what a regular
> > > expression is doing so the regex above ($thisline=~/.+: *([EMAIL PROTECTED])/)
> > > breaks down like this
> > >
> > > $thisline=~/.+: *(.+)/
> > >
> > > $thisline=~
> > >     Take the $thisline variable and run a match against it....
> > > /.+: *([EMAIL PROTECTED])/
> > >     This is the match. Match any line that has a : and an @ sign in it.
> > >     On a match take the info following the : or a : with a trailing
> > >     space and save it.
> > >
> > > This will match any of the following lines:
> > >
> > > >mail: [EMAIL PROTECTED]
> > > >proxyaddresses: SMTP:[EMAIL PROTECTED]
> > > >proxyaddresses: smtp:[EMAIL PROTECTED]
> > >
> > > and save the email address piece in the variable $1.
> > >
> > > If you need to match up the dn to the email addresses this gets more
> > > involved but is still pretty easy. The following script will create
> > > a semi colon delimited list with the DN as the first field and all
> > > other fields email addresses for the specified dn.
> > >
> > > __START SCRIPT__
> > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > open fh,"<tempfile.txt";
> > > %ciuniqueemail=();
> > > foreach $thisline (<fh>) {
> > >   # Remember the most recent dn so addresses can be filed under it
> > >   if ($thisline=~/dn:(.+)/) {$cdn=lc($1)};
> > >   if ($thisline=~/.+: *([EMAIL PROTECTED])/) {$ciuniqueemail{$cdn}{lc($1)}=1; }
> > > }
> > >
> > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > foreach $dn (sort keys %ciuniqueemail) {
> > >   print "$dn;";
> > >   map {print "$_;"} sort keys %{$ciuniqueemail{$dn}};
> > >   print "\n";
> > > }
> > > __END SCRIPT__
> > >
> > > want to match to display names or whatever else instead?
> > > Simply add the field to the search and change the line picking out
> > > the current "key". I really like dn as that is guaranteed unique in
> > > a forest, anything else and you need to scope your search better to
> > > avoid non-unique hits which would skew the output incorrectly.
> > >
> > > Does that meet the requirements?
> > >
> > > joe
> > >
> > > _____
> > >
> > > Wrom: JGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZX
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Friday, January 09, 2004 2:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] ldifde and/or csdve
> > >
> > > I'm hoping someone on here
> > > might be able to help me. I have a request to create a file that
> > > contains all my users' smtp addresses. I'm running in an AD windows
> > > 2000 environment. I need to ensure that the list contains all
> > > addresses for each person. I.e. in some cases the same person might
> > > have three different smtp addresses for whatever reason. I've done
> > > some csdve commands such as:
> > >
> > > Csvde -f GAlSync.csv -d "OU=Contacts,OU=whatever,DC=CORP,DC=companyname,DC=com"
> > >
> > > Which generates me a csv with the data in it but the cleanup to get
> > > to just the smtp addy's will be almost unbearable. Does anyone
> > > happen to know a better way to get just those smtp addy's out of
> > > there?
> > >
> > > Thanks,
> > >
> > > Travis
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
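
The extraction discussed in the thread, as an added Python example (not code from any of the posters): it parses adfind-style `dn:` / `>mail:` / `>proxyAddresses:` lines into a case-insensitive set of SMTP addresses per DN, then produces a recipient table a border relay could use to reject unknown recipients before acceptance. The sample data, the function names and the `address OK` table layout (the form Postfix lookup tables accept) are assumptions.

```python
import re

# Constructed sample of adfind-style output; names and addresses are made up.
SAMPLE = """\
dn:CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com
>mail: Alice@Example.com
>proxyAddresses: SMTP:Alice@Example.com
>proxyAddresses: smtp:a.example@example.com
>proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn:CN=Bob Sample,OU=Staff,DC=corp,DC=example,DC=com
>mail: bob@example.com
>proxyAddresses: smtp:bob@example.com
"""

# Attribute line: optional ">" prefix, attribute name, then the value.
ATTR = re.compile(r"^>?\s*(mail|proxyaddresses):\s*(.+?)\s*$", re.I)
ADDR = re.compile(r"^[^@\s:;]+@[^@\s:;]+$")  # exactly one "@", no spaces

def parse_recipients(text):
    """Return {lowercased dn: set of lowercased SMTP addresses}."""
    by_dn, dn = {}, None
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
            by_dn.setdefault(dn, set())
            continue
        m = ATTR.match(line)
        if not m or dn is None:
            continue
        attr, value = m.group(1).lower(), m.group(2)
        if attr == "proxyaddresses":
            prefix, _, value = value.partition(":")
            if prefix.lower() != "smtp":  # skip X400 and other address types
                continue
        if ADDR.match(value):
            by_dn[dn].add(value.lower())
    return by_dn

def relay_recipient_table(by_dn):
    """Sorted, de-duplicated 'address OK' lines for a relay lookup table."""
    return [f"{a} OK" for a in sorted(set().union(*by_dn.values()))]

def is_valid_recipient(rcpt, by_dn):
    """Border check: accept only addresses present in the directory export."""
    return any(rcpt.strip().lower() in addrs for addrs in by_dn.values())

if __name__ == "__main__":
    print("\n".join(relay_recipient_table(parse_recipients(SAMPLE))))
```

Exporting a flat table to the relays keeps the DMZ hosts from needing a route to production DCs, at the cost of the table being only as fresh as the last export.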
