Yup - just inbound recipient validation.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 1:25 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
>
>
> So really, this is just recipient validation then?
>
> That makes it a different ball game altogether. Then all the gateway
> machine has to have is information to make it a smarthost without the
> complicated routing, right?
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 12:40 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
>
> We're talking what I'd call reverse whitelisting (or more appropriately
> recipient whitelisting) - in other words checking email validity at the
> borders prior to acceptance for delivery.
>
> For instance, currently my external relays accept mail for [EMAIL PROTECTED],
> which is passed inbound through a virus gateway then to Exchange, which is
> where the validity of the address is first tested.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> [1] Minus the relaying hacks, obviously
>
>
> > -----Original Message-----
> > From: Mulnick, Al [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 12:11 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> >
> >
> > Whitelisting has other issues as well for a company. It's a built in
> > issue of not knowing which customer is trying to contact you ahead of
> > time and having that address or domain whitelisted.
> > In order for any blocking to work properly without losing valid email
> > from clients/customers, you have to be very accurate and in most
> > instances ahead of the request. That provides a problem that does not
> > have a valid technology solution in my mind.
> >
> > You can tell I'm not a fan of whitelisting as well ;)
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 10:27 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> >
> > Ours was a bit more um, manual than that. And there were 2 groups
> > (Exchange admins and Unix admins) dealing with it. We didn't have a
> > single point of contact for fixing this kind of thing.
> >
> > Not to mention, the whitelist was 8000+ lines for 3500 users.
> >
> > I'm really just not a fan of whitelisting inbound. I like the idea of
> > doing it with the LDAP routing, but that's just me.
> >
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> >
> > > -----Original Message-----
> > > From: Tony Murray [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 9:52 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] ldifde and/or csdve [drifting slightly OT]
> > >
> > >
> > > What sort of problems did you have with whitelist management?
> > > I'd be interested to know because we have recently introduced this
> > > type of whitelisting here.
> > >
> > > We have around 15,000 mail users and send any whitelist updates to the
> > > mail relays every 2 hours. So far we haven't come across any issues
> > > with this.
> > >
> > > Tony
> > > ---------- Original Message ----------------------------------
> > > Wrom: MQZUIVOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLEJGDGV
> > > Reply-To: [EMAIL PROTECTED]
> > > Date: Mon, 12 Jan 2004 06:28:22 -0800
> > >
> > > Not necessarily.
> > >
> > > If this is a big enough deal to warrant the work, you could do one way
> > > sync out to something like openldap (http://www.openldap.org) and use
> > > it - replicating only the desired data there.
> > >
> > > Trust me, when we had whitelists on our external relays, there was no
> > > end to the problems and issues we had with inbound mail, and we only
> > > had 3500 people at the time. I'd think something like this is worth
> > > the effort if you really want to reject prior to acceptance.
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > >
> > > > -----Original Message-----
> > > > Wrom: CJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLSZLKBRNVWWCUF
> > > > Sent: Monday, January 12, 2004 9:08 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > > >
> > > >
> > > > The only downside with this option is that it usually means you need
> > > > to expose your production AD DCs to servers in the DMZ. Even if you
> > > > batten down the ports through your firewall, use IPSec, etc. it still
> > > > means there is a route through to your DCs.
> > > >
> > > > Tony
> > > >
> > > > ---------- Original Message ----------------------------------
> > > > Wrom: OKSTTZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSCRTN
> > > > Reply-To: [EMAIL PROTECTED]
> > > > Date: Mon, 12 Jan 2004 05:19:17 -0800
> > > >
> > > > You might want to look at another option. Depending on the mail
> > > > transfer agent you're using at the relays, many can do LDAP
> > > > verification "live" off AD. Sendmail can do it, and I believe
> > > > postfix and others can as well.
> > > >
> > > > Having worked in an environment in which we had to keep white and
> > > > black lists up to date - at its worst, it was 3500 users and more or
> > > > less constantly out of date. I'd strongly suggest you look at a
> > > > different way to do it.
> > > >
> > > > Roger
> > > > --------------------------------------------------------------
> > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > Sr. Systems Administrator
> > > > Inovis Inc.
> > > >
> > > > -----Original Message-----
> > > > Wrom: HGSWZIDREXCAXZOWCONEUQZAAFXISHJEXXIMQZUI
> > > > Sent: Saturday, January 10, 2004 10:20 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > > >
> > > >
> > > > I'm going to find out real soon if it meets requirements or not. :-)
> > > > Thanks for taking the time, Joe. Basically we're trying to create
> > > > blacklists and whitelists for email filters based on email address
> > > > to make sure user of x company does not have email parsed through
> > > > various stages.
> > > >
> > > > One question... does adfind actually pull each value from the
> > > > proxyAddresses field and match up to the parameter you've specified
> > > > (e.g. the SMTP:*)... ?
> > > > Thanks again!
> > > >
> > > > -m
> > > >
> > > >
> > > > _____
> > > >
> > > > Wrom: VOTQNQEMSFDULHPQQWOYIYZUNNYCGPKYLE
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> > > > Sent: Saturday, January 10, 2004 7:31 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] ldifde and/or csdve
> > > >
> > > > I will probably get dunned for the use of perl (except by Robbie and
> > > > Richard) but....
> > > >
> > > > If this is a one off thing, i.e. not a regular process and you just
> > > > want to grab some data here is a quick and dirty solution. This is a
> > > > joeware whip it up on the spot special for you.... no charge.
> > > > :op
> > > >
> > > >
> > > > __START SCRIPT__
> > > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > > open fh,"<tempfile.txt";
> > > > %uniqueemail=();
> > > > %ciuniqueemail=();
> > > > foreach $thisline (<fh>) {
> > > >   if ($thisline=~/.+: *([EMAIL PROTECTED])/)
> > > >   {
> > > >     $uniqueemail{$1}=1;
> > > >     $ciuniqueemail{lc($1)}=1;
> > > >   }
> > > > }
> > > >
> > > > print "\n\nUnique Email Addresses\n";
> > > > map {print "$_\n"} sort keys %uniqueemail;
> > > >
> > > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > > map {print "$_\n"} sort keys %ciuniqueemail;
> > > > __END SCRIPT__
> > > >
> > > >
> > > > It uses adfind (www.joeware.net <http://www.joeware.net> on the
> > > > free win32 tools page) to query a global catalog to get all of the
> > > > objects with either mail attribute populated OR SMTP starting one of
> > > > the values in proxyaddresses and also retrieves those attributes. It
> > > > sends this to a file both because I don't know how big your forest
> > > > is and your memory in your pc is. If you have something smaller for
> > > > a forest or a big box you can pull straight into memory with
> > > >
> > > > @output=`adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses`;
> > > >
> > > >
> > > > Also the base is nothing which means search the entire directory, if
> > > > you wanted a single domain you could set -b parameter to some value
> > > > like dc=child1,dc=domain,dc=com.
> > > >
> > > >
> > > > It also will give you two hashes of unique IDs. One is case
> > > > sensitive, one is case insensitive. Shouldn't matter and I
> > > > personally would do everything case insensitive but not sure exactly
> > > > what you are looking for so did it both ways. If you want case
> > > > insensitive, kill any line with uniqueemail in it and leave the
> > > > lines with ciuniqueemail in it.
> > > >
> > > > ex:
> > > >
> > > > __START SCRIPT__
> > > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > > open fh,"<tempfile.txt";
> > > > %ciuniqueemail=();
> > > > foreach $thisline (<fh>) { if ($thisline=~/.+: *([EMAIL PROTECTED])/) {$ciuniqueemail{lc($1)}=1}};
> > > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > > map {print "$_\n"} sort keys %ciuniqueemail;
> > > > __END SCRIPT__
> > > >
> > > >
> > > > Oh one quick thing, I hate it when I don't easily see what a regular
> > > > expression is doing so the regex above ($thisline=~/.+: *([EMAIL PROTECTED])/)
> > > > breaks down like this
> > > >
> > > > $thisline=~/.+: *(.+)/
> > > >
> > > > $thisline=~
> > > >     Take the $thisline variable and run a match against it....
> > > > /.+: *([EMAIL PROTECTED])/
> > > >     This is the match. Match any line that has a : and an @ sign in
> > > >     it. On a match take the info following the : or a : with a
> > > >     trailing space and save it.
> > > >
> > > > This will match any of the following lines:
> > > >
> > > > >mail: [EMAIL PROTECTED]
> > > > >proxyaddresses: SMTP:[EMAIL PROTECTED]
> > > > >proxyaddresses: smtp:[EMAIL PROTECTED]
> > > >
> > > > and save the email address piece in the variable $1.
> > > >
> > > >
> > > >
> > > > If you need to match up the dn to the email addresses this gets more
> > > > involved but is still pretty easy. The following script will create
> > > > a semi colon delimited list with the DN as the first field and all
> > > > other fields email addresses for the specified dn.
> > > >
> > > >
> > > > __START SCRIPT__
> > > > `adfind -t 50000 -gc -b -f \"&(mail=*)(proxyaddresses=SMTP:*)\" mail proxyaddresses >tempfile.txt`;
> > > > open fh,"<tempfile.txt";
> > > > %ciuniqueemail=();
> > > > foreach $thisline (<fh>) {
> > > >   if ($thisline=~/dn:(.+)/) {$cdn=lc($1)};
> > > >   if ($thisline=~/.+: *([EMAIL PROTECTED])/) {$ciuniqueemail{$cdn}{lc($1)}=1; }
> > > > }
> > > >
> > > > print "\n\nCase Insensitive Unique Email Addresses\n";
> > > > foreach $dn (sort keys %ciuniqueemail) {
> > > >   print "$dn;";
> > > >   map {print "$_;"} sort keys %{$ciuniqueemail{$dn}};
> > > >   print "\n";
> > > > }
> > > > __END SCRIPT__
> > > >
> > > >
> > > > want to match to display names or whatever else instead?
> > > > Simply add the field to the search and change the line picking out
> > > > the current "key". I really like dn as that is guaranteed unique in
> > > > a forest, anything else and you need to scope your search better to
> > > > avoid non-unique hits which would skew the output incorrectly.
> > > >
> > > >
> > > >
> > > > Does that meet the requirements?
> > > >
> > > >
> > > > joe
> > > >
> > > >
> > > > _____
> > > >
> > > > Wrom: JGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZX
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > [EMAIL PROTECTED]
> > > > Sent: Friday, January 09, 2004 2:20 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] ldifde and/or csdve
> > > >
> > > > I'm hoping someone on here might be able to help me. I have a
> > > > request to create a file that contains all my users' smtp
> > > > addresses. I'm running in an AD windows 2000 environment. I need to
> > > > ensure that the list contains all addresses for each person. I.e. in
> > > > some cases the same person might have three different smtp addresses
> > > > for whatever reason.
> > > > I've done some csvde commands such as:
> > > >
> > > > Csvde -f GAlSync.csv -d "OU=Contacts,OU=whatever,DC=CORP,DC=companyname,DC=com"
> > > >
> > > > Which generates me a csv with the data in it but the cleanup to get
> > > > to just the smtp addy's will be almost unbearable. Does anyone
> > > > happen to know a better way to get just those smtp addy's out of
> > > > there?
> > > >
> > > > Thanks,
> > > >
> > > > Travis
> > > >
> > > >
> > > > List info : http://www.activedir.org/mail_list.htm
> > > > List FAQ : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
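
Added example, not part of the original thread and not joeware code: a Python take on the extraction discussed above, keeping only `mail` values and `SMTP:`/`smtp:` proxy addresses per DN and deduplicating case-insensitively into a recipient table for a border relay. The sample lines are constructed in the `dn:` / `>attribute: value` shape the thread shows, and the `address OK` output format and the function names are assumptions.

```python
import re

# Constructed sample in the shape the thread shows for adfind output
# ("dn:" line, then ">attribute: value" lines). Not real directory data.
SAMPLE = """\
dn:CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=com
>mail: Alice@example.com
>proxyAddresses: SMTP:Alice@example.com
>proxyAddresses: smtp:alice.example@example.com
>proxyAddresses: X400:c=US;a= ;p=Example;o=Corp;s=Example;g=Alice;

dn:CN=Bob Example,OU=Staff,DC=corp,DC=example,DC=com
>mail: bob@example.com
>proxyAddresses: SMTP:bob@example.com
>proxyAddresses: smtp:BOB@example.com
"""

ATTR = re.compile(r"^>(mail|proxyaddresses):\s*(.*)$", re.IGNORECASE)
ADDR = re.compile(r"^[^@\s:;]+@[^@\s:;]+$")  # loose shape check, not RFC 5322

def addresses_by_dn(text):
    """Map lower-cased DN -> set of lower-cased SMTP addresses."""
    result, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
            result.setdefault(dn, set())
            continue
        m = ATTR.match(line)
        if not m or dn is None:
            continue
        attr, value = m.group(1).lower(), m.group(2).strip()
        if attr == "proxyaddresses":
            prefix, _, value = value.partition(":")
            if prefix.lower() != "smtp":  # drop X400/X500 and other types
                continue
        if ADDR.match(value):
            result[dn].add(value.lower())
    return result

def recipient_table(by_dn):
    """Assumed 'address OK' lookup-table lines, one per unique recipient."""
    unique = sorted({a for addrs in by_dn.values() for a in addrs})
    return [f"{a} OK" for a in unique]

if __name__ == "__main__":
    print("\n".join(recipient_table(addresses_by_dn(SAMPLE))))
```

Regenerating the table on a schedule and diffing it against the previous run gives a quick view of how far a pushed list can drift from the directory between updates.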
