On Fri, Mar 08, 2013 at 05:23:27PM +0200, Geoff Shang wrote:
> On Fri, 8 Mar 2013, Bastian Blank wrote:
> >On Fri, Mar 08, 2013 at 03:45:57PM +0200, Geoff Shang wrote:
> >And password verification is not necessary for looking up stuff.
> Not if you bind anonymously. But if you bind with a specific
> account (i.e. log in with a username and password), this will need
> to be verified. This is no big deal if it happens once but can be a
> performance drain if it has to happen for every single lookup.

Then just don't do it. Use IPsec or so if you want network security.

> The other issue is TLS negotiation. If it can be set up once, this
> is fine. Frequent TLS negotiations will likewise be a performance
> hit.

Don't do that.

> We could do anonymous binds in the clear, but we're taking this as a
> last resort position. As always: don't shoot the messenger.
> >Add an LDAP replica on each postfix and dovecot server. This is a good
> >idea for scalability and redundancy anyway.
> Not sure how wild people will be about this idea.

And why? You need the information at this location and already have
access.

> >>mydestination = mx.ourdomain.com, localhost
> >>myhostname = mx.ourdomain.com
> >I don't think this is correct. Maybe mx.example.com.
> It's correct. All hosted domains will be relay_domains.

No, it is not correct:

| $ drill mx.ourdomain.com any
| ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40228

There is no mx.ourdomain.com in the public DNS.

Bastian

-- 
War isn't a good life, but it's life.
		-- Kirk, "A Private Little War", stardate 4211.8
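The last point in the message above, that the names put into `myhostname` and `mydestination` must actually exist in DNS, is something you can script rather than check by hand with `drill`. The following is an added example, not code from the thread or from Postfix: it parses a constructed `main.cf` fragment that mirrors the quoted snippet, pulls out the host names from `myhostname`, `mydestination` and `relay_domains` (skipping `localhost` and lookup-table references such as `hash:/...`), and resolves each one. The resolver is injectable so the check can be exercised offline; the default uses `socket.getaddrinfo`, which fails with `gaierror` on an NXDOMAIN such as the one shown in the message. The `$param` expansion is a deliberately simplified, single-level version of what Postfix does, and `HOST_PARAMS` is my own choice of which parameters to inspect.

```python
"""Added example: verify that the host names a Postfix main.cf puts into
myhostname / mydestination / relay_domains resolve in DNS.  This is not
Postfix's or Debian's tooling; the parser and parameter list are my own
assumptions about how such a pre-deployment check could be written."""
import re
import socket
from typing import Callable, Dict, List

# Parameters whose (expanded) values are expected to be resolvable names.
# Assumption: these three are the ones worth checking for the thread's setup.
HOST_PARAMS = ("myhostname", "mydestination", "relay_domains")

# Constructed sample, mirroring the snippet quoted in the thread.  Note that
# mx.ourdomain.com is exactly the name the message shows returning NXDOMAIN.
SAMPLE_MAIN_CF = """\
# constructed main.cf fragment (not a real deployment)
myhostname = mx.ourdomain.com
mydestination = $myhostname, localhost
relay_domains = hash:/etc/postfix/relay_domains
"""

_REF = re.compile(r"\$\{?(\w+)\}?")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal parser for 'key = value' lines in main.cf.

    Ignores blank lines and '#' comments; a line starting with whitespace
    continues the previous parameter's value, as in Postfix."""
    params: Dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:
            params[key] += " " + raw.strip()  # continuation line
            continue
        if "=" not in raw:
            continue  # not a parameter line; ignore
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def expand(value: str, params: Dict[str, str]) -> str:
    """Single-level $param / ${param} expansion (simplified vs. Postfix)."""
    return _REF.sub(lambda m: params.get(m.group(1), ""), value)


def hostnames_to_check(params: Dict[str, str]) -> List[str]:
    """Collect the DNS names from HOST_PARAMS, in order, without duplicates."""
    names: List[str] = []
    for p in HOST_PARAMS:
        if p not in params:
            continue
        for item in expand(params[p], params).replace(",", " ").split():
            # localhost is never in public DNS; 'type:/path' items are
            # lookup tables, not names.
            if item.startswith("localhost") or ":" in item or "/" in item:
                continue
            if item not in names:
                names.append(item)
    return names


def resolves(name: str) -> bool:
    """True if the name has an A/AAAA answer; NXDOMAIN raises gaierror."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def check_config(text: str,
                 resolver: Callable[[str], bool] = resolves) -> Dict[str, bool]:
    """Map each configured host name to whether it resolves."""
    return {name: resolver(name) for name in hostnames_to_check(parse_main_cf(text))}


if __name__ == "__main__":
    # Uses the real resolver; with the sample config this should report
    # mx.ourdomain.com as unresolvable, matching the drill output above.
    for name, ok in check_config(SAMPLE_MAIN_CF).items():
        print(f"{name}: {'ok' if ok else 'does NOT resolve'}")
```

Run it against the real `main.cf` by reading the file into `check_config`; a `False` for `myhostname` is the same misconfiguration the `drill` output in the message points at.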