SORBS a PITA on spam backscatter ...

Glenn Steen glenn.steen at
Wed Jun 13 23:14:39 IST 2007

On 13/06/07, Andrew MacLachlan <andy.mac at> wrote:
> The problem I can see with this is the customer allowing an inbound LDAP
> connection straight through the DMZ to their AD DC - it's not quite best
> practice is it...

For a lot of setups the distance between the "outside" MS box and the
"inside" M-Sexchange box is very short (1 hop or so:-), for the ones
you express concern over, there are a wealth of possible solutions
(including intelligent FW rules, "offline" dumping of AD and
subsequent transferal by ... other means)... Or you could use a
well-behaved SAV (with a modern, well-behaved MSEX).

> As an alternative, you could do two things after explaining the problem
> to them:
> - Block all NDRs from their Exchange Server
... provided you do outbound filtering too.
> - Ask them to supply a properly formatted list of valid recipients
> extracted from AD on a regular basis (maybe they could FTP/SCP it to you
> a few times a day).
Kind of suggestion 1b above;-).
(I'm not really disagreeing with you Andy;).
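As an added illustration of the second suggestion (a periodically supplied list of valid recipients, checked at the gateway so unknown users are rejected at RCPT time and never produce an NDR), here is example code that is not from this thread or from MailScanner itself. It assumes a hypothetical CSV export of AD `mail` and `proxyAddresses` attributes, a hypothetical list of local domains, and a Postfix-style `address OK` map as the output format; the sample data is constructed.

```python
"""Build a valid-recipient map from an AD export and decide RCPT TO at the gateway."""
import csv
import io
import re

# Constructed sample of an AD export (hypothetical layout: one row per
# mail-enabled object, proxyAddresses joined with ';'). Not real data.
SAMPLE_EXPORT = """mail,proxyAddresses
Alice.Smith@example.com,SMTP:Alice.Smith@example.com;smtp:alice@example.com;X400:c=us;a= ;p=example
bob@example.com,SMTP:bob@example.com;smtp:robert.jones@example.com;smtp:bob@partner.example.net
,SMTP:shared.mailbox@example.com
,
"""

# Domains the gateway relays for (assumption for this example).
LOCAL_DOMAINS = {"example.com"}

# Conservative address syntax; anything odder is dropped from the map rather
# than passed through, so a malformed export cannot poison the table.
_ADDR_RE = re.compile(r"^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,}$")


def normalize(addr):
    """Lower-case, strip whitespace and angle brackets; None if not an address."""
    a = addr.strip().strip("<>").strip().lower()
    return a if _ADDR_RE.match(a) else None


def build_recipient_map(export_text, local_domains):
    """Return the set of deliverable addresses for the given local domains.

    Only 'smtp:' proxy addresses count; X400 and other address types are
    ignored, and addresses in foreign domains are left out so the map never
    makes the gateway accept mail it cannot deliver.
    """
    valid = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        candidates = [row.get("mail") or ""]
        for entry in (row.get("proxyAddresses") or "").split(";"):
            if entry[:5].lower() == "smtp:":
                candidates.append(entry[5:])
        for cand in candidates:
            addr = normalize(cand)
            if addr and addr.rsplit("@", 1)[1] in local_domains:
                valid.add(addr)
    return valid


def rcpt_decision(rcpt, valid):
    """SMTP reply for a RCPT TO: known recipients are accepted, unknown ones
    rejected in-session so the relay never accepts-then-bounces."""
    addr = normalize(rcpt)
    if addr is None:
        return "501 5.1.3 Bad recipient address syntax"
    if addr in valid:
        return "250 2.1.5 OK"
    return "550 5.1.1 User unknown"


def to_postfix_map(valid):
    """Render the set as a relay_recipient_maps style table ('address OK')."""
    return "\n".join(f"{a} OK" for a in sorted(valid)) + "\n"


if __name__ == "__main__":
    recipients = build_recipient_map(SAMPLE_EXPORT, LOCAL_DOMAINS)
    print(to_postfix_map(recipients))
    for r in ("<Alice.Smith@Example.com>", "nobody@example.com"):
        print(r, "->", rcpt_decision(r, recipients))
```

The point of the normalisation and domain filter is that the export arrives from a system you do not control; the gateway should only ever learn addresses it is actually prepared to relay, and the table should be regenerated from each fresh export rather than appended to, so removed mailboxes start being rejected as soon as the next file lands.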

