Koozali.org: home of the SME Server

Adding pseudonyms to LDAP

Offline stabilys

Adding pseudonyms to LDAP
« on: April 29, 2008, 10:43:09 PM »
Hi:

Situation: current 7.3 system with <30 users. They have a Barracuda spam firewall in front since their three-letter domain name was previously owned by a spammer :o

They get 30K + spams a day (10 M in 2 Y). They have a lot of user churn 5/6 p.a.

To tighten the rules I would like to use the Barracuda facility to authenticate users by LDAP. This works fine but unfortunately the pseudonyms are not in the LDAP db so mail to these is rejected if this authentication is set up.

Is there a canonical way to add the pseudonyms to the LDAP with these being auto regenerated on user changes?

We have created an in-memory modified LDAP db with the pseudonyms added to the users as alternate names and this does not seem to have broken anything yet and works just fine. However, it will of course be overwritten on reboot.

The only full list of accepted names seems to be at /var/service/qpsmtpd/config/goodrcptto

TIA for any help.

MeJ   
This, too, will pass ;)

Offline cactus

Re: Adding pseudonyms to LDAP
« Reply #1 on: April 30, 2008, 12:01:23 PM »
Why not let SME Server do the spam fighting itself? It has excellent tools for it, see also: http://wiki.contribs.org/Email#Spam

I have followed these instructions a long time ago (including the bayes filtering) and am pretty satisfied with the outcome: http://www.sonoracomm.com/index.php?option=com_content&task=view&id=49&Itemid=32
« Last Edit: April 30, 2008, 12:05:54 PM by cactus »
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline stabilys

Re: Adding pseudonyms to LDAP
« Reply #2 on: April 30, 2008, 08:22:08 PM »
Thanks for the reply. The Barracuda was added about 3 years ago when there were over 100K spams a day and the qmail-smtpd at that time accepted all email before rejecting it (which is why mailfront was added, I believe) and the DSL line was saturated by this.

(As an aside: I do not and never have liked qmail and the way it handles mail: the only justification is, of course that it works very adequately if surrounded by fixes for its weirder behaviours. I am not a Bernstein enthusiast :( Much of the backscatter email we are rejecting is bounced off qmail servers...)

The Barracuda is in a different league to the basic e-smith capability when faced with this much spam; the Barracuda gets updates every hour (for a subscription price of course). It does:

  • Network Denial of Service Protection
  • Rate Control
  • IP Reputation Analysis
  • Sender Authentication
  • Recipient Verification
  • Virus Scanning
  • Policy (User-specified rules)
  • Spam Fingerprint Check
  • Intent Analysis
  • Image Analysis
  • Bayesian Analysis
  • Rule-based Scoring


It does NOT do backscatter.

It's a special purpose device and it works well in these circumstances. But I'm not trying to sell you one :)

The current e-smith oops SME Server handles normal spam levels quite adequately at other sites, but this is a special case.

Anyway, - any comments re my question?

 :)


MeJ

Offline kruhm


Offline CharlieBrady

Re: Adding pseudonyms to LDAP
« Reply #4 on: May 04, 2008, 10:24:37 PM »
Is there a canonical way to add the pseudonyms to the LDAP with these being auto regenerated on user changes?

You'd need to rewrite a custom action script and then link it into the user-create, user-modify and user-delete event directories. Or pay someone to write such a script.
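The core of the action script described in the reply above, as an added example that is not part of the thread and not SME Server's own code: it rebuilds each user's full address list as LDIF, so re-running it on every user event is idempotent and stale pseudonyms disappear from recipient verification. Assumptions: the accounts records arrive in a `key=type` / indented `Prop=value` layout, user entries live at `uid=<account>,ou=Users,<base>`, the aliases are stored in the `mail` attribute, and the names `sample_accounts` and `pseudonym_ldif` are hypothetical.

```shell
#!/bin/sh
# Added example, not SME Server code. Assumed: record layout, DN layout,
# and "mail" as the attribute the spam firewall checks recipients against.

# Constructed sample input: two users, three pseudonyms.
sample_accounts() {
cat <<'EOF'
jsmith=user
    FirstName=John
john.smith=pseudonym
    Account=jsmith
sales=pseudonym
    Account=jsmith
mbrown=user
    FirstName=Mary
mary@example.org=pseudonym
    Account=mbrown
EOF
}

# pseudonym_ldif DOMAIN BASE_DN : records on stdin, LDIF modify records on stdout.
pseudonym_ldif() {
  awk -v domain="$1" -v base="$2" '
    /^[^ \t]/ {                          # record header: key=type
      split($0, h, "="); key = h[1]; type = h[2]
      # Refuse names that could inject extra LDIF lines or attributes.
      if (key !~ /^[A-Za-z0-9._@-]+$/) { type = ""; next }
      if (type == "user" && !(key in seen)) { seen[key] = 1; order[++n] = key }
      next
    }
    type == "pseudonym" && /^[ \t]+Account=/ {
      sub(/^[ \t]+Account=/, "")         # $0 is now the owning account
      addr = (key ~ /@/) ? key : key "@" domain
      alias[$0] = alias[$0] "mail: " addr "\n"
    }
    END {                                # only existing users get a record
      for (i = 1; i <= n; i++) {
        u = order[i]
        printf "dn: uid=%s,ou=Users,%s\nchangetype: modify\n", u, base
        # replace (not add) rewrites the whole value set on every run
        printf "replace: mail\nmail: %s@%s\n%s\n", u, domain, alias[u]
      }
    }'
}

sample_accounts | pseudonym_ldif example.org "dc=example,dc=org"
```

In a real action script the output would be piped to `ldapmodify` with the site's bind credentials, and the script linked into the user-create, user-modify and user-delete event directories named in the reply.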

Offline stabilys

Re: Adding pseudonyms to LDAP
« Reply #5 on: May 07, 2008, 11:30:03 AM »
Thank you kruhm and CharlieBrady for the most helpful responses.

Considering further...

MeJ


Offline stabilys

Re: Adding pseudonyms to LDAP
« Reply #6 on: May 07, 2008, 11:48:09 AM »
You'd need to rewrite a custom action script and then link it into the user-create, user-modify and user-delete event directories. Or pay someone to write such a script.

I have looked through the Developer's manual, and while there is much material on action scripts there is no full example worked through of adding a custom action script.

Would it be useful generally to have such a fully-worked example? I also feel that having all valid names in the LDAP database is in fact a preferred way for the system to work.

If so, then would any developer or documentation team member like to suggest a fee for:

- working up an action script to add the pseudonyms as alternate names to the LDAP database as discussed above and
- adding the worked example to the Developer doc?

We'll pay for this - assuming we can afford to :)

Contact me privately if you prefer, public is fine by me.

MeJ 

Offline CharlieBrady

Re: Adding pseudonyms to LDAP
« Reply #7 on: May 08, 2008, 05:20:00 AM »
Contact me privately if you prefer, public is fine by me.

Since your contact information appears to be private, perhaps you'd prefer to contact me.