LDAP acceptance

I would like to configure LDAP acceptance. The mail server is Scalix. I've found some information in Scalix for LDAP:
swa.ldap.1.type=system
swa.ldap.1.server=mail.test.com
swa.ldap.1.port=389
swa.ldap.1.baseDN=o=scalix
swa.ldap.1.displayName.resourceID=addressbooksearch_title_system
swa.ldap.1.displayName.resourceLabel=System Directory
swa.ldap.1.authType=none
swa.ldap.1.filter=(|(&(cn=%s*)(mail=*))(&(sn=%s*)(mail=*))(&(gn=%s*)(mail=*))(mail=%s*)(&(omalias=%s*)(mail=*)))
swa.ldap.1.addressSearchLimit=100
swa.ldap.1.search.1.header=true
swa.ldap.1.search.1.type=name
swa.ldap.1.search.1.name.resourceID=addressbooksearch_label_name
swa.ldap.1.search.1.name.resourceLabel=Name
swa.ldap.1.search.1.dirAttribute=omcn
swa.ldap.1.search.2.header=true
swa.ldap.1.search.2.type=email
swa.ldap.1.search.2.name.resourceID=addressbooksearch_label_email
swa.ldap.1.search.2.name.resourceLabel=Email Address
swa.ldap.1.search.2.dirAttribute=rfc822Mailbox
swa.ldap.1.search.3.header=true
swa.ldap.1.search.3.type=
swa.ldap.1.search.3.name.resourceID=addressbooksearch_label_phone
swa.ldap.1.search.3.name.resourceLabel=Phone
swa.ldap.1.search.3.dirAttribute=telephoneNumber
swa.ldap.1.search.4.header=
swa.ldap.1.search.4.type=
swa.ldap.1.search.4.name.resourceID=
swa.ldap.1.search.4.name.resourceLabel=Fax Phone
swa.ldap.1.search.4.dirAttribute=facsimileTelephoneNumber
swa.ldap.1.search.5.header=
swa.ldap.1.search.5.type=
swa.ldap.1.search.5.name.resourceID=
swa.ldap.1.search.5.name.resourceLabel=Mobile Phone
swa.ldap.1.search.5.dirAttribute=mobileTelephoneNumber
swa.ldap.1.search.6.header=
swa.ldap.1.search.6.type=
swa.ldap.1.search.6.name.resourceID=
swa.ldap.1.search.6.name.resourceLabel=Pager Phone
swa.ldap.1.search.6.dirAttribute=pagerTelephoneNumber
swa.ldap.2.type=personal
swa.ldap.2.server=mail.test.com
swa.ldap.2.port=389
swa.ldap.2.baseDN=o=MyContacts
swa.ldap.2.displayName.resourceID=addressbooksearch_title_personal
swa.ldap.2.displayName.resourceLabel=Personal Contacts
swa.ldap.2.authType=simple
swa.ldap.2.bindDN=rfc822mailbox=%u
swa.ldap.2.filter=(|(&(cn=%s*)(|(mail=*)(304=4)))(&(sn=%s*)(mail=*))(&(gn=%s*)(mail=*))(mail=%s*)(&(omalias=%s*)(mail=*)))
So what are the parameters for LDAP acceptance according to the information above?

Can you have more information be exported for this user? From scanning over the output below, I cannot identify where a user's email address would be except for this one value:
swa.ldap.1.search.2.name.resourceLabel=Email Address

Similar Messages

  • LDAP accept query (space within email) got pass

    Version: 5.1.2-005
    The LDAP accept query is very effective here and we have been using it since day 1.
    Recently, we discovered some backend MTA logs rejecting invalid addresses.
    We haven't changed IronPort or the backend LDAP software for a while, so it is not something due to a recent change.
    Here is a funny finding, note the space.
    > ldaptest
    Select which LDAP query to test:
    1. MXLDAP.accept
    2. MXLDAP.smtpauth
    3. VDELDAP.accept
    4. group
    [1]> 1
    Address to use in query:
    []> sys [email protected]
    LDAP query test results:
    Query: MXLDAP.accept
    Address: sys [email protected]
    Action: pass
    LDAP query test finished.
    I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys [email protected]' as a valid LDAP entry. So it seems it is not related to LDAP.
    This is our LDAP accept query:
    (&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))
    Our LDAP backend is Openwave MX LDAP directory.
    We are considering upgrading to version 5.5, but not because of this problem; rather, to try to keep our version reasonably up to date.

    In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
    If it is set to "loose parsing", it accepts but actually delivers the message to .
    When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
    In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
    I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.

  • Ideas for features needed in new Conversational LDAP Accept

    Mark, sorry should have given you this list months ago. My guess is you've already thought of all of these and more.
    Everyone else, feel free to add to the list or tell me I'm nuts... or better yet ask what for.
    1) A good DHAP (directory harvest attack prevention) solution. I'm guessing this would be along the same lines as current post-conversation LDAP Accept. - completely obvious
    2) Sender Group specific settings, also like the current DHAP. This allows for different bounce/drop rates based on Sender Group or SBRS. Also the ability to Drop vs. Bounce based on Sender Group, not just a global setting.
    3) The ability to do conversational bounces based on the MAIL FROM: in addition to the RCPT TO:. This allows for conversational bounces for Internet inbound emails where the MAIL FROM: may be your own domain (spoofed).
    4) LDAP Accept still needs to be post HAT, Domain Map and RAT processing.
    5) Rates and counts added to the Mail Flow monitor stats, specifically: Invalid LDAP rates: Total, Bounce and Drop.
    6) LDAP lookup status, very much like DNS with cache hit/miss rates, number of lookups, etc. Also rates along with counts.
    7) Warnings when LDAP lookup timeout is exceeded, vs. server connection failures. Configurable LDAP lookup timeout.
    8) If connection to LDAP server fails or times out, emails are accepted by default.

    Erich,
    This is all very good feedback. The vast majority of it will be included in the conversational LDAPACCEPT feature coming in a maintenance release in the short term.
    There are a couple items that we'll have to get to in a later release:
    - Drop vs. bounce in the sender group. Good idea, beyond what we'll be able to do in this release. But you'll be able to enable/disable and set thresholds per sender group.
    - Conversational bounces on the Envelope Sender. This is coming in the Hard Rock release, planned for Q405.
    - LDAP lookup status will be in the Hard Rock release
    Everything else looks to be in there.
    Peter Schlampp
    Sr. Dir., Product Management
    IronPort Systems

  • LDAP Acceptance Query

    Hello everybody,
    I would like to know if it's possible to enable a "LDAP Acceptance query" only for one domain protected by Ironport?
    I explain myself:
    Our Ironport is used by 3 companies. One company has an Exchange server and so LDAP is possible - and it works well. But (badly but) the others have another product as mail server which does not support LDAP queries.
    So I would like to enable the LDAP acceptance query for the first company and nothing for the 2 others.
    Last, I would like to enable LDAP authentication for Spam Quarantine if possible.
    Regards,
    GALLEZ Antony

    Hi there, Bypass LDAP Accept is the easiest way, but a way to give you more control would be to create a separate MX record for each company.
    On the IronPort have an individual listener for each company, that way you can have multiple routing, accept and group queries for each company.
    But as you have already found the Bypass LDAP in the RAT is the easiest option :lol:
    Different MX Records means that we need different public IP addresses and we only have one. So, I'll use the "Bypass LDAP Accept" option.
    BTW, thanks for your response, I hadn't thought of different MX Records...

  • C100 LDAP accept to multiple AD domains?

    Hi All,
    Just been setting up our Ironport c100 and noticed that per listener you can only have one LDAP lookup host (or many in failover); however, what we require is the following:
    Inbound e-mail for [email protected] c100 lookups AD (LDAP) of domainA.com for the user and accepts or denies, now at the same time another inbound e-mail comes in but for [email protected] this needs to do the lookup against the domainB.com AD server which is a completely different host to domainA.com (in fact different network/customer).
    From what I can see at the moment I would need to set up a separate Listener for each domain with 2 IPs each which would soon get very out of hand.
    Has anybody done this before or have any idea how this could be done??
    Just a side note: I set up an ADAM server and used the AD to ADAM synchronizer to get a copy of the domain into a partition in the ADAM server and then another domain into its own partition, but seeing as the C100 needs a base DN this makes this impossible, unless anybody again has some ideas about this....

    Torsten is correct, the feature that you need for supporting either different LDAP servers per domain or tiered LDAP lookups is due in the 5.5 release slated for Q3/2007 so this will be addressed.
    With regards to ADAM, I personally haven't done an installation with ADAM; however, I will state that it's not required to put a base DN into the LDAP profile. So you might want to consider removing the base DN from your ADAM profile and see if the query will work for you.
    Another good step might be to download the Softerra LDAP browser utility and take a look at the ADAM server to identify relevant pieces of LDAP information...assuming that it doesn't conform to AD's (|(mail={a})(proxyAddresses=smtp:{a})) query string.
    Sincerely,
    Jay Bivens
    IronPort Systems

  • LDAP Accept query for "catch all" domains

    I'm far from an LDAP expert so I'm posting this both as a "look what I did!" and an "is there a better way?"
    The query feels fairly typical until the end where I look for "absolute-catchall@[the domain]". Effectively this accepts "anything"@"domain." Is this what you do? Is there a better way? Is this already in the manual somewhere :)
    (|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))

    I don't think these kinds of tricks are in the handbook, but you're not the only one using something like this. A similar query was posted here: http://www.ironportnation.com/forums/viewtopic.php?p=718#718
    I'm using this to skip recipient checking for domains where I'm only acting as backup MX and can't verify the addresses.
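
Added example, not code from any of the posters or from IronPort: one way to expand an accept-query template such as those in the space-in-address thread and the catch-all thread above, refusing a recipient that contains whitespace instead of stripping it, and escaping the substituted values per RFC 4515. It assumes {a}, {u} and {d} stand for the full address, the local part and the domain; the function names and sample recipients are made up for illustration.

```python
import re

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TOKEN = re.compile(r"\{([aud])\}")


class RejectedRecipient(ValueError):
    """The envelope recipient must not be looked up or accepted as written."""


def escape_filter_value(value):
    """Escape one assertion value so it cannot add or close filter groups."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_recipient(rcpt):
    """Return (address, user, domain) for the address exactly as received."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in rcpt):
        # Refuse instead of stripping: a lookup on the stripped form would
        # validate a different mailbox from the one the message is sent to.
        raise RejectedRecipient("whitespace or control character in recipient")
    user, at, domain = rcpt.rpartition("@")
    if not at or not user or not domain:
        raise RejectedRecipient("recipient is not of the form user@domain")
    return rcpt, user, domain


def check_balanced(ldap_filter):
    """Raise ValueError if the parentheses of a filter do not pair up."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("filter closes a group that was never opened")
    if depth != 0:
        raise ValueError("filter has %d unclosed group(s)" % depth)


def expand_accept_query(template, rcpt):
    """Substitute {a}, {u} and {d} (assumed meanings) with escaped values."""
    check_balanced(template)
    address, user, domain = split_recipient(rcpt)
    parts = {"a": address, "u": user, "d": domain}
    # A function replacement is inserted literally, so the \XX escapes survive.
    expanded = _TOKEN.sub(lambda m: escape_filter_value(parts[m.group(1)]), template)
    check_balanced(expanded)  # escaped values contain no literal parentheses
    return expanded


def plan_lookup(template, rcpt):
    """Return ("query", filter) or ("reject", reason) for one RCPT TO value."""
    try:
        return ("query", expand_accept_query(template, rcpt))
    except RejectedRecipient as exc:
        return ("reject", str(exc))


# Query strings taken from the threads on this page; the recipients are constructed.
AD_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"
CATCHALL_QUERY = "(|(|(gecos={u})(|(mail={a})(mail={u})))(mail=absolute-catchall@{d}))"

if __name__ == "__main__":
    for rcpt in ("joe@example.com", "sys admin@example.com", "x)(mail=*@example.com"):
        print(rcpt, "->", plan_lookup(AD_QUERY, rcpt))
    print(plan_lookup(CATCHALL_QUERY, "joe@example.com"))
```

A template whose own parentheses do not balance raises a plain ValueError, which is a configuration error and is deliberately not turned into a per-recipient reject.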

  • Ironport C370 Ldap Accept problems

    Hello all,
    I'm having problems using ldap queries to validate recipients from my Cisco Ironport C370.
    I'm receiving permanent Warning message like this:
    The query CP_LDAP.accept failed with result inquiry timed out
    I need to know how the C370 establishes TCP sessions for each LDAP host (one session per query, one session for all queries..). LDAP administrators are seeing lots of established TCP connections from the Ironport C370 even though I've configured "Maximum number of simultaneous connections for each host" to 10.
    I've checked it running the netstat command on C370 appliance (around 20 for each).
    Is this a normal behaviour?
    Thanks a lot.
    Best Regards,
    Alfonso Moneo

    Hi Alfonso,
    Do you have any kind of FW on the path or built-in FW on the email server?
    In regards to your other question, the ESA will maintain a number of active TCP conns to your LDAP server (6 hours or 10,000 queries, whichever happens first).
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Regular Expressions/Wildcards in IronPort ESA Recipient Accept Table

    Is it possible to define Recipient Accept Table entries using Regular Expressions or wildcards ?
    For example, given a very large email address space in the format [email protected], where x ∈ [0..9], for which one needs to bypass LDAP Accept, could RAT entries be added like: abc-1[0-9]{9}@domain.com or at least abc-1*@domain.com or it's just literals ?
    Thanks. :)

    No.  It will not read the entry as a regex for the RAT.
    The following formats are allowed:
    Hostnames such as "example.com", "[1.2.3.4]", "[2001:420:80:1::5]"
    Partial hostnames such as ".example.com"
    Usernames such as "postmaster@"
    Full email addresses such as "[email protected]", "joe@[1.2.3.4]" or "joe@[ipv6:2001:420:80:1::5]"
    Separate multiple addresses with commas.

  • C170 Ironport error "The query domain.name.accept failed

    Dear Community,
    I have two Cisco C170 Ironport devices.  Each is throwing the following error:
    "The query <domain.name.accept> failed with result inquiry timed out."
    I have been unable to decipher it and was hoping anyone might possibly have a clue to look for the resolution.
    I would be very grateful Community.
    Thanks.
    Rocky

    Hey Rocky,
    This seems to be an error on an LDAP accept query that is configured on the appliance.
    If you have indeed created an LDAP accept query, please check connectivity from the appliance to your AD servers currently set.
    Please go to GUI > System Admin > LDAP
    Here you can check connectivity to the AD servers and also run a test accept query.
    Please attempt these tests and let us know the results.
    Judging from the error, I am assuming that the LDAP accept query test will fail, resulting in a timeout. If it does, this usually indicates either the AD server was not properly set up on the appliance, if so, you will need to ensure that your firewalls, if any are in place, are allowing the query traffic from the appliance to the AD server.
    Please let us know.
    Regards,
    Matthew

  • LDAP Routing Query

    Hi,
    we have the following scenario:
    There is just one single mail domain.
    500 Mailboxes are on an Microsoft Exchange server with Active Directory, 500 Mailboxes are on a different server hosting POP3 Mailboxes.
    Obviously I cannot use an LDAP Accept Query, as the AD doesn't have any knowledge about the POP3 mailboxes. The question is, can I still use LDAP for mail routing, even if some accounts are not in the AD?

    Well.... there are more LDAP directories than MS Active Directory.
    If I understand you right your main problem is how to route 50% of your recipient addresses to Exchange and 50% of them to the POP3 system. If you could, it would be nice to have a message accept policy that is LDAP driven.
    I suggest you try to install a dedicated LDAP server for your Ironport(s). That LDAP server should be updated daily with the details from your AD and an export from the POP3 system. On the Linux platform there are several options (OpenLDAP, Apache Directory, Fedora 389, etc).
    Make sure your import scripts also provision the mail addresses of all users and (at least) an attribute like "mailHost": your Exchange-based 50% of your recipients would have a static value of "your.exchange.server" (= hostname of your Exchange bridgehead) as value, the other 50% would have "your.pop3.server" (= hostname of your POP3 server) as value.
    After that you can create a mail routing LDAP query that makes sure the messages are routed correctly. The mailHost attribute will be used to determine where the message should be routed to. If needed, you can also run a message acceptance query against that same LDAP. That query would reject all mail addresses that are unknown to the directory.
    If you have more questions about this, just send me a message; I have some experience with this matter.
    Steven

  • LDAP question

    Please help me to solve this issue, your help will be highly appreciated
    User1 ([email protected]) sends email to User2 ([email protected]), but User1 changes the Email Address and also the Reply-To field to [email protected]
    As a result, when User2 replies to that email, the email will be sent to Boss.
    Question: I want to check whether the Email Address and Reply-To fields match the account User1 in domain viking.com or not. If not, then drop that email.
    Thanks.

    You'll want to implement "LDAP Accept" for the inbound listener on your C-series appliance. Log into the Support Portal and download the AsyncOS Advanced User Guide.
    The PDF goes into detail on how to set up ldap and use the LDAP Accept to validate email addresses against an Active Directory/domain controller.

  • LDAP - AD - Referral following yielded no result

    Hi,
    I have some problems with LDAP Queries.
    I want to query my Active Directory on port 389 from our Ironport C350 which stands in the DMZ. The firewall has been opened for this connection.
    When I configure the LDAP accept query and test it, I get an error
    "Referral following yielded no result".
    Does anyone know what this means and how I can solve this problem?
    FyI:
    I have configured our Ironport in our LAN with exactly the same configuration. This works fine.
    Regards
    Andre

    Here is the tail from the LDAP log:
    Fri Apr 18 07:35:40 2008 Info: Version: 6.0.0-747 SN: 00188B52808E-6NP2JC1
    Fri Apr 18 07:35:40 2008 Info: Time offset from UTC: 7200 seconds
    Fri Apr 18 07:36:17 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (809) Connection closed (EOF)
    Fri Apr 18 07:36:17 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (809) Connection interrupted (writer)
    Fri Apr 18 07:36:17 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (819) connecting to server
    Fri Apr 18 07:36:17 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (819) connected to server
    Fri Apr 18 07:36:47 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (810) Connection closed (EOF)
    Fri Apr 18 07:36:47 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (810) Connection interrupted (writer)
    Fri Apr 18 07:36:47 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (820) connecting to server
    Fri Apr 18 07:36:47 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444: 389) (820) connected to server
    Fri Apr 18 07:39:03 2008 Debug: LDAP: Clearing LDAP server-group "LDAPO" cache
    Fri Apr 18 07:39:03 2008 Debug: LDAP: Clearing LDAP server-group "LDAPO" cache
    Fri Apr 18 07:39:03 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444:389) (1) connecting to server
    Fri Apr 18 07:39:03 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444:389) (1) connected to server
    Fri Apr 18 07:39:04 2008 Debug: LDAP: (accept) Query (|([email protected])(proxyAddresses=smtp:[email protected])) to server LDAPO (111.222.333.444:389)
    Fri Apr 18 07:39:04 2008 Debug: LDAP: Could not find a server to follow referral: ldap://lan/DV=BASEDN,DC=BASEDN
    Fri Apr 18 07:39:04 2008 Debug: LDAP: Could not follow referral: ldap://lan/DV=BASEDN,DC=BASEDN
    Fri Apr 18 07:39:04 2008 Debug: LDAP: (accept) Query (|([email protected])(proxyAddresses=smtp:[email protected])) lookup failed: Referral following yielded no result.
    Fri Apr 18 07:39:04 2008 Critical: LDAP: query LDAPO.accept result Referral following yielded no result.
    Fri Apr 18 07:39:09 2008 Debug: LDAP: LDAPO:111.222.333.444(111.222.333.444:389) (1) Connection interrupted (writer)

  • LDAP and Security Communications

    Hello everybody !
    we're using SunOne DirSer 5.2 and we're thinking to restrict security policies. Our LDAP accept bind connections and uid/pwd are transmitted clearly on the net. We would like to code this info.
    Sorry for question but I'm a novice...
    Is there a simple way to enable LDAP SSL communication WITHOUT certificates installation ( server+clients ) ??
    If I choose to install certificate on server only, must I store clear password inside ldap tree ( DIGEST-MD5 force to store clear pwd in ldap tree ) ??
    Thank you very much,
    Silvio

    > Hello everybody !
    > we're using SunOne DirSer 5.2 and we're thinking to restrict security policies. Our LDAP accept bind connections and uid/pwd are transmitted clearly on the net. We would like to code this info.
    > Sorry for question but I'm a novice...
    > Is there a simple way to enable LDAP SSL communication WITHOUT certificates installation ( server+clients ) ??
    No, there is no way - you need to have a server certificate installed!!
    There are dozens of free tools (openSSL, ...) which can be used to generate such a certificate. Of course, you may also obtain/buy one from an official CA.
    There is excellent and extensive documentation about that topic available online @
    http://docs.sun.com/source/816-6698-10/ssl.html (Sun Dir Server Admin Guide Implementing Security)
    and
    http://docs.sun.com/source/816-6704-10/ssl.html (Using SSL and TLS with Sun ONE Servers)
    So if you have some spare time - go read it!
    > If I choose to install certificate on server only, must I store clear password inside ldap tree ( DIGEST-MD5 force to store clear pwd in ldap tree ) ??
    Which password do you mean???
    By default, user (BIND) passwords are stored according to your passwordStorageScheme setting of the global password policy (dn: cn=Password Policy,cn=config), which is SSHA. So they are stored hashed by default!
    > Thank you very much,
    > Silvio

  • Question: how do you handle mail coming in via relays

    I discovered a problem I'd like your opinions on.
    Assume my external DNS entries look like
    mydomain.com MX 10 mail.mydomain.com
    mydomain.com MX 20 mail.myprovider.com
    The first entry points to an Ironport, well protected. But the spammers know that, so they deliberately pick the second - the provider's sendmail. That accepts everything and tries to get it off to mail.mydomain.com. Of course, there will be a lot of unknown recipients, so the directory harvest protection kicks in and blocks. As a result, the queues fill up there with thousands of mails.
    Now you could say: just drop all mail coming in that way. But of course I cannot. There might be the odd legitimate mail in there.
    What now?
    Option a) Accept all mail coming in from that host even if the recipient is invalid and drop it silently. Don't know how to do that. Apparently the listener cannot discriminate between connecting hosts.
    Option b) get rid of that secondary MX. Won't help anyway, as it is always cluttered with junk.
    Option c) host your own secondary MX. Ok if you have redundant connections as well. But not if you need a buffer for mails in case your connection is down.
    Option d) pick a provider that offers Spam-protection. Well, what would I need the Ironport for then?
    Share your thoughts. Give me a hint. Tell me the page in the manual I overlooked.
    Cheers
    Henrik

    Create a sender group under the Host Access Table to cover the IP range of your provider's mail servers and then apply a mailflow policy with the DHAP set to an unlimited number of invalid recipients (in effect turns off DHAP for your provider's servers). The HAT is processed in the email pipeline before the LDAP acceptance. Once you have set that up - I would configure incoming relays to recognise your provider's mail servers so that the "real" host sender SBRS information can be used to determine spam messages more accurately.

  • AD Query String for Group Membership

    Hi
    I have found that inbound mail to distribution groups (Ex07) is not being delivered. Running a trace, I am seeing they are failing on LDAP match. I tracked it down to the group query not working. We are using the default query. Running a test, it fails. I think that is the problem. I can mail the group internally just fine.
    Anyone have a good query string that will check for distribution groups? Below is the query being used. Thanks for the help.
    (&(memberOf={g})(proxyAddresses=smtp:{a}))

    Can you go to the LDAP section and provide all the fields that are relevant?
    I'll need the LDAP configuration fields (minus the password of course) and what you're using for the LDAP Accept.
    Well I opened a ticket with support, and it appears that I have them stumped. From what they tell me it isn't the ldap group query that is failing, but rather the ldap accept query failing.
    Sending to the group does work internally so it looks like ldap is good with the proxy address, but ironport is failing on the query.
    Snippet from trace:
    Envelope Recipient Processing
    Envelope Recipient: [email protected]
    LDAP Accept Lookup: Result: failed
    Default Domain Processing: No Change
    Domain Map Processing: No Change
    Recipient Access Table Processing: Behavior: ACCEPT Matched On: [email protected]
    Alias Expansion: No Change
