Question
How do you use LDAP Accept Query to validate the sender of relayed messages?
WARNING: An LDAP Accept Query can only be run against the envelope 'Mail From' address if the message arrives on a Public Listener; a Private Listener does not support LDAP Accept Queries. The LDAP Accept Query is applied only to inbound connections, so the 'Connection Behavior' of the Mail Flow Policy must NOT be set to Relay for this setup to work.
Below are the steps needed to set up LDAP Accept Query sender validation:
- To allow or deny internal senders relaying out to the Internet, depending on whether their mail address exists in the LDAP directory, your Private Listener has to be replaced with a Public Listener. In this example the new Public Listener is named "Outbound_Sender_Validation".
- Create a new LDAP Server Profile and set up an LDAP Accept Query for this profile. To get the LDAP Accept Query to validate the envelope Mail From address rather than the recipient, replace {a} (the envelope recipient) with {f} (the envelope sender) in the query string. Details on how to configure and use LDAP can be found in the Advanced User Guide.
Example: (mail={a}) => (mail={f})
- Enable the configured LDAP Accept Query on the "Outbound_Sender_Validation" Listener.
- Go to "Mail Policies > Recipient Access Table (RAT)" and switch to the new Public Listener, "Outbound_Sender_Validation". To allow relaying, set "All Other Recipients" to Accept, and ensure that this is the only entry in the RAT.
- Go to the "HAT Overview" and switch to the "Outbound_Sender_Validation" Listener. Here, you only need one Sender Group. To avoid creating an open mail relay, set up this Sender Group to match only the IP addresses of the MTA(s) that are allowed to relay.
- It is important that the 'Connection Behavior' of the assigned Mail Flow Policy is NOT set to Relay, as that would disable the LDAP Accept Query.
- To ensure that no other MTA(s) can connect via the "Outbound_Sender_Validation" Listener, set the Policy of the default "ALL" Sender Group to BLOCKED.
What Is Seen In The Logs
WARNING: With this setup, the rejection does not happen until the envelope Rcpt To address has been received, because the LDAP Accept Query was originally intended for recipient rather than sender validation. This also shows up in the mail logs, where the LDAP reject is recorded on the same line as the recipient address:
Wed Feb 18 16:16:19 2009 Info: New SMTP ICID 2643 interface Management (10.0.0.100) address 10.0.0.200 reverse dns host unknown verified no
Wed Feb 18 16:16:19 2009 Info: ICID 2643 ACCEPT SG RELAY_HOSTS match 10.0.0.200 rfc1918
Wed Feb 18 16:16:32 2009 Info: Start MID 2554 ICID 2643
Wed Feb 18 16:16:32 2009 Info: MID 2554 ICID 2643 From: <do_not_exist@example.test>
Wed Feb 18 16:16:39 2009 Info: MID 2554 ICID 2643 To: <good_user@example.com> Rejected by LDAPACCEPT
Wed Feb 18 16:17:14 2009 Info: ICID 2643 close
Reading this log entry, you could easily assume that the rejected address is 'good_user@example.com', when in fact it is 'do_not_exist@example.test' that was rejected.
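Because the reject is logged against the recipient, anyone reviewing mail_logs for a sender-validation listener needs to look back at the From: line of the same MID to find the address the query actually rejected. The script below is an added example, not Cisco's code and not part of the original article: it walks log lines of the form shown above, remembers the envelope sender per MID, and for every "Rejected by LDAPACCEPT" line reports the rejected sender together with the query string the {f} template would have been expanded to. The sample log is constructed from the lines quoted in the article; the ldap_escape helper models RFC 4515 filter escaping and is an assumption about how the appliance treats special characters in the envelope sender, not its documented behaviour.

```python
"""Correlate ESA mail_logs 'Rejected by LDAPACCEPT' lines with the envelope sender.

Added example, not part of the original article and not Cisco's code. On a
listener set up for sender validation ({f} in the query), the reject is logged
on the To: line, so the script joins it back to the From: line of the same MID.
"""
import re

# Constructed sample: the article's log excerpt, one event per line.
SAMPLE_LOG = """\
Wed Feb 18 16:16:19 2009 Info: New SMTP ICID 2643 interface Management (10.0.0.100) address 10.0.0.200 reverse dns host unknown verified no
Wed Feb 18 16:16:19 2009 Info: ICID 2643 ACCEPT SG RELAY_HOSTS match 10.0.0.200 rfc1918
Wed Feb 18 16:16:32 2009 Info: Start MID 2554 ICID 2643
Wed Feb 18 16:16:32 2009 Info: MID 2554 ICID 2643 From: <do_not_exist@example.test>
Wed Feb 18 16:16:39 2009 Info: MID 2554 ICID 2643 To: <good_user@example.com> Rejected by LDAPACCEPT
Wed Feb 18 16:17:14 2009 Info: ICID 2643 close
"""

FROM_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
TO_RE = re.compile(r"MID (\d+) ICID (\d+) To: <([^>]*)>(.*)$")


def ldap_escape(value):
    """Escape a value for use inside an RFC 4515 filter assertion.

    Assumption: this models the escaping the appliance must apply before
    substituting {f}/{a}; it is not Cisco's implementation.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_query(template, sender, recipient):
    """Fill the ESA query template: {f} is the envelope sender, {a} the envelope recipient."""
    return template.replace("{f}", ldap_escape(sender)).replace("{a}", ldap_escape(recipient))


def find_ldapaccept_rejects(log_text, template="(mail={f})"):
    """Return one record per 'Rejected by LDAPACCEPT' line.

    Each record names the envelope sender the sender-validation query evaluated,
    the recipient the log line shows, and the expanded query string.
    """
    senders = {}  # MID -> envelope sender seen on that MID's From: line
    rejects = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(3)
            continue
        m = TO_RE.search(line)
        if m and "Rejected by LDAPACCEPT" in m.group(4):
            mid, icid, rcpt = m.group(1), m.group(2), m.group(3)
            sender = senders.get(mid)  # None if the From: line was not seen
            rejects.append({
                "mid": mid,
                "icid": icid,
                "logged_recipient": rcpt,
                "rejected_sender": sender,
                "query": expand_query(template, sender or "", rcpt),
            })
    return rejects


if __name__ == "__main__":
    for r in find_ldapaccept_rejects(SAMPLE_LOG):
        print("MID %s: query %s rejected sender %s (log line shows recipient %s)"
              % (r["mid"], r["query"], r["rejected_sender"], r["logged_recipient"]))
```

Run it against a saved mail_logs export by passing the file contents to find_ldapaccept_rejects(); the default template is the {f} form from the article, and a recipient-validation listener can be checked the same way by passing "(mail={a})". The escaping helper is there as a reminder that the envelope sender is attacker-controlled input to an LDAP filter, which is why it is worth confirming on the appliance that special characters in MAIL FROM cannot alter the query.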