Question:
How do I validate the recipients of inbound mail against Microsoft Active Directory (LDAP) using an LDAP accept query?
Note: The following example integrates with a standard Microsoft Active Directory deployment, although the principles can be applied to many types of LDAP implementations.
You will first create an LDAP server entry, at which point you must specify the directory server and the queries the Email Security Appliance will perform. Then you enable or apply the query on the incoming (public) listener. These LDAP server settings can be shared by different listeners and by other parts of the configuration (for example, end-user quarantine access).
To make it easier to configure LDAP queries on the IronPort appliance, we recommend using an LDAP browser so you can view your schema and all the attributes that can be queried.
For Microsoft Windows, you can use:
- Softerra's LDAP Browser
- Ldp
- Adsiedit
For Linux or UNIX, you can use the ldapsearch command.
First, you need to define the LDAP server to be queried. In this example, the nickname "PublicLDAP" is assigned to the LDAP server myldapserver.example.com. Queries are directed to TCP port 389 (the default).
Note: If your Active Directory implementation contains subdomains, you will not be able to query users in a subdomain using the base DN of the root domain. With Active Directory, however, you can also query LDAP against a Global Catalog (GC) server on TCP port 3268. The GC contains partial information about *all* objects in the Active Directory forest and provides referrals to the relevant subdomain when more information is needed. If users in a subdomain cannot be "found", keep the base DN at the root and set the IronPort to use the GC port.
GUI:
- Create a new LDAP server profile using the values found earlier from the directory server (System Administration > LDAP). For example:
- Server Profile Name: PublicLDAP
- Hostname: myldapserver.example.com
- Authentication Method: Use Password: Enabled
- Username: cn=ESA,cn=Users,dc=example,dc=com
- Password: password
- Server Type: Active Directory
- Port: 3268
- Base DN: dc=example,dc=com
Before continuing, make sure you validate your settings with the "Test Server" button. Successful output should look like this:
Connecting to myldapserver.example.com at port 3268
Bound successfully with DN CN=ESA,CN=Users,DC=example,DC=com
Result: succeeded
Use the same screen to define the LDAP accept query. The following example checks the recipient address against the most common attributes, namely "mail" and "proxyAddresses":
- Name: PublicLDAP.accept
- Query String: (|(mail={a})(proxyAddresses=smtp:{a}))
You can verify that the search query returns results for a valid account using the "Test Query" button. Successful output for a search on the service account address "esa.admin@example.com" should look like this:
Query results for host:myldapserver.example.com
Query (mail=esa.admin@example.com) to server PublicLDAP (myldapserver.example.com:3268)
Query (mail=esa.admin@example.com) lookup success, (myldapserver.example.com:3268) returned 1 results
Success: Action: Pass
- Apply this new accept query to the inbound listener (Network > Listeners). Expand the LDAP Queries > Accept option and select your query, PublicLDAP.accept.
- Finally, commit your changes to enable these settings.
CLI:
- First, use the ldapconfig command to define the LDAP server(s) the appliance binds to and to configure the recipient acceptance (ldapaccept subcommand), routing (ldaprouting subcommand) and masquerading (masquerade subcommand) queries.
mail3.example.com> ldapconfig
No LDAP server configurations.
Choose the operation you want to perform:
- NEW - Create a new server configuration.
[]> new
Please create a name for this server configuration (Ex: "PublicLDAP"):
[]> PublicLDAP
Please enter the hostname:
[]> myldapserver.example.com
Use SSL to connect to the LDAP server? [N]> n
Please enter the port number:
[389]> 389
Please enter the base:
[dc=example,dc=com]> dc=example,dc=com
Select the authentication method to use for this server configuration:
1. Anonymous
2. Password based
[1]> 2
Please enter the bind username:
[cn=Anonymous]> cn=ESA,cn=Users,dc=example,dc=com
Please enter the bind password:
[]> password
Name: PublicLDAP
Hostname: myldapserver.example.com Port 389
Authentication Type: password
Base:dc=example,dc=com
- Second, you need to define the queries to run against the LDAP server you just configured.
Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
[]> ldapaccept
Please create a name for this query:
[PublicLDAP.ldapaccept]> PublicLDAP.ldapaccept
Enter the LDAP query string:
[(mailLocalAddress={a})]> (|(mail={a})(proxyAddresses=smtp:{a}))
Please enter the cache TTL in seconds:
[900]>
Please enter the maximum number of cache entries to retain:
[10000]>
Do you want to test this query? [Y]> n
Name: PublicLDAP
Hostname: myldapserver.example.com Port 389
Authentication Type: password
Base:dc=example,dc=com
LDAPACCEPT: PublicLDAP.ldapaccept
- Once the LDAP queries are configured, the LDAP accept policy must be applied to the inbound listener.
example.com> listenerconfig
Currently configured listeners:
1. Inboundmail (on PublicNet, 192.168.2.1) SMTP TCP Port 25 Public
2. Outboundmail (on PrivateNet, 192.168.1.1) SMTP TCP Port 25 Private
Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit
Enter the name or number of the listener you wish to edit.
[]> 1
Name: InboundMail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: Default
Use SenderBase For Reputation Filters and IP Profiling: Yes
Footer: None
LDAP: Off
Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- RCPTACCESS - Modify the Recipient Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure an LDAP query to reroute messages.
[]> ldapaccept
Available Recipient Acceptance Queries
1. None
2. PublicLDAP.ldapaccept
[1]> 2
Should the recipient acceptance query drop recipients or bounce them?
NOTE: Directory Harvest Attack Prevention may cause recipients to be
dropped regardless of this setting.
1. bounce
2. drop
[2]> 2
Name: InboundMail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain Map: Disabled
TLS: No
SMTP Authentication: Disabled
Bounce Profile: Default
Use SenderBase For Reputation Filters and IP Profiling: Yes
Footer: None
LDAP: ldapaccept (PublicLDAP.ldapaccept)
- To activate the changes made to the listener, commit the changes.
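As an added example that is not part of the Cisco article, the following Python script reproduces the accept query configured in both the GUI and CLI sections above without an AD server: it substitutes a recipient for {a} with RFC 4515 escaping and evaluates the two-term OR filter against a constructed set of Active Directory-style entries, returning Pass or the listener's configured drop/bounce action. The directory contents, the helper names and the escaping step are assumptions made for illustration.

```python
# Added example (not from the Cisco article): offline model of the ESA accept
# query (|(mail={a})(proxyAddresses=smtp:{a})) and of the listener decision.
from typing import Dict, List

ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"  # query string from the article


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter (assumed step).
    Without it a recipient such as 'x)(mail=*' would rewrite the filter itself."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(recipient: str) -> str:
    """Substitute the recipient address for the {a} placeholder."""
    return ACCEPT_QUERY.replace("{a}", escape_filter_value(recipient))


# Constructed AD-style entries: proxyAddresses values carry an 'SMTP:' prefix,
# upper case marks the primary address, and AD matches both attributes
# case-insensitively, which is what the evaluator below mimics.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"mail": ["esa.admin@example.com"],
     "proxyAddresses": ["SMTP:esa.admin@example.com", "smtp:postmaster@example.com"]},
    {"mail": ["alice@sub.example.com"],
     "proxyAddresses": ["SMTP:alice@sub.example.com", "smtp:a.liu@example.com"]},
]


def matches(entry: Dict[str, List[str]], recipient: str) -> bool:
    """Evaluate the two OR terms of the accept query against one entry."""
    r = recipient.lower()
    if any(v.lower() == r for v in entry.get("mail", [])):
        return True
    return any(v.lower() == "smtp:" + r for v in entry.get("proxyAddresses", []))


def accept_decision(recipient: str, action: str = "drop") -> str:
    """Return 'Pass' when the query finds at least one entry, otherwise the
    listener's configured action for unknown recipients ('drop' or 'bounce')."""
    hits = sum(1 for entry in DIRECTORY if matches(entry, recipient))
    return "Pass" if hits else action


if __name__ == "__main__":
    print(build_filter("esa.admin@example.com"), accept_decision("esa.admin@example.com"))
```

Testing the same filter against the real server with ldapsearch is the quickest way to confirm that a recipient the appliance drops is genuinely absent from both attributes rather than only mis-cased or listed under a subdomain the base DN does not cover.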