How to configure LDAP Authentication for Incoming SMTP Traffic

I have a problem with backscatter RBL. I have an SMTP server which relays all mail to my 2 Exchange servers on different domains. This SMTP server is the one sending the NDRs. Thus, I ended up on backscatter.

I was wondering how can I configure LDAP to query the 2 different domains from this single server?

I need to query AD and the valid email addresses on the SMTP server. Unfortunately I cannot have mail arrive directly at Exchange.

My SMTP server is not part of any domain. It simply forwards mail to my Exchange servers on separate domains.

thx
t
tobe1424Asked:

Simon Butler (Sembee)ConsultantCommented:
What is the SMTP server? You can certainly query using LDAP, but it depends on what you are using as the SMTP gateway as to whether it can be done natively or needs a third party tool.

Simon.
0
Daniel HelgenbergerCommented:
Hello,

please tell us more about the relaying MTA! When you say Linux, I suppose it is Postfix?

If so, you have to set up alias domains and a users.cf. This could look like this in your main.cf:
virtual_mailbox_domains = example.com, example.org, example.net
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

Then create these files, ldap-users.cf and ldap-aliases.cf:
cat /etc/postfix/ldap-users.cf
server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
query_filter = (&(objectClass=user)(mail=%s))
result_attribute = mail

cat /etc/postfix/ldap-aliases.cf
server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail

The important parts are the query filters; the examples above are for AD. Also, you need to make sure the LDAP connection is working correctly (firewall?). Set up a user which does the binds and use SSL-encrypted connections.

Also, it would make sense to set up all the rest of the filtering like RBLs already in your relaying MTAs if you start with address filtering (there you can set up greylisting, which you can't with Exchange, for instance!)

I did set this up a while ago, using the Zarafa guide for Postfix; it worked right away. Just ignore all the Zarafa-specific stuff, esp. the virtual_transport:
http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html/_MTAIntegration.html#_configure_zcp_postfix_integration_with_active_directory
0
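As an added example (not code from the thread or from the Zarafa guide), here is a small Python model of what the two Postfix LDAP tables above do at RCPT TO time, extended to the two-forest case the question asks about. It assumes one table per forest, each restricted with the `domain` parameter of ldap_table(5), so a single gateway sends each forest only its own lookups and rejects unknown recipients before accepting the message, which is what stops the NDRs. The hostnames dc01.contoso.local and dc01.prontoso.local, the users, aliases and recipient addresses are constructed, and the in-memory `DIRECTORIES` dict stands in for a real bind and search against AD. It also shows why Postfix's RFC 4515 quoting of the `%s` expansion matters: an unquoted `*` in a recipient would turn the equality filter into a wildcard match.

```python
"""Model of Postfix-style LDAP recipient validation for a two-forest gateway.

Added example, not code from the thread or the Zarafa guide. Hostnames,
users, aliases and recipient addresses are constructed; the in-memory
DIRECTORIES dict stands in for a bind + search against each AD forest.
"""
import re

# Constructed stand-in for two AD forests, keyed by the server_host each
# Postfix ldap table would point at. Entries carry only the attributes the
# thread's query filters inspect (objectClass, mail, otherMailbox).
DIRECTORIES = {
    "dc01.contoso.local": [
        {"objectClass": "user", "mail": "alice@contoso.com", "otherMailbox": []},
        {"objectClass": "user", "mail": "bob@contoso.com",
         "otherMailbox": ["robert@contoso.com"]},
    ],
    "dc01.prontoso.local": [
        {"objectClass": "user", "mail": "carol@prontoso.com", "otherMailbox": []},
    ],
}

# One entry per ldap:/etc/postfix/*.cf table. "domain" is the real
# ldap_table(5) parameter that limits a table to the listed domains, which
# is how a single gateway can route each forest only its own lookups.
TABLES = [
    {"server_host": "dc01.contoso.local", "domain": {"contoso.com"},
     "query_filter": "(&(objectClass=user)(mail=%s))"},
    {"server_host": "dc01.contoso.local", "domain": {"contoso.com"},
     "query_filter": "(&(objectClass=user)(otherMailbox=%s))"},
    {"server_host": "dc01.prontoso.local", "domain": {"prontoso.com"},
     "query_filter": "(&(objectClass=user)(mail=%s))"},
]

# Filter shape used in the thread: (&(objectClass=X)(attr=value))
FILTER_RE = re.compile(r"^\(&\(objectClass=(\w+)\)\((\w+)=(.*)\)\)$")


def ldap_escape(value):
    """RFC 4515 quoting of filter metacharacters, as Postfix applies to %s."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def ldap_unescape(value):
    """Reverse of ldap_escape (\\2a -> '*', and so on)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template, address):
    """Expand Postfix's %s (whole key), %u (local part) and %d (domain)."""
    local, _, domain = address.partition("@")
    return (template.replace("%s", ldap_escape(address))
                    .replace("%u", ldap_escape(local))
                    .replace("%d", ldap_escape(domain)))


def _assertion_matches(pattern, actual):
    """Evaluate one LDAP assertion value: a raw '*' is a substring wildcard,
    an escaped one (\\2a) is literal. AD compares mail case-insensitively."""
    pieces = [re.escape(ldap_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.IGNORECASE) is not None


def lookup(server_host, ldap_filter, result_attribute="mail"):
    """Toy search over the constructed directory for the filter shape above."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    object_class, attr, pattern = m.groups()
    hits = []
    for entry in DIRECTORIES[server_host]:
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if entry["objectClass"] == object_class and any(
                _assertion_matches(pattern, v) for v in values):
            hits.append(entry[result_attribute])
    return hits


def resolve_recipient(address):
    """Return the mailbox a recipient maps to, or None if no table knows it.
    A table is consulted only when the recipient's domain is in its list."""
    domain = address.rpartition("@")[2].lower()
    for table in TABLES:
        if domain in table["domain"]:
            hits = lookup(table["server_host"],
                          expand_filter(table["query_filter"], address))
            if hits:
                return hits[0]
    return None


def rcpt_verdict(address):
    """SMTP reply the gateway gives at RCPT TO, before taking the message:
    rejecting unknown users here means no NDR (backscatter) is ever sent."""
    domain = address.rpartition("@")[2].lower()
    if not any(domain in t["domain"] for t in TABLES):
        return (554, "Relay access denied")
    if resolve_recipient(address) is None:
        return (550, "Recipient address rejected: User unknown")
    return (250, "OK")
```

The alias table resolves robert@contoso.com to bob@contoso.com through otherMailbox, exactly as the ldap-aliases.cf above does with result_attribute = mail. Calling `lookup()` directly with an unquoted filter such as `(&(objectClass=user)(mail=*@contoso.com))` returns every user in the forest, which is why the recipient must always pass through the quoted `%s` expansion rather than being spliced into a filter by hand.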
tobe1424Author Commented:
Thanks for the feedback. I mentioned Linux in the tags just for fun. Although I do maintain Linux servers, we have no Linux server in this scenario.


The SMTP server is where my MX record points to. This Windows 2003 server relays incoming mail to one of my two domains: the contoso.com Exchange server or the prontoso.com Exchange box.

The only SMTP configs I see on this server reside in IIS 6.0. There is an SMTP virtual server in here which relays traffic to my Exchange domains.

I have never implemented any LDAP solutions, so I am a bit confused as to how to carry on.
0

Simon Butler (Sembee)ConsultantCommented:
IIS cannot do LDAP lookup on its own. Therefore you will either need to change the MTA, or use a third party tool. Vamsoft ORF can do LDAP lookup as part of its feature set and most standalone antispam appliances should be able to do the same thing as well. However I don't know how well they will cope with multiple domains going to different forests.

Simon.
0
tobe1424Author Commented:
Thanks again.

We have Symantec Mail Security for Exchange (SMSMSE 6.5). I think if the mail hits my Exchange server first instead of hitting the MTA and then Exchange, the spam engine and recipient filtering would be more effective.

I suppose I can dedicate an IP to this Exchange server if I have one available.

Would Vamsoft ORF support multi-forest domains? I wonder if SMSME would.
0
Daniel HelgenbergerCommented:
I think you need to change the MTA. Maybe set up Postfix for your needs; might be fun ;)
0
tobe1424Author Commented:
Hmm, I see. I sort of need a quicker solution. Are you saying to get rid of my server (MTA) that relays mail to Exchange, then set up a Linux box to handle Postfix?
0
tobe1424Author Commented:
We need to implement a Microsoft solution. No Linux unfortunately; not my call.


In short, I have Exchange 2003, so perhaps it's time to upgrade.

But is there anything else I may be able to do with my current equipment, that does not involve the need to purchase third party software to handle LDAP?

Also, I've heard of LDAP servers only being able to handle one domain at a time; please correct me if I am wrong.

thx
t
0
Simon Butler (Sembee)ConsultantCommented:
I have just checked Vamsoft ORF and it can only work with one domain at a time.
It can also work with text files, but that will be a pain to manage.

Ultimately you are looking at one of two options.
1. Separate out the email relay so that each domain has its own. That will require a second IP address. Then you can have two servers doing the job.
2. Use something else as an MTA.

You could look at ASSP, but I don't know if that will do multiple LDAPs or not. It will run on Windows.
http://sourceforge.net/projects/assp/

Simon.
0
Daniel HelgenbergerCommented:
But if you use Exchange and do have to use MS, why not do it the supposed way and install Edge Transport? Here is a guide for Exchange 2007; it works the same in Exchange 2010 but was scrapped from Exchange 2013:
http://www.techrepublic.com/article/configuring-exchange-2007-to-be-an-edge-transport-server/
0
Simon Butler (Sembee)ConsultantCommented:
I don't think the Edge role can do recipient filtering for two completely independent forests. It can do recipient filtering and can forward the email off, but not do recipient validation.

Plus it is a very expensive way of doing things; an Exchange licence for Edge is a waste of money in my opinion.

Simon.
0
tymesCommented:
The bigger problem is that you're accepting mail and then forwarding it somewhere that rejects it?

If you really wanted, you could have scripts that run when the users change (someone is added or removed) and export the users to the IIS SMTP server so it only accepts valid recipients; the LDAP is just something to make it live. But even if you did that, I don't know if that would prevent your backscatter.

I would like you to check a couple of dozen things backscattering and check if they are users or not, because if they are users then LDAP would not fix anything. What you really probably need is to filter messages before you accept them. I actually imagine that legitimate users are getting spam that you're rejecting and those valid recipients are producing the backscatter, rather than a small amount of non-users that you want to filter away via some LDAP solution.

So, I would absolutely get rid of the stupid SMTP relay and get a second IP so each server gets the messages directly, but I wouldn't even do that. I'd remove any internal mail filter or virus checking and outsource to FrontBridge or Postini (well, neither of those two idiots) or whomever externally; there are dozens of options.

Otherwise ASSP as mentioned above is a superior option. What you need is something to block messages before they enter your network, and you absolutely must get rid of the stupid IIS SMTP relay regardless of LDAP or not.


Hmm, if you're desperate for LDAP you could write a "CDOSYS SMTP Event Sink" (google it) that acts like a proxy to validate addresses via LDAP or SMTP before accepting them. I wrote one years ago to add disclaimers to all messages travelling through an IIS SMTP relay, but that may be re-inventing the wheel and is probably a bit of work.
0

tobe1424Author Commented:
Hello tymes, thanks for the input.

Indeed, you highlighted my issue:

"I would like you to check a couple of dozen things backscattering and check if they are users or not, because if they are users then LDAP would not fix anything. What you really probably need is to filter messages before you accept them. I actually imagine that legitimate users are getting spam that you're rejecting and those valid recipients are producing the backscatter, rather than a small amount of non-users that you want to filter away via some LDAP solution."

That is the only reason I am interested in LDAP. Plus, I do have a vacant IP.

I guess my final question would be if Symantec Mail Security for Microsoft Exchange (SMSME), which we already own, would be better than Vamsoft ORF?
0
Simon Butler (Sembee)ConsultantCommented:
In my experience, running nothing at all is better than Symantec's products in general. The only good thing about Symantec is they bring me lots of business cleaning up the mess.

You need to check whether the product can do recipient validation or not. If it can, then use it; if it cannot, then you will have to use something else. Vamsoft ORF cannot do multiple separate domain validation, so you would either have to use two different servers (and IP addresses) or another product.

Simon.
0
tobe1424Author Commented:
Thanks, Simon.

I have SMSME on both of the Exchange servers, in separate forests.

I guess I will test by directing mail straight to my Exchange server, which is where the Symantec spam proxy resides. It catches tons of spam.

I just hope Exchange 2003 doesn't have any glitches.
0