Robert Perez-Corona (United States of America) asked:
How to configure LDAP Authentication for Incoming SMTP Traffic

I have a problem with a backscatter RBL. I have an SMTP server which relays all mail to my 2 Exchange servers on different domains. This SMTP server is the one sending the NDRs. Thus, I ended up on backscatter.

I was wondering how can I configure LDAP to query the 2 different domains from this single server?

I need to query AD and the valid email addresses on the SMTP server. Unfortunately I cannot have mail arrive direct to exchange.

My SMTP server is not part of any domain. It simply forwards mail to my Exchange servers on separate domains.

thx
t
Simon Butler (Sembee), United Kingdom:

What is the SMTP server? You can certainly query using LDAP, but it depends on what you are using as the SMTP gateway as to whether it can be done natively or needs a third party tool.

Simon.
Hello,

Please tell us more about the relaying MTA! When you say Linux, I suppose it is Postfix?

If so, you have to set up alias domains and a users.cf. This could look like this in your main.cf:
virtual_mailbox_domains = example.com, example.org, example.net
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

Then create these files, ldap-users.cf and ldap-aliases.cf:
cat /etc/postfix/ldap-users.cf
# domain controller to query
server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
# account used for the bind (read-only rights are enough)
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
# %s is replaced by the recipient address being looked up
query_filter = (&(objectClass=user)(mail=%s))
result_attribute = mail

cat /etc/postfix/ldap-aliases.cf
# same server and bind account as above
server_host = 192.168.0.100
search_base = ou=Users,dc=example,dc=local
version = 3
bind = yes
bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
bind_pw = secret
scope = sub
# look up secondary addresses and return the primary mailbox address
query_filter = (&(objectClass=user)(otherMailbox=%s))
result_attribute = mail

The important parts are the query filters; the examples above are for AD. Also, you need to make sure the LDAP connection is working correctly (firewall?). Set up a user which does the binds and use SSL-encrypted connections.

Also, it would make sense to set up all the rest of the filtering like RBLs already in your relaying MTAs if you start with address filtering (there you can set up greylisting, which you can't with Exchange, for instance!)

I did set this up a while ago, using the Zarafa guide for Postfix; it worked right away. Just ignore all the Zarafa-specific stuff, esp. the virtual_transport:
http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html/_MTAIntegration.html#_configure_zcp_postfix_integration_with_active_directory
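Added example, not from this answer or from the Zarafa guide: a small Python model of how Postfix consults two ldap_table(5) files, one per forest, for a recipient lookup. It shows the `domain` parameter steering each lookup to the forest that owns that domain, and the RFC 2254 escaping Postfix applies to `%s`, so a recipient address cannot alter the filter. Server names, directory contents and the in-memory search are constructed stand-ins for real domain controllers.

```python
import re
# Constructed example: two Postfix ldap_table(5) files, one per forest.
# "domain" restricts each map to one recipient domain, so only that forest is queried.
CONTOSO_CF = """
server_host = dc1.contoso.example
domain = contoso.com
query_filter = (&(objectClass=user)(mail=%s))
result_attribute = mail
"""
PRONTOSO_CF = CONTOSO_CF.replace("contoso", "prontoso")
# Constructed directory contents keyed by server_host (stand-in for each AD forest).
DIRECTORIES = {
    "dc1.contoso.example": [{"objectClass": "user", "mail": "alice@contoso.com"}],
    "dc1.prontoso.example": [{"objectClass": "user", "mail": "bob@prontoso.com"}],
}

def parse_cf(text):
    """Parse the 'key = value' lines of a Postfix ldap table file."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def ldap_escape(value):
    """RFC 2254 escaping, which Postfix applies to %s before substitution."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(cfg, address):
    return cfg["query_filter"].replace("%s", ldap_escape(address))

def fake_search(entries, ldap_filter):
    """Evaluate an AND of equality clauses such as (&(objectClass=user)(mail=x))."""
    clauses = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    unescape = lambda v: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), v)
    return [e for e in entries
            if all(e.get(a, "").lower() == unescape(v).lower() for a, v in clauses)]

def recipient_exists(maps, address):
    """True if a map whose 'domain' matches the recipient returns an entry."""
    domain = address.rpartition("@")[2].lower()
    for cfg in maps:
        if "domain" in cfg and domain not in cfg["domain"].lower().replace(",", " ").split():
            continue  # Postfix skips this map: no query reaches the other forest
        if fake_search(DIRECTORIES[cfg["server_host"]], build_filter(cfg, address)):
            return True
    return False  # unknown recipient: reject at RCPT TO rather than bounce later
MAPS = [parse_cf(CONTOSO_CF), parse_cf(PRONTOSO_CF)]
```

Because the relay rejects unknown recipients during the SMTP session, it never accepts the message and therefore never generates the NDR that lands it on a backscatter list.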
Robert Perez-Corona (ASKER):

Thanks for the feedback. I mentioned Linux in the tags just for fun.. although I do maintain Linux servers, we have no Linux server in this scenario.


The SMTP server is where my MX record points to. This Windows 2003 server relays incoming mail to one of my two domains: the contoso.com Exchange server or the prontoso.com Exchange box.

The only SMTP configs I see on this server reside in IIS 6.0. There is an SMTP virtual server in here which relays traffic to my Exchange domains.

I have never implemented any LDAP solutions, so I am a bit confused as to how to carry on..
IIS cannot do LDAP lookups on its own. Therefore you will either need to change the MTA or use a third-party tool. Vamsoft ORF can do LDAP lookup as part of its feature set, and most standalone antispam appliances should be able to do the same thing as well. However, I don't know how well they will cope with multiple domains going to different forests.

Simon.
Thanks again.

We have Symantec Mail Security for Exchange on (smsmse 6.5). I think if the mail hits my Exchange server first instead of hitting the MTA, then Exchange, the spam engine and recipient filtering would be more effective.

I suppose I can dedicate an IP to this Exchange if I have one available.

Would Vamsoft ORF support multi-forest domains? I wonder if SMSME would..
I think you need to change the MTA. Maybe set up Postfix for your needs; might be fun ;)
Hmm, I see.. I sort of need a quicker solution. Are you saying to get rid of my server (MTA) that relays mail to Exchange? Then set up a Linux box to handle Postfix?
We need to implement a Microsoft solution. No Linux unfortunately - not my call.


In short, I have Exchange 2003.. so perhaps it's time to upgrade.

But is there anything else I may be able to do with my current equipment that does not involve the need to purchase third-party software to handle LDAP?

Also, I've heard of LDAP servers only being able to handle one domain at a time - please correct me if I am wrong.

thx
t
I have just checked Vamsoft ORF and it can only work with one domain at a time.
It can also work with text files, but that will be a pain to manage.

Ultimately you are looking at one of two options.
1. Separate out the email relay so that each domain has its own. That will require a second IP address. Then you can have two servers doing the job.
2. Use something else as an MTA.

You could look at ASSP, but I don't know if that will do multiple LDAPs or not. It will run on Windows.
http://sourceforge.net/projects/assp/

Simon.
But if you use Exchange and do have to use MS, why not do it the supposed way and install Edge Transport? Here is a guide for Exchange 2007; it works the same in Exchange 2010 but was scrapped from Exchange 2013:
http://www.techrepublic.com/article/configuring-exchange-2007-to-be-an-edge-transport-server/
I don't think the Edge role can do recipient filtering for two completely independent forests. It can do recipient filtering and can forward the email off, but not do recipient validation.

Plus it is a very expensive way of doing things - an Exchange licence for Edge is a waste of money in my opinion.

Simon.
ASKER CERTIFIED SOLUTION
tymes (Canada)
Hello tymes - ee, thanks for the input..

Indeed, you highlighted my issue..

"I would like you to check a couple of dozen things backscattering and check if they are users or not, because if they are users then LDAP would not fix anything... what you really probably is need to filter messages before you accept them.  I actually imagine that legitimate users are getting spam that you're rejecting and those valid recipients are producing the backscatter rather than a small amount of non-users that you want to filter away via some LDAP solution."

..which is the only reason I am interested in LDAP. Plus, I do have a vacant IP.

I guess my final question would be if Symantec Mail Security for Microsoft Exchange (SMSME), which we already own, would be better than Vamsoft ORF?
SOLUTION
Thanks, Simon.

I have SMSME on both of the Exchange servers - separate forests.

I guess I will test by directing mail straight to my Exchange server, which is where the Symantec spam proxy resides.. it catches tons of SPAM..

..I just hope Exchange 2003 doesn't have any glitches.