
IronPort accessing LDAP server in suspicious behaviour

mizwan.saib-c
Level 1

Hi Cisco Support Community,

We found that connections between IronPort and the LDAP server through port 3268 suddenly spiked. This anomaly is still happening now.

System status shows that there is no spike in e-mail sending and receiving activity that may have caused the above issue.

Kindly advise us how to troubleshoot this issue.

Thanks

2 Replies

That connection gets used when it needs to look up email addresses for inbound mail to see if they're valid addresses.

If the LDAP query on the inbound listener is set to happen in the SMTP conversation, and NOT the Work Queue, you won't see the message counters go up, as it kills the connection before the message is completely received.

Hi Ken Stieers,

Thank you for your response. Any suggestion to verify this is legitimate activity?

One more question: let's say in an e-mail there is a CC list containing 10 recipients. Will IronPort refer to the LDAP server for each of these recipients? And if yes, is each validation process considered one connection to LDAP?