Ironport Content Filter: Match sender to LDAP Group

florian.burger
Level 1

Dear community,

I want to create a content filter, which adds a text footer to an email, if the sender is in an existing LDAP group. The content filter itself is no problem.

I just need to know how I have to put in the group name for the condition "envelope sender matches ldap group".

I already tried to put in the displayname of the group, I tried with "cn=group" and also "cn=group,OU=company,DC=company,DC=local".

I have a ldap-query where the group query delivers a positive match with the query "(&(memberOf={g})(proxyAddresses=SMTP:{a}))"

Any help would be appreciated!

Kind regards

Florian


jkoenemann
Level 1

+1 for having the same issue with Group Queries. Accept Queries are currently working, however group queries are failing when testing. Also new emails not cached in prior lookups are falling outside of content policies. 

As in new users aren't getting picked up by the LDAP query?
In your LDAP config, there's an "Advanced" entry that will allow you to tweak the cache TTL.
You can also tweak how it talks to your LDAP servers.

I'm just guessing here, but if I remember right, it's case sensitive.
Your group name should have all of the CN/OU/DC in caps? Or an exact match with whatever is in AD.
Open ADUC, click on View/Advanced Features, go to the group in the OU (search results won't show it).
Open the group, click on the Attribute Editor tab and find the distinguishedName field, copy and paste its contents into the filter on the ESA.


Hi Ken,

thanks for your reply. I'm not sure if I wrote it right in my first post. I think I already put the distinguishedName in caps / copy/pasted it from AD attributes. I repeated it a few minutes ago but it still does not work.

Are there any other suggestions?

Kind regards

Florian

So, I tried to test it, and at first glance it failed... because I'd forgotten to enable it in an incoming policy... 

So, have you verified that you added it to a policy, and that there isn't a content filter with a "Skip Remaining Content Filters" above it?

 

 

The filter is added to a policy. I see that the filter does not get hit, because the next filter gets hit. We have several content filters that add disclaimers to our emails. We have a working filter that adds our default disclaimer to all outgoing emails. I placed a filter above that, which should add a modified disclaimer. So I think the "logical" aspects should be ok. The filter also works if I put in my email-address instead of the group name.

Hey Florian...
Yep, I was just covering the bases...
Go to log subscriptions and set the LDAP logging to debug. Let that sit a minute or 2, then send some mail in...
Let's see if that tells us anything.
Ken

Hi Ken,

the log was already set up as debug-log. I found this one line that seems to fit my problem:

Thu Mar 10 08:25:57 2022 Critical: LDAP: Listener OutgoingMail does not reference a valid group query, comparison in filter will evaluate as false

So I took a look at the listener settings and at the bottom I found an option in the advanced settings, where I was able to define the LDAP group query. After that my group query worked as expected.

Thank you very much for your help!

Kind regards

Florian
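
Added example (not part of any post above and not Cisco code): a small Python check that scans LDAP log text for the Critical line quoted in the thread and reports which listeners have no valid group query, since on those listeners a group-based filter condition evaluates as false without any other sign. The pattern is derived only from that one quoted line; the function name, the listener name "IncomingMail" and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern derived only from the one log line quoted in the thread.
MISSING_GROUP_QUERY = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<level>\w+): LDAP: Listener (?P<listener>\S+) "
    r"does not reference a valid group query"
)

# Constructed sample input. Line 1 is the line from the thread; the other
# lines, including the listener name "IncomingMail", are made up for the demo.
SAMPLE_LOG = """\
Thu Mar 10 08:25:57 2022 Critical: LDAP: Listener OutgoingMail does not reference a valid group query, comparison in filter will evaluate as false
Thu Mar 10 08:26:03 2022 Info: LDAP: constructed unrelated line
Thu Mar 10 08:31:12 2022 Critical: LDAP: Listener OutgoingMail does not reference a valid group query, comparison in filter will evaluate as false
Thu Mar 10 08:40:45 2022 Critical: LDAP: Listener IncomingMail does not reference a valid group query, comparison in filter will evaluate as false
"""


def listeners_missing_group_query(lines):
    """Map each affected listener to its hit count and first/last timestamp."""
    seen = defaultdict(list)
    for line in lines:
        match = MISSING_GROUP_QUERY.match(line.strip())
        if match is None:
            continue  # any other LDAP log line
        stamp = datetime.strptime(match["ts"], "%a %b %d %H:%M:%S %Y")
        seen[match["listener"]].append(stamp)
    return {
        name: {"count": len(stamps), "first": min(stamps), "last": max(stamps)}
        for name, stamps in seen.items()
    }


if __name__ == "__main__":
    report = listeners_missing_group_query(SAMPLE_LOG.splitlines())
    for name, info in sorted(report.items()):
        print(f"{name}: {info['count']} hit(s), {info['first']} to {info['last']}: "
              "group-membership conditions on this listener evaluate as false")
```

Any listener this reports needs a group query assigned in its settings, as described in the last post, before group-based content filter conditions can match.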