Ironport directory harvest for distributed deployment.

ggalteroo
Level 1

Hello everyone

We have multiple ESAs and one SMA running. The ESAs cannot access LDAP, but the SMA can. Is there a way to strengthen directory harvest protection without LDAP integration on the ESAs?

Thanks a lot!

Guido

3 Replies

No...

But there are a couple of ways to get LDAP closer to them...

I'm guessing that the ESAs are in a DMZ, and you're not letting stuff in the DMZ access the LDAP boxes, right?

Not sure if you're using Exchange, but you could put an Edge box in place and set up EdgeSync. EdgeSync uses your internal HT boxes to push out just enough AD info (e.g. valid email addresses) to an ADAM instance on the Edge box. You wouldn't have to feed it mail, but you could just point the ESAs at the ADAM instance for LDAP lookups...

 

Or you could roll your own LDAP sync somehow, using ADAM as your LDAP box in the DMZ. Or a *nix box with an LDAP server on it that just has valid email addresses...

 

Hello Ken

You're right. The DMZ cannot access LDAP and we're using Exchange. Though I was thinking of a solution from the Ironport standpoint, your approach is worth considering.

Thanks a lot for your time.

Regards

Guido

Without the use of LDAP on the ESAs for recipient validation:

The ESA falls back to its default recipient acceptance (by domain), or else rejection, as configured in the RAT.

 

This will block by recipient domains not added into the RAT.

Otherwise you could try SMTP call-ahead for recipient validation as well. With call-ahead, the ESA connects to the destination host or a static call-ahead server and sends the RCPT TO: command with the recipient. If the destination host/static server is doing recipient validation, it can deny the RCPT TO commands the ESA sends, and the ESA then rejects the recipient on its own side as well.
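To make the call-ahead exchange concrete, here is an added example that is not part of this thread and not Cisco's code: a small Python script that plays both sides. A stand-in "destination host" on localhost accepts RCPT TO only for a constructed list of valid addresses (a toy substitute for the Exchange/ADAM directory), and a call-ahead client connects, runs EHLO / MAIL FROM / RCPT TO / RSET / QUIT, and turns the RCPT reply code into an accept, reject or tempfail verdict, which is the distinction a gateway needs so that a 4xx from the backend does not become a permanent bounce. The host names, the null sender and the recipient list are all assumptions for the demo.

```python
"""SMTP call-ahead recipient validation demo (added example, not from the thread).

Runs a stand-in destination host on 127.0.0.1 that validates RCPT TO against a
constructed recipient list, then performs the call-ahead exchange against it.
"""
import socket
import socketserver
import threading

# Constructed sample directory: the only addresses the stand-in host accepts.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}


class RecipientValidatingHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: only enough of the protocol to answer a call-ahead."""

    def handle(self):
        self.wfile.write(b"220 mx.example.com ESMTP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mx.example.com\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                parts = cmd.split(":", 1)
                addr = parts[1].strip().strip("<>").lower() if len(parts) > 1 else ""
                if addr in VALID_RECIPIENTS:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:  # unknown user: permanent rejection, the signal call-ahead relies on
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 OK\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_validation_server():
    """Start the stand-in destination host on an ephemeral localhost port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), RecipientValidatingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _read_reply(reader):
    """Read one (possibly multi-line) SMTP reply; return (code, last line)."""
    while True:
        line = reader.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("connection closed by peer")
        if len(line) >= 4 and line[3] == " ":  # "250 " ends the reply, "250-" continues it
            return int(line[:3]), line.rstrip()


def call_ahead(host, port, recipient, helo_name="esa.example.com"):
    """Perform the call-ahead exchange. Returns (verdict, transcript).

    verdict is "accept" (2xx), "tempfail" (4xx or no greeting) or "reject" (5xx).
    A null sender (<>) is used for the probe, which is an assumption of this demo.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=5) as sock:
        reader = sock.makefile("rb")
        code, greeting = _read_reply(reader)
        transcript.append("S: " + greeting)
        if code != 220:
            return "tempfail", transcript

        def send(cmd):
            transcript.append("C: " + cmd)
            sock.sendall((cmd + "\r\n").encode("ascii"))
            reply_code, reply = _read_reply(reader)
            transcript.append("S: " + reply)
            return reply_code

        if send(f"EHLO {helo_name}") != 250 or send("MAIL FROM:<>") != 250:
            send("QUIT")
            return "tempfail", transcript
        code = send(f"RCPT TO:<{recipient}>")
        send("RSET")   # never actually deliver anything: the probe ends here
        send("QUIT")
    if 200 <= code < 300:
        return "accept", transcript
    if 400 <= code < 500:
        return "tempfail", transcript
    return "reject", transcript


if __name__ == "__main__":
    server, port = start_validation_server()
    for rcpt in ("alice@example.com", "mallory@example.com"):
        verdict, transcript = call_ahead("127.0.0.1", port, rcpt)
        print(f"{rcpt}: {verdict}")
        for entry in transcript:
            print("    " + entry)
    server.shutdown()
    server.server_close()
```

Running it prints the full client/server transcript for a valid and an unknown recipient. The important design choice is the three-way verdict: only a 5xx on RCPT TO should make the gateway reject the recipient, while a 4xx or an unreachable backend should defer, otherwise a backend outage turns into mass bounces. In the real deployment the stand-in server is replaced by the Exchange host (or the static call-ahead server) that actually knows the directory.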