Ironport recipient validation with LDAP and fall back to smtp call ahead

rolelael
Level 1

Hello, is the following an option:

- We use LDAP for recipient validation (the RAT contains our specific domains to validate). So whenever an external mail arrives at the ESA (for one of those domains) we do a recipient check against an LDAP server. This works fine. The default action is set to temporarily refuse mails when the LDAP server is unavailable.

We want a fallback scenario where we can use SMTP call-ahead if the LDAP server is unavailable (so not to let all mail in, but still do a recipient check based on call-ahead).

Tried this one but it seems not to work (created an SMTP call-ahead profile, assigned it to the public listener etc., then renamed the LDAP server DNS name to something which doesn't exist) … but mails got rejected:

Tue Mar 19 13:31:03 2019 Critical: LDAP: query DNS result DNS Hard Error looking up x.x.x.x (A): NXDomain
Tue Mar 19 13:31:26 2019 Critical: LDAP: query XXX-shared-LDAP_LDAPS.accept result LDAP server misconfigured or unreachable

I also tried setting the LDAP query to allow mail in when LDAP is unreachable. Same behaviour when I rename the LDAP server.

So is this a working solution: LDAP recipient validation with failover to SMTP call-ahead?

Regs

1 Reply

No.

RAT is checked first.
LDAP acceptance supplements this.
Then SMTP call-ahead is performed.

So leave a working LDAP setup that accepts mail when LDAP is not available.
Turn off the LDAP server, then see what happens.
But ultimately SMTP call-ahead is going to be used all the time with LDAP accept, not only when LDAP fails.

What I don't know (you could try) is what the default behavior is for LDAP accept in the Workqueue when LDAP is not available.
If this is to allow mail to be delivered, then you can perform SMTP call-ahead first, then the LDAP query in the Workqueue.

If you don't have multiple mail systems / LDAP directories, you will probably be getting the same acceptance results.
So you may want to make a judgement call on which option to use.
I used SMTP call-ahead with LDAP to solve a rather complex multi-mail system deployment where not all recipients were available in LDAP.

I also have not done an intensive load comparison between SMTP call-ahead and LDAP acceptance to see how this affects general message processing duration, CPU and ultimately workqueue throughput. You may need to consider the impact, especially in a DR scenario.
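The stage order the reply describes (RAT first, then LDAP accept, then SMTP call-ahead) explains the original test result: when the LDAP query is set to temp-fail on an unreachable directory, the SMTP conversation ends at stage two and call-ahead is never consulted. The model below is an added illustration of that ordering and is not Cisco ESA code; the class and function names, the `on_ldap_unavailable` policy knob, the example.com recipients and the returned verdict strings are all constructed for the example.

```python
# Added illustrative model (not Cisco ESA code) of the recipient-validation order
# described in the reply: RAT -> LDAP accept -> SMTP call-ahead, with the
# "what to do when LDAP is unavailable" policy as a knob. All names here are
# assumptions made for the example.
from dataclasses import dataclass, field
from typing import Callable, List, Set


class LdapUnavailable(Exception):
    """Raised by the LDAP lookup when the directory cannot be reached."""


@dataclass
class RecipientValidator:
    rat_domains: Set[str]                      # domains the listener accepts at all
    ldap_lookup: Callable[[str], bool]         # True if recipient exists; may raise LdapUnavailable
    call_ahead: Callable[[str], bool]          # True if the downstream server accepts RCPT TO
    on_ldap_unavailable: str = "temp-fail"     # "temp-fail" (4xx) or "accept" (continue)
    trace: List[str] = field(default_factory=list)

    def validate(self, rcpt: str) -> str:
        """Return the SMTP-style verdict for one recipient; self.trace lists stages run."""
        self.trace = []
        domain = rcpt.rpartition("@")[2].lower()

        # Stage 1: Recipient Access Table. Unknown domains never get further.
        self.trace.append("rat")
        if domain not in self.rat_domains:
            return "550 reject (RAT)"

        # Stage 2: LDAP accept query, with the configured unavailable policy.
        self.trace.append("ldap")
        try:
            if not self.ldap_lookup(rcpt):
                return "550 reject (LDAP)"
        except LdapUnavailable:
            if self.on_ldap_unavailable == "temp-fail":
                return "451 temp-fail (LDAP unavailable)"   # conversation ends here
            # "accept" policy: LDAP did not veto, fall through to the next stage

        # Stage 3: SMTP call-ahead, only reached when LDAP did not veto.
        self.trace.append("call-ahead")
        if not self.call_ahead(rcpt):
            return "550 reject (call-ahead)"
        return "250 accept"


# Constructed sample backends for example.com (not real directory data).
KNOWN_USERS = {"alice@example.com"}


def ldap_up(rcpt: str) -> bool:
    return rcpt in KNOWN_USERS


def ldap_down(rcpt: str) -> bool:
    raise LdapUnavailable("LDAP server misconfigured or unreachable")


def downstream_call_ahead(rcpt: str) -> bool:
    return rcpt in KNOWN_USERS


def run_scenarios():
    """Return {scenario: (verdict, stages executed)} for the cases discussed in the thread."""
    results = {}
    v = RecipientValidator({"example.com"}, ldap_up, downstream_call_ahead)
    results["ldap up, known user"] = (v.validate("alice@example.com"), list(v.trace))

    # The original poster's test: LDAP unreachable, default temp-fail policy.
    v = RecipientValidator({"example.com"}, ldap_down, downstream_call_ahead, "temp-fail")
    results["ldap down, temp-fail policy"] = (v.validate("alice@example.com"), list(v.trace))

    # The wanted fallback: LDAP unreachable, accept policy, call-ahead does the check.
    v = RecipientValidator({"example.com"}, ldap_down, downstream_call_ahead, "accept")
    results["ldap down, accept policy, unknown user"] = (v.validate("bob@example.com"), list(v.trace))
    results["ldap down, accept policy, known user"] = (v.validate("alice@example.com"), list(v.trace))

    v = RecipientValidator({"example.com"}, ldap_up, downstream_call_ahead)
    results["domain not in RAT"] = (v.validate("alice@other.example"), list(v.trace))
    return results


if __name__ == "__main__":
    for name, (verdict, stages) in run_scenarios().items():
        print(f"{name:45} {verdict:35} stages={stages}")
```

Running the scenarios shows the two outcomes that matter operationally: with the temp-fail policy a directory outage stops every conversation at the LDAP stage (call-ahead never appears in the trace), while with the accept policy the call-ahead stage still rejects unknown recipients, so mail for non-existent users is not let in. Note that in the model, as in the reply, call-ahead runs on every accepted recipient whenever it is enabled, not only during an LDAP outage, which is the load consideration the reply raises.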