Ironport reject connection when recipient not found by LDAP query

Stefan Nowak · ‎03-29-2017

How do we configure the listener to drop/reject/close the connection, when a recipient is not found by the LDAP query? Drop and Bounce are the only possible options offered by the ESA.

Thank you and best regards-

Ken Stieers · ‎03-29-2017

Drop and bounce are the only options if you're doing it in the work queue.

Select "SMTP Conversation" to do it at the connection level. (see below)

You may want to turn on Rejected Message Tracking under Security Services/Message Tracking so you can track down things like "I can't mail from client X" and you can diagnose that they're misspelling someone's email address...

Stefan Nowak · ‎03-30-2017

It works. Thank you very much.

Libin Varghese · ‎03-29-2017

Hi Stefan,

You can configure to perform the LDAP accept query check at the SMTP conversation instead of the workqueue. From the GUI Network -> Listeners -> Name of the Listener.

The RAT LDAP check would then drop the connections based on the configuration under Mail Policies -> RAT.

For Accept queries, select the query to use from the list. You can specify whether the LDAP Accept occurs during the work queue processing or during the SMTP conversation.

For LDAP Accept during the work queue processing, specify the behavior for non-matching recipients: bounce or drop.

For LDAP Accept during the SMTP conversation, specify how to handle mail if the LDAP server is unreachable. You can elect to allow messages or drop the connection with a code and custom response. Finally, select whether or not to drop connections if the Directory Harvest Attack Prevention (DHAP) threshold is reached during an SMTP conversation.

Performing recipient validation in the SMTP conversation can potentially reduce the latency between multiple LDAP queries. Therefore, you might notice an increased load on your directory server when you enable conversational LDAP Accept.

Thank You!

Libin Varghese