LDAP recipient acceptance validation suggestions

Hi All,

I'm looking for suggestions on how to perform conversational recipient acceptance validation against Active Directory servers via LDAP in a multidomain environment with an IronPort gateway appliance.


- Andrew.

Hello Andrew,

I am including some detailed information on the configuration of LDAP Accept for use with AD below. Additional information on this subject is available on the appliance within the web interface: click Help in the upper right-hand corner and select Online Help. Once selected, you can search for "LDAP accept" or just "LDAP" within the search pane on your left.

The following example integrates with a standard Microsoft Active Directory deployment, although the principles can be applied to many types of LDAP implementations.

You will first create an LDAP server entry, at which point you must specify your directory server as well as the query that the IronPort appliance will perform. The query is then enabled or applied on your incoming (public) listener.


  • These LDAP server settings can be shared by different listeners and other parts of the configuration such as end-user quarantine access.
  • You cannot use this method to validate outbound senders on outgoing (private) listeners or on hosts whose Mail Flow Policy behavior is set to "relay." More on how to work around this limitation is in KB article (needs external link).

To facilitate the configuration of the LDAP queries on your IronPort appliance, we recommend that you use an LDAP browser; an LDAP browser allows you to take a look at your schema as well as all the attributes against which you can query.

On Windows, you can use:

  • Softterra's LDAP browser
  • Ldp
  • Adsiedit

On Linux or UNIX, you can use the ldapsearch command.

First, you need to define the LDAP server to query. In this example, the nickname "PublicLDAP" is given for the LDAP server. Queries are directed to TCP port 389 (the default).

NOTE: If your Active Directory implementation contains subdomains, you will not be able to query for users in a subdomain using the base DN of the root domain. However, when using Active Directory, you may also query LDAP against the Global Catalog (GC) server on TCP port 3268. The GC contains partial information for *all* objects in the Active Directory forest and provides referrals to the subdomain in question when further information is required. If you cannot "find" users in your subdomains, leave the base DN at the root and set the IronPort to use the GC port.


1) Create a new LDAP Server Profile with the values located previously from your directory server (System Administration > LDAP). For example:
- Server Profile Name: PublicLDAP
- Host Name:
- Authentication Method:
Use Password: Enabled
Password: password
- Server Type: Active Directory
- Port: 3268
- Base DN: dc=example,dc=com

Make sure to use the "Test Server(s)" button to verify your settings before continuing. Successful output should look like:

Connecting to server at port 3268
Result: succeeded

2) Use the same screen to define the LDAP accept query. The following example checks the recipient address against the more common attributes, either "mail" OR "proxyAddresses":
- Name: PublicLDAP.accept
- Query String: (|(mail={a})(proxyAddresses=smtp:{a}))

You can use the "Test Query" button to verify that your search query returns results for a valid account. Successful output searching for the service account's address "" should look like:

Query results for
Query ( to server PublicLDAP (
Query ( lookup success, ( returned 1 results
Success: Action: Pass

3) Apply this new accept query to the Inbound Listener (Network > Listeners). Expand the options LDAP Queries > Accept, and choose your query PublicLDAP.accept.

4) Finally, commit the changes to enable these settings.


1) First, you use the ldapconfig command to define an LDAP server for the appliance to bind to, and queries for recipient acceptance (ldapaccept subcommand), routing (ldaprouting subcommand), and masquerading (masquerade subcommand) are configured.

> ldapconfig

No LDAP server configurations.

Choose the operation you want to perform:
- NEW - Create a new server configuration.
[]> new

Please create a name for this server configuration (Ex: "PublicLDAP"):
[]> PublicLDAP

Please enter the hostname:

Use SSL to connect to the LDAP server? [N]> n
Please enter the port number:
[389]> 389

Please enter the base:
[dc=example,dc=com]> dc=example,dc=com

Select the authentication method to use for this server configuration:
1. Anonymous
2. Password based
[1]> 2

Please enter the bind username:

Please enter the bind password:
[]> password

Name: PublicLDAP
Hostname: Port 389
Authentication Type: password

2) Second, you need to define the query to perform against the LDAP server you have just configured.

Choose the operation you want to perform:
- SERVER - Change the server for the query.
- LDAPACCEPT - Configure whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure message routing.
- MASQUERADE - Configure domain masquerading.
- LDAPGROUP - Configure whether a sender or recipient is in a specified group.
- SMTPAUTH - Configure SMTP authentication.
[]> ldapaccept

Please create a name for this query:
[PublicLDAP.ldapaccept]> PublicLDAP.ldapaccept

Enter the LDAP query string:
[(mailLocalAddress={a})]> (|(mail={a})(proxyAddresses=smtp:{a}))

Please enter the cache TTL in seconds:

Please enter the maximum number of cache entries to retain:

Do you want to test this query? [Y]> n
Name: PublicLDAP

Hostname: Port 389
Authentication Type: password
LDAPACCEPT: PublicLDAP.ldapaccept

3) Once you have configured the LDAP query, you need to apply the LDAP accept policy to your Inbound Listener.

> listenerconfig

Currently configured listeners:
1. Inboundmail (on PublicNet, SMTP TCP Port 25 Public
2. Outboundmail (on PrivateNet, SMTP TCP Port 25 Private

Choose the operation you want to perform:
- NEW - Create a new listener.
- EDIT - Modify a listener.
- DELETE - Remove a listener.
- SETUP - Change global settings.
[]> edit

Enter the name or number of the listener you wish to edit.
[]> 1

Name: InboundMail
Type: Public
Interface: PublicNet ( TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain Map: Disabled
SMTP Authentication: Disabled
Bounce Profile: Default
Use SenderBase For Reputation Filters and IP Profiling: Yes
Footer: None

Choose the operation you want to perform:
- NAME - Change the name of the listener.
- INTERFACE - Change the interface.
- LIMITS - Change the injection limits.
- SETUP - Configure general options.
- HOSTACCESS - Modify the Host Access Table.
- RCPTACCESS - Modify the Recipient Access Table.
- BOUNCECONFIG - Choose the bounce profile to use for messages injected on this listener.
- MASQUERADE - Configure the Domain Masquerading Table.
- DOMAINMAP - Configure domain mappings.
- LDAPACCEPT - Configure an LDAP query to determine whether a recipient address should be accepted or bounced/dropped.
- LDAPROUTING - Configure an LDAP query to reroute messages.
[]> ldapaccept

Available Recipient Acceptance Queries
1. None
2. PublicLDAP.ldapaccept
[1]> 2

Should the recipient acceptance query drop recipients or bounce them?
NOTE: Directory Harvest Attack Prevention may cause recipients to be
dropped regardless of this setting.
1. bounce
2. drop
[2]> 2

Name: InboundMail
Type: Public
Interface: PublicNet ( TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain Map: Disabled
SMTP Authentication: Disabled
Bounce Profile: Default
Use SenderBase For Reputation Filters and IP Profiling: Yes
Footer: None
LDAP: ldapaccept (PublicLDAP.ldapaccept)

4) To activate the changes made to the listener, commit your changes.

For more information about LDAP Queries, see the AsyncOS User Guide on the IronPort Support Portal.


Christopher C Smith

Cisco IronPort Customer Support 
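The accept query in Christopher's post, (|(mail={a})(proxyAddresses=smtp:{a})), is what the appliance sends to the directory with {a} replaced by the recipient address. The following is an added example, not code from the post or from Cisco: it builds that filter with RFC 4515 escaping of the substituted address, evaluates it with a small parser (AND/OR/NOT, equality and "*" substring matching only) against a constructed in-memory stand-in for the AD objects, and returns the Pass / bounce / drop outcome the listener setting produces. The DIRECTORY entries, the case-insensitive matching (which is how AD treats mail and proxyAddresses), and the escaping step are assumptions made for the example so it runs offline.

```python
import re
from typing import Any, Dict, List, Tuple

# The accept query from the post; {a} is replaced by the recipient address.
ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"

# Constructed stand-in for the AD objects the query would search. Attribute
# values are lists, as LDAP returns them; proxyAddresses carries the usual
# "SMTP:" (primary) and "smtp:" (secondary) prefixes.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"mail": ["alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:alice@sub.example.com"]},
    {"mail": ["bob@example.com"], "proxyAddresses": ["SMTP:bob@example.com"]},
    {"mail": ["svc-ldap@example.com"], "proxyAddresses": []},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so that
    characters such as * ( ) \\ in a recipient address are matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_accept_filter(recipient: str, template: str = ACCEPT_QUERY) -> str:
    """Substitute the escaped recipient into the query template."""
    return template.replace("{a}", escape_filter_value(recipient))


def _unescape(raw: str) -> str:
    # Reverse the \xx hex escapes produced by escape_filter_value.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(f: str, i: int) -> Tuple[Any, int]:
    """Parse one parenthesised filter item starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1                # skip the closing ')'
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        return ("!", [node]), i + 1
    eq = f.index("=", i)
    close = f.index(")", eq)                    # safe: a literal ')' in a value is escaped
    attr, raw = f[i:eq], f[eq + 1:close]
    parts = [_unescape(p) for p in raw.split("*")]   # an unescaped '*' is a wildcard
    return ("=", attr, parts), close + 1


def parse_filter(f: str) -> Any:
    node, end = _parse(f, 0)
    if end != len(f):
        raise ValueError("trailing data in filter")
    return node


def _match(node: Any, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, parts = node
    # Anchored regex: each '*' in the filter became a gap between literal parts.
    pattern = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def lookup(filter_str: str, entries: List[Dict[str, List[str]]] = DIRECTORY) -> int:
    """Number of matching entries: the 'returned N results' line of Test Query."""
    node = parse_filter(filter_str)
    return sum(1 for e in entries if _match(node, e))


def accept_decision(recipient: str, on_reject: str = "drop") -> str:
    """'Pass' if the recipient resolves, else the listener's bounce/drop choice."""
    return "Pass" if lookup(build_accept_filter(recipient)) > 0 else on_reject


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "alice@sub.example.com", "carol@example.com"):
        print(rcpt, build_accept_filter(rcpt), accept_decision(rcpt))
```

The alice@sub.example.com case shows why the proxyAddresses branch matters when the base DN is the root domain: the address lives only as a secondary proxy address on the object. The escaping step is what keeps an address containing "*" or ")" from turning the equality test into a substring or altered filter; the same filter string can be handed to ldapsearch against the GC port (e.g. ldapsearch -H ldap://<dc>:3268 -b dc=example,dc=com '<filter>') to reproduce the appliance's Test Query result by hand.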

Thank you Christopher.  Very detailed info.