
SMA: SPAM notifications to only users in LDAP group query

hardik3946

Hello,

 

This is specifically regarding 'SMA' SPAM notification configuration. 

 

I am trying to configure SPAM notifications only for specific LDAP groups (when members of those groups receive any SPAM). My issue is: when I select 'ALL users' under SPAM notifications > Notify To, notifications seem to work okay, BUT it doesn't work when I select the option 'Select users from LDAP query'.

 

I obviously created an LDAP group query on the SMA and called it under 'Select users from LDAP query'. Then I called around three different LDAP groups and moved them to the right by putting them in the blank 'Group' box just under the option 'Select users from LDAP query'.

 

I have confirmed that my LDAP group query works when I tested it via the 'test queries' feature, and also confirmed that the users to whom I am sending test SPAM messages are part of the groups that have been called as mentioned in the second paragraph. Can somebody suggest where else I have to make any further settings? On the ESA listener or anywhere else in the SMA itself?

 

regards,

 

HD


Libin Varghese
Cisco Employee

Hi,

Those are the only configurable options that I'm aware of. If everything on the appliance appears to be configured correctly, you could verify the logs to confirm the notification is not being generated.

Take a look at the euq_logs.

Thu May 19 06:00:29 2011 Info: ISQ: Notification config: send_to=2 bounce_address="postmaster@labcisco.com" format_code=2: base_url="https://spam.labcisco.com/"
Thu May 19 06:00:29 2011 Info: ISQ: Notification querying: firstemail@address.com....lastemail@address.com
Thu May 19 06:00:29 2011 Info: ISQ: Notification sent: #recipients=0 #messages=0
Thu May 19 06:00:29 2011 Info: ISQ: [notification] Task ended: (4639097-4639097)

The MIDs mentioned after "Task ended" along with "Notification sent: #recipients=0 #messages=0" should give you an idea if ISQ notifications are being generated.

If you see spam emails being delivered to the spam quarantine on the SMA for the users matching the LDAP group I would expect the ISQ notification to be generated and corresponding details of notification being delivered in the mail_logs on the SMA.

Regards,
Libin Varghese
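The log check suggested above can be scripted. The following is an added example, not part of the original posts and not Cisco tooling: it reads `euq_logs` text in the format quoted in this thread and reports stretches of consecutive notification runs that reached no recipients. The sample lines are constructed, and `parse_runs` and `zero_recipient_streaks` are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed sample in the euq_logs format quoted in this thread.
SAMPLE_LOG = """\
Tue Aug 29 11:00:57 2017 Info: ISQ: Notification config: send_to=2 format_code=2:
Tue Aug 29 11:00:57 2017 Info: ISQ: Notification sent: #recipients=0 #messages=0
Tue Aug 29 11:00:57 2017 Info: ISQ: [notification] Task ended: (4639097-4639097)
Tue Aug 29 13:01:03 2017 Info: ISQ: Notification sent: #recipients=0 #messages=0
Tue Aug 29 15:01:10 2017 Info: ISQ: Notification sent: #recipients=3 #messages=7
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) Info: ISQ: (.*)$")
CONFIG_RE = re.compile(r"Notification config: send_to=(\d+)")
SENT_RE = re.compile(r"Notification sent: #recipients=(\d+) #messages=(\d+)")


def parse_runs(text):
    """Return one dict per 'Notification sent' line, in log order."""
    runs, send_to = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ISQ info line
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        cfg = CONFIG_RE.search(m.group(2))
        if cfg:
            send_to = int(cfg.group(1))  # raw value, not interpreted here
            continue
        sent = SENT_RE.search(m.group(2))
        if sent:
            runs.append({"time": when, "send_to": send_to,
                         "recipients": int(sent.group(1)),
                         "messages": int(sent.group(2))})
            send_to = None  # a config line applies to the next run only
    return runs


def zero_recipient_streaks(runs, min_len=2):
    """Return (first_time, last_time, count) per stretch of empty runs."""
    streaks, current = [], []
    for run in runs + [None]:  # the None sentinel flushes the final stretch
        if run is not None and run["recipients"] == 0:
            current.append(run)
            continue
        if len(current) >= min_len:
            streaks.append((current[0]["time"], current[-1]["time"], len(current)))
        current = []
    return streaks
```

A stretch of empty runs only points to a recipient-selection problem when spam for the affected users was arriving in the quarantine during the same period, so compare the reported time window against the quarantine contents.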

Hi Libin,

 

Thanks for the reply.

It seems notifications are not being sent.

 

Tue Aug 29 11:00:57 2017 Info: ISQ: Notification sent: #recipients=0 #messages=0
Tue Aug 29 13:01:03 2017 Info: ISQ: Notification sent: #recipients=0 #messages=0

 

Now the question is whether I am entering the LDAP group names in the correct format. Do I have to enter the DN of the group? To me it looks like the SMA is not able to query the correct group somehow. Any idea?

HD

 

 

Since notifications work fine without LDAP group integration it would appear to be an issue on the LDAP side, however it would be difficult to confirm the same without looking at it.

You could also review the LDAP debug logs on the appliance to see if there are any LDAP related errors.

The default LDAP query syntax is available in the end user guides.

You can use the following tokens in your LDAP queries:
• {a} username@domainname
• {d} domain
• {dn} distinguished name
• {g} group name
• {u} user name
• {f} MAILFROM: address

When you configure the LDAP profile to query for group membership, enter the base DN for the directory level where group records can be found, the attribute that holds the group member’s user name, and the attribute that contains the group name.

I would recommend opening a TAC case to get it checked further.

Regards,
Libin Varghese

Yes, let me see the LDAP logs and then open a TAC case if required. Thank you for your quick suggestions.

 

HD.

Hi Libin, 

 

Sorry for initiating again.

 

But I see this statement in the SMA user guide, which seems to be a missing part of the configuration...

------

Configuring an Outbound IP Interface on the Security Management Appliance
Configure an interface on the Security Management appliance to send quarantine-related messages
(including notifications and released email) to the Email Security appliance for delivery.

-------

 

Is the above interface really required, and under which conditions? I was still able to receive notifications without it initially, when I configured notifications for 'ALL users'. Moreover, when I release the spam manually, I still receive it in the mailbox without this interface configuration.

 

HD

There should be an IP interface already present on the SMA since you are accessing it using https.

 

The SMA would use the existing IP interface and routing to deliver any emails or notifications.

 

As without LDAP group it works fine, I do not see this as a possible cause.

 

- Libin V

Hi Libin/ all

 

I wanted to post it earlier but got delayed, so let me complete this thread now. I am marking this resolved now, and below is what I had to do to resolve it.

 

I had to use the DN of the LDAP group in the 'spam notification' section under 'Edit SPAM quarantine'. So when you choose 'Select group from LDAP query' to send SPAM notifications, rather than using the CN of the LDAP group, you have to use the DN (full path, something like CN=xx, OU=xx, DC=xx, DC=xx) of the LDAP group name and it will work like a charm.

 

Hardik.

Glad it was resolved after adding the complete path for the LDAP group.

 

Thank you for updating the post.

 

- Libin V