Cisco Email Security Appliance X1070 User Guide
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 24 LDAP Queries
Configuring AsyncOS for SMTP Authentication
AsyncOS provides support for SMTP authentication. SMTP Auth is a mechanism for authenticating
clients connected to an SMTP server.
The practical use of this mechanism is that users at a given organization are able to send mail using that
entity’s mail servers even if they are connecting remotely (e.g. from home or while traveling). Mail User
Agents (MUAs) can issue an authentication request (challenge/response) when attempting to send a
piece of mail.
Users can also use SMTP authentication for outgoing mail relays. This allows the appliance to make a
secure connection to a relay server in configurations where the appliance is not at the edge of the
network.
AsyncOS supports two methods to authenticate user credentials:
• You can use an LDAP directory.
• You can use a different SMTP server (SMTP Auth forwarding and SMTP Auth outgoing).
Figure 24-11 SMTP Auth Support: LDAP Directory Store or SMTP Server
Configured SMTP Authentication methods are then used to create SMTP Auth profiles via the
smtpauthconfig command for use within HAT mail flow policies (see ).
Configuring SMTP Authentication
If you are going to authenticate with an LDAP server, select the SMTPAUTH query type on the Add or
Edit LDAP Server Profile pages (or in the ldapconfig command) to create an SMTP Authentication
query. For each LDAP server you configure, you can configure an SMTPAUTH query to be used as an
SMTP Authentication profile.
There are two kinds of SMTP authentication queries: LDAP bind and Password as attribute. When you
use password as attribute, the appliance will fetch the password field in the LDAP directory. The
password may be stored in plain text, encrypted, or hashed. When you use LDAP bind, the appliance
attempts to log into the LDAP server using the credentials supplied by the client.
Specifying a Password as Attribute
The convention in OpenLDAP, based on RFC 2307, is that the type of coding is prefixed in curly braces
to the encoded password (for example, “{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=”). In this
example, the password portion is a base64 encoding of a plain text password after application of SHA.
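The prefix convention described above can be checked mechanically. The following Python sketch is an added example, not code from Cisco or AsyncOS: it parses a fetched password attribute and verifies a client-supplied password against it. It goes beyond the {SHA} case shown above by also handling an unprefixed plain-text value and OpenLDAP's salted {SSHA} form; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest


def parse_userpassword(value):
    """Split '{SCHEME}payload' into (scheme, payload); (None, value) if unprefixed."""
    # Note: a plain-text password that itself looks like '{x}y' is ambiguous
    # under this convention and will be treated as a scheme prefix.
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return None, value


def verify(candidate, stored):
    """Check a client-supplied password against a fetched attribute value."""
    scheme, payload = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:  # attribute holds the password as plain text
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload, validate=True)
    # {SHA}: 20-byte digest only. {SSHA}: 20-byte digest followed by the salt.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or (scheme == "SHA" and salt):
        raise ValueError("malformed " + scheme + " value")
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)


def encode(password, scheme="SSHA"):
    """Build a {SHA} or {SSHA} value (helper for constructed sample data)."""
    salt = os.urandom(8) if scheme == "SSHA" else b""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


if __name__ == "__main__":
    page_sample = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="  # value quoted in the text
    print(verify("secret", page_sample))        # sample is SHA-1 of "secret"
    print(verify("secret", encode("secret")))   # constructed salted value
```

Because {SHA} carries no salt, the same password always produces the same stored value, whereas each {SSHA} value differs by its random salt.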