Cisco Email Security Appliance X1070 User Guide
22-18
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 22 LDAP Queries
Note that a server may be unreachable because the wrong port was entered in the server configuration, or the port is not opened in the firewall. LDAP servers typically communicate over port 3268 or 389. Active Directory uses port 3268 to access the global catalog used in multi-server environments (see “Firewall Information” in the Cisco IronPort AsyncOS for Email Configuration Guide for more information). In AsyncOS 4.0, the ability to communicate to the LDAP server via SSL (usually over port 636) was added. For more information, see
A server may also be unreachable because the hostname you entered cannot be resolved.
You can use the Test Server(s) button on the Add/Edit LDAP Server Profile page (or the test subcommand of the ldapconfig command in the CLI) to test the connection to the LDAP server. For more information,
If the LDAP server is unreachable:
• If LDAP Accept or Masquerading or Routing is enabled on the work queue, mail will remain within the work queue.
• If LDAP Accept is not enabled but other queries (group policy checks, etc.) are used in filters, the filters evaluate to false.
Using Acceptance Queries For Recipient Validation
You can use your existing LDAP infrastructure to define how the recipient email address of incoming messages (on a public listener) should be handled. Changes to user data in your directories are picked up the next time the Cisco appliance queries the directory server. You can specify the size of the caches and the amount of time the Cisco appliance stores the data it retrieves.
Note: You may wish to bypass LDAP acceptance queries for special recipients (such as administrator@example.com). You can configure this setting from the Recipient Access Table (RAT). For information about configuring this setting, see “Configuring the Gateway to Receive Email” in the Cisco IronPort AsyncOS for Email Configuration Guide.
Sample Acceptance Queries
Table 22-2 shows sample acceptance queries.
Table 22-2 Example LDAP Query Strings for Common LDAP Implementations: Acceptance
Query for: Recipient validation
OpenLDAP:
(mailLocalAddress={a})
(mail={a})
(mailAlternateAddress={a})
Microsoft Active Directory Address Book / Microsoft Exchange:
(|(mail={a})(proxyAddresses=smtp:{a}))
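The query strings in Table 22-2 are templates: the appliance substitutes the recipient address of each incoming message for {a} and sends the resulting filter to the directory, and the recipient is accepted only if an entry matches. The Python below is an added example, not Cisco's code and not part of AsyncOS, that shows this substitution together with a minimal evaluator for the filter subset the table uses ((attr=value), (|...) and (&...)), run against constructed sample entries. The escaping helper, the evaluator, the entry data and all function names are assumptions made for the illustration; the query strings themselves are the ones from the table.

```python
"""Added example (not Cisco's code): instantiate an acceptance query from
Table 22-2 for one recipient and evaluate it against a constructed,
in-memory directory."""
import re


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 style).
    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the address
    substituted for {a} is compared literally instead of being read as
    filter syntax. (Assumed behaviour for safe substitution; AsyncOS's own
    implementation is not shown on the page.)"""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


def instantiate(template, recipient):
    """Substitute the recipient address for the {a} placeholder."""
    return template.replace('{a}', escape_filter_value(recipient))


def _value_regex(raw):
    """Compile a raw filter value: an unescaped '*' is a wildcard, a '\\XX'
    escape is one literal character, everything else is literal.
    Values are matched case-insensitively, as mail attributes are."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == '\\':
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == '*':
            parts.append('.*')
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    return re.compile(''.join(parts), re.IGNORECASE)


def parse_filter(text, pos=0):
    """Parse the subset of RFC 4515 the acceptance queries use:
    (attr=value), (|(f)(f)...) and (&(f)(f)...). Returns (node, next_pos)."""
    if text[pos] != '(':
        raise ValueError('expected "(" at offset %d' % pos)
    pos += 1
    if text[pos] in '|&':
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == '(':
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ')':
            raise ValueError('expected ")" at offset %d' % pos)
        return (op, children), pos + 1
    eq = text.index('=', pos)
    close = text.index(')', eq)      # a literal ')' in a value is escaped as \29
    return ('=', text[pos:eq].lower(), _value_regex(text[eq + 1:close])), close + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes
    (attribute name -> list of values; names compared case-insensitively)."""
    kind = node[0]
    if kind == '|':
        return any(matches(child, attrs) for child in node[1])
    if kind == '&':
        return all(matches(child, attrs) for child in node[1])
    _, attr, pattern = node
    values = next((v for k, v in attrs.items() if k.lower() == attr), [])
    return any(pattern.fullmatch(v) for v in values)


def accept_recipient(template, recipient, directory):
    """Return the DN of the entry that validates the recipient, or None.
    This is the question an acceptance query answers for each RCPT TO."""
    filt = instantiate(template, recipient)
    node, end = parse_filter(filt)
    if end != len(filt):
        raise ValueError('trailing characters in filter: %r' % filt[end:])
    for entry in directory:
        if matches(node, entry['attrs']):
            return entry['dn']
    return None


# Constructed sample entries standing in for an OpenLDAP user and an
# Exchange/Active Directory user (not data from any real directory).
DIRECTORY = [
    {'dn': 'uid=alice,ou=people,dc=example,dc=com',
     'attrs': {'mail': ['alice@example.com'],
               'mailAlternateAddress': ['a.liddell@example.com']}},
    {'dn': 'CN=Bob,OU=Users,DC=example,DC=com',
     'attrs': {'mail': ['bob@example.com'],
               'proxyAddresses': ['SMTP:bob@example.com',
                                  'smtp:robert@example.com']}},
]

# Query strings as given in Table 22-2.
OPENLDAP_ALTERNATE = '(mailAlternateAddress={a})'
EXCHANGE = '(|(mail={a})(proxyAddresses=smtp:{a}))'

if __name__ == '__main__':
    for query, rcpt in [(EXCHANGE, 'robert@example.com'),
                        (OPENLDAP_ALTERNATE, 'a.liddell@example.com'),
                        (EXCHANGE, 'nobody@example.com')]:
        print(instantiate(query, rcpt), '->',
              accept_recipient(query, rcpt, DIRECTORY))
```

Two details are worth noticing when reading the output. The Exchange query accepts robert@example.com through the secondary proxyAddresses value even though that attribute's primary entry is written with an upper-case SMTP: prefix, which is why the evaluator compares case-insensitively. And because the recipient is escaped before substitution, an address containing a filter metacharacter such as '*' is compared as a literal string and simply fails to validate; only a filter written with an unescaped '*' behaves as a wildcard.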