Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 24      Authenticating SMTP Sessions Using Client Certificates
Authenticating a User Using an LDAP Directory
The SMTP Authentication LDAP query has an Allowance Query String that allows the Email Security appliance to check whether the user’s mail client is allowed to send mail through the appliance based on the user’s record in the LDAP directory. This allows users who don’t have a client certificate to send mail as long as their record specifies that it’s allowed.
You can also filter out results based on other attributes. For example, the query string (&(uid={u})(|(!(caccn=*))(cacexempt=*)(cacemergency>={t}))) checks to see if any of the following conditions are true for the user:
• CAC is not issued to the user (!(caccn=*))
• CAC is exempt (cacexempt=*)
• the time period that a user may temporarily send mail without a CAC expires in the future (cacemergency>={t})
See 
 for more information on using the 
SMTP Authentication query.
Procedure
Step 1  Select System Administration > LDAP.
Step 2  Define an LDAP profile. See  for more information.
Step 3  Define an SMTP authentication query for the LDAP profile.
Step 4  Check the SMTP Authentication Query checkbox.
Step 5  Enter the query name.
Step 6  Enter the string to query for the user’s ID. For example, (uid={u}).
Step 7  Select LDAP BIND for the authentication method.
Step 8  Enter an allowance query string. For example, (&(uid={u})(|(!(caccn=*))(cacexempt=*)(cacemergency>={t}))).
Step 9  Submit and commit your changes.
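Added example (not from the Cisco guide and not AsyncOS code): a small offline evaluator for the allowance query string from Step 8, for checking which directory entries the filter would let send mail without a client certificate. The sample entries, the integer timestamp format assumed for {t} and cacemergency, and all function names are assumptions; the RFC 4515 escaping of the user ID is general practice for building LDAP filters, not a description of what the appliance does internally.

```python
import re
# Allowance query string from the guide: {u} is the user ID, {t} the time of the check.
ALLOWANCE = "(&(uid={u})(|(!(caccn=*))(cacexempt=*)(cacemergency>={t})))"

def escape(value):  # RFC 4515 escaping: a user ID cannot alter the filter structure
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(s, i=0):  # handles only the subset used here: & | ! = >= and (attr=*)
    i += 1                                   # skip '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1             # skip ')'
    end = s.index(")", i)                    # a literal ')' in a value is escaped
    attr, cmp_, val = re.match(r"([\w-]+)(>=|=)(.*)", s[i:end], re.S).groups()
    return (cmp_, attr, val), end + 1

def matches(node, entry):
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    have, val = entry.get(node[1], []), node[2]
    if op == "=" and val == "*":             # presence test, e.g. (caccn=*)
        return bool(have)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    if op == ">=":                           # assumption: integer timestamps
        return any(int(v) >= int(val) for v in have)
    return any(v.lower() == val.lower() for v in have)

def allowed(entry, user, now):  # does `entry` satisfy the allowance query?
    subst = {"u": escape(user), "t": str(int(now))}
    flt = re.sub(r"\{([ut])\}", lambda m: subst[m.group(1)], ALLOWANCE)
    return matches(parse(flt)[0], entry)

NOW = 1_700_000_000                          # constructed "current time"
DIRECTORY = [                                # constructed sample entries
    {"uid": ["alice"], "caccn": ["ALICE.A.0001"]},
    {"uid": ["bob"]},
    {"uid": ["carol"], "caccn": ["CAROL.C.0003"], "cacexempt": ["TRUE"]},
    {"uid": ["dave"], "caccn": ["DAVE.D.0004"], "cacemergency": [str(NOW + 3600)]},
    {"uid": ["erin"], "caccn": ["ERIN.E.0005"], "cacemergency": [str(NOW - 3600)]},
]

def audit(directory, now):  # uids that may send mail without a client certificate
    return [e["uid"][0] for e in directory if allowed(e, e["uid"][0], now)]
```

Running audit() over an export of the real directory shows every account the allowance query exempts from client-certificate authentication, including emergency windows that have not yet expired.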
Authenticating an SMTP Connection Over TLS Using a Client Certificate
The certificate-based SMTP authentication profile allows the Email Security appliance to authenticate 
an SMTP connection over TLS using a client certificate. When creating the profile, you select the 
Certificate Authentication LDAP query to use for verifying the certificate. You can also specify whether 
the Email Security appliance falls back to the SMTP AUTH command to authenticate the user if a client 
certificate isn’t available.
For information on authenticating an SMTP connection by using LDAP, see 
.