Cisco Email Security Appliance X1070 User Manual
Chapter 3 LDAP Queries
3-48
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
The Cisco IronPort appliance negotiates the SASL mechanism with the MUA
before it receives the password: the appliance and the MUA agree on the
method (LOGIN and PLAIN are the supported SASL mechanisms; MD5, SHA, SSHA,
and CRYPT are the supported formats for the password stored in LDAP). Both
LOGIN and PLAIN carry the password base64-encoded rather than encrypted, so
the SMTP session should be protected by TLS. The appliance then queries the
LDAP database to fetch the stored password. In LDAP, the password can carry
a prefix in braces that names its hash scheme, for example {SHA}.
• If there is no prefix, the appliance assumes that the password was stored in
LDAP in plaintext.
• If there is a prefix, the appliance fetches the hashed password, computes
the same hash over the password supplied by the MUA (for salted schemes such
as SSHA, together with the salt stored alongside the digest), and compares
the two hashed values. The Cisco IronPort appliance supports the SHA1 and
MD5 hash types following the RFC 2307 convention of prepending the hash
mechanism type, in braces, to the hashed password in the password field.
• Some LDAP servers, like the OpenWave LDAP server, do not prefix the hashed
password with the hash type; instead, they store the hash type as a separate
LDAP attribute. In these cases, you can specify a default SMTP AUTH
encryption method that the appliance assumes when comparing the stored
password with the password obtained in the SMTP conversation. The prefix,
when present, takes precedence over this default.
The Cisco IronPort appliance takes an arbitrary username from the SMTP Auth
exchange (untrusted client input) and converts it into an LDAP query that
fetches the cleartext or hashed password field. It then performs any
necessary hashing on the password supplied in the SMTP Auth credentials and
compares the result with what it retrieved from LDAP (with the hash-type tag,
if any, removed). A match means that the SMTP Auth conversation proceeds; a
failure to match results in an error code being returned to the MUA.
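The complete check described above, as an added example in Python (it is not code from this guide or from AsyncOS): the MUA side builds a SASL PLAIN initial response; the appliance side decodes it, turns the username into an escaped LDAP filter, strips the RFC 2307 tag, hashes the supplied password with the same scheme and compares in constant time. It goes slightly beyond the text by also handling the salted SSHA and SMD5 formats and by escaping the username per RFC 4515 so a crafted login name cannot rewrite the filter. The directory contents, the user names, the "(uid={u})" query template and the default_scheme parameter are assumptions made for the example; the {CRYPT} scheme is not implemented here and is simply rejected.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# RFC 2307 storage formats. Unsalted: "{SHA}" + base64(sha1(pw)).
# Salted: "{SSHA}" + base64(sha1(pw + salt) + salt), salt appended to the digest.
_UNSALTED = {"SHA": hashlib.sha1, "MD5": hashlib.md5}
_SALTED = {"SSHA": hashlib.sha1, "SMD5": hashlib.md5}

# Constructed stand-in for the LDAP server: maps the exact filter the appliance
# would send to the userPassword value it would return (hypothetical users).
# "carol" is the OpenWave case: hashed, but the tag is kept in another attribute.
DIRECTORY: Dict[str, str] = {
    "(uid=alice)": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",   # sha1("secret")
    "(uid=bob)": "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",          # md5("secret")
    "(uid=carol)": "5en6G6MezRroT3XKqkdPOmY/BfQ=",         # untagged sha1("secret")
    "(uid=dave)": "hunter2",                               # untagged plaintext
}


def plain_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """MUA side: encode a SASL PLAIN initial response, base64("authzid\\0authcid\\0passwd")."""
    msg = "%s\x00%s\x00%s" % (authzid, authcid, passwd)
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def parse_auth_plain(initial_response: str) -> Tuple[str, str]:
    """Appliance side: decode the PLAIN message into (username, password)."""
    raw = base64.b64decode(initial_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    _authzid, authcid, passwd = parts
    return authcid.decode("utf-8"), passwd.decode("utf-8")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the SMTP AUTH username cannot alter the LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_query(username: str, template: str = "(uid={u})") -> str:
    """Substitute the escaped username into the (assumed) query template."""
    return template.replace("{u}", escape_filter_value(username))


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """'{SCHEME}rest' -> ('SCHEME', 'rest'); no brace prefix -> (None, stored)."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_password(supplied: str, stored: str, default_scheme: Optional[str] = None) -> bool:
    """Hash the supplied password the way the stored value was hashed, then compare."""
    scheme, value = split_scheme(stored)
    if scheme is None:
        scheme = default_scheme          # no tag: fall back to the configured default
    pw = supplied.encode("utf-8")
    if scheme is None:                   # no tag and no default: stored in plaintext
        return hmac.compare_digest(pw, value.encode("utf-8"))
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False                     # corrupt entry: fail closed
    if scheme in _UNSALTED:
        return hmac.compare_digest(_UNSALTED[scheme](pw).digest(), blob)
    if scheme in _SALTED:
        n = _SALTED[scheme]().digest_size
        if len(blob) <= n:
            return False                 # digest without a salt: treat as corrupt
        digest, salt = blob[:n], blob[n:]
        return hmac.compare_digest(_SALTED[scheme](pw + salt).digest(), digest)
    return False                         # unsupported scheme (CRYPT here): reject


def make_stored(scheme: str, password: str, salt: bytes = b"") -> str:
    """Produce an RFC 2307 value for seeding entries (salt is used by salted schemes only)."""
    pw = password.encode("utf-8")
    if scheme in _UNSALTED:
        return "{%s}%s" % (scheme, base64.b64encode(_UNSALTED[scheme](pw).digest()).decode())
    digest = _SALTED[scheme](pw + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def smtp_auth(initial_response: str, directory: Dict[str, str],
              default_scheme: Optional[str] = None) -> bool:
    """The appliance-side check: decode, build the query, fetch, hash, compare."""
    try:
        username, password = parse_auth_plain(initial_response)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    stored = directory.get(build_query(username))
    if stored is None:
        return False                     # unknown user: same error as a bad password
    return verify_password(password, stored, default_scheme)


if __name__ == "__main__":
    # "AGFsaWNlAHNlY3JldA==" is base64("\0alice\0secret"), what the MUA sends.
    print(smtp_auth("AGFsaWNlAHNlY3JldA==", DIRECTORY))
```

Note that carol's untagged entry only verifies when default_scheme="SHA" is passed; without the default the value is compared as plaintext and the login fails, which is the misconfiguration the OpenWave bullet above warns about.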