Cisco Email Security Appliance C160 User Manual

3-29
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 3 LDAP Queries
Directory Harvest Attack Prevention within the SMTP Conversation
You can prevent DHAs by entering only domains in the Recipient Access Table (RAT), and performing 
the LDAP acceptance validation in the SMTP conversation. 
To drop messages during the SMTP conversation, configure an LDAP server profile for LDAP 
acceptance. Then, configure the listener to perform an LDAP accept query during the SMTP 
conversation.
Figure 3-12
Configuring the Acceptance Query in the SMTP Conversation
Once you configure LDAP acceptance queries for the listener, you must configure DHAP settings in the 
mail flow policy associated with the listener.
Figure 3-13
Configuring the Mail Flow Policy to Drop Connections in the SMTP Conversation
In the mail flow policy associated with the listener, configure the following Directory Harvest Attack 
Prevention settings:
• Max. Invalid Recipients Per Hour. The maximum number of invalid recipients per hour this listener will accept from a single remote host. This threshold counts the RAT rejections together with the messages to invalid LDAP recipients that are dropped in the SMTP conversation or bounced in the work queue. For example, if you configure the threshold as five and the counter records two RAT rejections and three dropped messages to invalid LDAP recipients from the same host, the Cisco IronPort appliance determines that the threshold is reached and drops the connection. By default, the maximum number of invalid recipients per hour for a public listener is 25. For a private listener, the maximum number of invalid recipients per hour is unlimited by default. Setting it to "Unlimited" means that DHAP is not enabled for that mail flow policy.
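The following Python model shows how the two counted outcomes (RAT rejections and LDAP accept-query failures in the SMTP conversation) add up per remote host against the Max. Invalid Recipients Per Hour threshold, and how "Unlimited" turns the check off. It is an added illustration, not Cisco or AsyncOS code: the RAT domains, LDAP directory entries, host addresses and RCPT TO sequence are constructed, and the rolling one-hour window is an assumption about how the per-hour counter behaves, not something the guide specifies.

```python
"""Toy model of DHAP accounting for a listener that holds only domains in the
RAT and runs the LDAP accept query during the SMTP conversation.
Added example; not AsyncOS code. Data below is constructed."""
from collections import deque

UNLIMITED = None            # "Unlimited" in the mail flow policy: DHAP disabled
WINDOW_SECONDS = 3600       # assumption: counter covers a rolling one-hour window

# Constructed configuration (assumptions, not from the guide).
RAT_DOMAINS = {"example.com"}                                # RAT lists domains only
LDAP_DIRECTORY = {"alice@example.com", "bob@example.com"}    # what the accept query resolves


class DhapCounter:
    """Per-remote-host count of invalid recipients within the window."""

    def __init__(self, max_invalid_per_hour):
        self.max_invalid = max_invalid_per_hour
        self.events = {}    # host -> deque of timestamps of invalid recipients

    def _prune(self, host, now):
        q = self.events.setdefault(host, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def record_invalid(self, host, now):
        q = self._prune(host, now)
        q.append(now)
        return len(q)

    def threshold_reached(self, host, now):
        if self.max_invalid is UNLIMITED:
            return False
        return len(self._prune(host, now)) >= self.max_invalid


def handle_rcpt(counter, host, now, recipient):
    """Verdict for one RCPT TO: ACCEPT, RAT_REJECT, LDAP_DROP or DROP_CONNECTION."""
    domain = recipient.rpartition("@")[2].lower()
    if domain not in RAT_DOMAINS:
        verdict = "RAT_REJECT"        # RAT rejection, counted toward the threshold
    elif recipient.lower() not in LDAP_DIRECTORY:
        verdict = "LDAP_DROP"         # accept query fails in the SMTP conversation, also counted
    else:
        return "ACCEPT"               # valid recipients never touch the counter
    counter.record_invalid(host, now)
    if counter.threshold_reached(host, now):
        return "DROP_CONNECTION"      # threshold reached: the connection is dropped
    return verdict


def simulate(max_invalid_per_hour, events):
    """Run a sequence of (host, timestamp, recipient) through one listener policy."""
    counter = DhapCounter(max_invalid_per_hour)
    return [handle_rcpt(counter, host, ts, rcpt) for host, ts, rcpt in events]


# Constructed harvest attempt from a single remote host: the guide's example of
# two RAT rejections plus three invalid LDAP recipients against a threshold of 5.
SAMPLE_EVENTS = [
    ("203.0.113.5", 0, "alice@example.com"),   # valid: accepted
    ("203.0.113.5", 1, "carol@example.org"),   # RAT reject (1)
    ("203.0.113.5", 2, "carol@example.com"),   # LDAP drop  (2)
    ("203.0.113.5", 3, "dave@example.net"),    # RAT reject (3)
    ("203.0.113.5", 4, "dave@example.com"),    # LDAP drop  (4)
    ("203.0.113.5", 5, "eve@example.com"),     # LDAP drop  (5): threshold reached
]

if __name__ == "__main__":
    for threshold in (5, UNLIMITED):
        print(threshold, simulate(threshold, SAMPLE_EVENTS))
```

Running it with a threshold of 5 ends the sequence with DROP_CONNECTION on the fifth invalid recipient, while the same sequence under "Unlimited" only keeps rejecting individual recipients, which is exactly the exposure a harvester relies on: every per-recipient answer leaks whether the address exists. The per-host keying also shows why the threshold is meaningful only if the counter is not shared across hosts.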