Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
25-33
Cisco AsyncOS 9.0 for Email User Guide
Chapter 25 LDAP Queries
Configuring AsyncOS for SMTP Authentication
Related Topics
•
•
•
•
•
•
•
Configuring SMTP Authentication
If you are going to authenticate with an LDAP server, select the SMTPAUTH query type on the Add or
Edit LDAP Server Profile pages (or in the
Edit LDAP Server Profile pages (or in the
ldapconfig
command) to create an SMTP Authentication
query. For each LDAP server you configure, you can configure a SMTPAUTH query to be used as an
SMTP Authentication profile.
SMTP Authentication profile.
There are two kinds of SMTP authentication queries: LDAP bind and Password as attribute. When you
use password as attribute, the appliance will fetch the password field in the LDAP directory. The
password may be stored in plain text, encrypted, or hashed.When you use LDAP bind, the appliance
attempts to log into the LDAP server using the credentials supplied by the client.
use password as attribute, the appliance will fetch the password field in the LDAP directory. The
password may be stored in plain text, encrypted, or hashed.When you use LDAP bind, the appliance
attempts to log into the LDAP server using the credentials supplied by the client.
Related Topics
•
Specifying a Password as Attribute
The convention in OpenLDAP, based on RFC 2307, is that the type of coding is prefixed in curly braces
to the encoded password (for example, “{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=”). In this
example, the password portion is a base64 encoding of a plain text password after application of SHA.
to the encoded password (for example, “{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=”). In this
example, the password portion is a base64 encoding of a plain text password after application of SHA.
The appliance negotiates the SASL mechanism with the MUA before getting the password, and the
appliance and the MUA decide on what method (LOGIN, PLAIN, MD5, SHA, SSHA, and CRYPT SASL
mechanisms are supported). Then, the appliance queries the LDAP database to fetch a password. In
LDAP, the password can have a prefix in braces.
appliance and the MUA decide on what method (LOGIN, PLAIN, MD5, SHA, SSHA, and CRYPT SASL
mechanisms are supported). Then, the appliance queries the LDAP database to fetch a password. In
LDAP, the password can have a prefix in braces.
•
If there is no prefix, the appliance assumes that the password was stored in LDAP in plaintext.
•
If there is a prefix, the appliance will fetch the hashed password, perform the hash on the username
and/or password supplied by the MUA, and compare the hashed versions. The appliance supports
SHA1 and MD5 hash types based on the RFC 2307 convention of prepending the hash mechanism
type to the hashed password in the password field.
and/or password supplied by the MUA, and compare the hashed versions. The appliance supports
SHA1 and MD5 hash types based on the RFC 2307 convention of prepending the hash mechanism
type to the hashed password in the password field.
•
Some LDAP servers, like the OpenWave LDAP server, do not prefix the encrypted password with
the encryption type; instead, they store the encryption type as a separate LDAP attribute. In these
cases, you can specify a default SMTP AUTH encryption method the appliance will assume when
comparing the password with the password obtained in the SMTP conversation.
the encryption type; instead, they store the encryption type as a separate LDAP attribute. In these
cases, you can specify a default SMTP AUTH encryption method the appliance will assume when
comparing the password with the password obtained in the SMTP conversation.
The appliance takes an arbitrary username from the SMTP Auth exchange and converts that to an LDAP
query that fetches the clear or hashed password field. It will then perform any necessary hashing on the
password supplied in the SMTP Auth credentials and compare the results with what it has retrieved from
LDAP (with the hash type tag, if any, removed). A match means that the SMTP Auth conversation shall
proceed. A failure to match will result in an error code.
query that fetches the clear or hashed password field. It will then perform any necessary hashing on the
password supplied in the SMTP Auth credentials and compare the results with what it has retrieved from
LDAP (with the hash type tag, if any, removed). A match means that the SMTP Auth conversation shall
proceed. A failure to match will result in an error code.