Introduction
At Mailspect we field many questions about LDAP and Active Directory integration with Mailspect Archive, Defense and Connect so here is a brief article that should answer most questions.
LDAP Authentication for Spam Quarantine and Email Archive Access
Mailspect can authenticate a user against LDAP or Active Directory. Upon login Mailspect automatically gathers the user's email address and aliases from the directory and displays the correct email archive and spam quarantine. Different domains can use different authentication sources.
LDAP for SMTP Address Verification
Mailspect Defense can verify SMTP recipient addresses against any LDAP directory or Active Directory using the Access Lists feature. This is configured in the Mailspect daemon, mppd. Mppd supports multiple LDAP servers for address verification, both for failover and for per-domain verification.
LDAP for Mailspect Policy Selection
Mailspect can query an LDAP directory to find which service policy to apply to an email. The directory can be checked using the sender or recipient address, domain or IP to find the correct policy for the message.
How Does LDAP work in mppd.conf.xml?
LDAP servers are defined in mppd.conf.xml, each with a unique id. A server definition holds the LDAP access information needed for one function, such as verifying addresses for a domain or selecting a policy. The server id is then referenced from an Access List or Policy Selection configuration, and mppd performs the matching LDAP query using the attributes defined for that server. Soon this will all be in the GUI!
Sample LDAP Configuration - Verifying SMTP addresses with a generic LDAP Directory
Use the following code in mppd.conf.xml to check a generic LDAP server for the validity of SMTP addresses. Note that bind_pw is stored in clear text in mppd.conf.xml, so restrict the file's permissions, and bind with an account that only needs read access to the mail attribute; cn=Manager (the OpenLDAP rootdn) is used here only as a placeholder.
<group id="default">
<access_list_members_addresslist type="both">ldap://acl_sample</access_list_members_addresslist>
</group>
<ldap id="acl_sample">
<base_dn>dc=example,dc=com</base_dn>
<server>192.168.0.1</server>
<server_timeout>30000</server_timeout>
<!-- 389 is plain LDAP: the bind credentials travel unencrypted unless the link itself is protected -->
<port>389</port>
<!-- prefer a dedicated read-only bind account over the directory manager -->
<bind_dn>cn=Manager,dc=example,dc=com</bind_dn>
<bind_pw>secret</bind_pw>
<mail_attribute>mail</mail_attribute>
<cache_size>1024</cache_size>
<cache_ttl>30</cache_ttl>
<!-- 2 = subtree in standard LDAP scope numbering (0 = base, 1 = one level) -->
<search_scope>2</search_scope>
<version>3</version>
</ldap>
Sample Configuration: Verify SMTP Addresses using Active Directory with Mailspect Defense
For Exchange 2003/2007 the following LDAP settings are required
(example with AD domain devel.local):
LDAP bind dn: cn=Administrator,cn=Users,dc=devel,dc=local
LDAP bind pw: the password of that account
Mail Attribute: mail
Administrator is used in the example for simplicity; address verification only reads the mail attribute, so a dedicated low-privilege domain account is sufficient and preferable.
------------------
<group id="default">
<access_list_members_addresslist type="both">ldap://acl_activedirectory</access_list_members_addresslist>
</group>
<ldaps>
<ldap id="acl_activedirectory">
<base_dn>cn=Users,dc=devel,dc=local</base_dn>
<server>win2003.sob.local</server>
<bind_dn>cn=Administrator,cn=Users,dc=devel,dc=local</bind_dn>
<bind_pw>190009</bind_pw>
<mail_attribute>mail</mail_attribute>
</ldap>
</ldaps>
For Microsoft SBS SMTP address verification the base DN for users differs, because the SBS wizards place user accounts under ou=MyBusiness:
<ldap id="acl_sbs">
<base_dn>ou=SBSUsers,ou=Users,ou=MyBusiness,dc=sbs,dc=local</base_dn>
<server>sbs.sob.local</server>
<bind_dn>cn=Administrator,ou=SBSUsers,ou=Users,ou=MyBusiness,dc=sbs,dc=local</bind_dn>
<bind_pw>190009</bind_pw>
<mail_attribute>mail</mail_attribute>
</ldap>
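As an added example (not Mailspect code, and not a description of what mppd does internally), the following Python shows the lookup that both the generic LDAP sample and the Active Directory/SBS samples above depend on: the recipient address from the SMTP transaction is placed into a search filter on the mail attribute. Because that address is chosen by the remote sender, it must be escaped per RFC 4515 before it enters the filter; an unescaped `*` would match every entry and make every recipient appear valid. The Active Directory variant additionally matches Exchange aliases stored in proxyAddresses, which is an assumption about your schema, not something the page's configuration specifies. The ldapsearch_command helper and the password-file path /root/.mppd-bind-pw are likewise assumptions, included so the values in mppd.conf.xml can be tested by hand before mppd uses them.

```python
"""Added example (not Mailspect code): build and check the LDAP lookup that
SMTP address verification relies on.

Assumptions not stated on the Mailspect page: the verifier searches for an
entry whose mail attribute equals the RCPT TO address; for Active Directory,
aliases live in proxyAddresses as "smtp:alias@domain" (standard AD/Exchange schema).
"""
import shlex

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape an attacker-controlled string (e.g. an SMTP recipient) for use
    inside an LDAP search filter. Non-printable and non-ASCII characters are
    escaped byte by byte as UTF-8, as RFC 4515 permits."""
    out = []
    for ch in value:
        if ch in _RFC4515_ESCAPES:
            out.append(_RFC4515_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_mail_filter(address: str, mail_attribute: str = "mail",
                      active_directory: bool = False) -> str:
    """Filter matching exactly the given recipient. With active_directory=True
    the filter also matches Exchange proxy addresses (assumed alias store)."""
    safe = ldap_filter_escape(address)
    primary = f"({mail_attribute}={safe})"
    if not active_directory:
        return primary
    return f"(|{primary}(proxyAddresses=smtp:{safe}))"


def naive_mail_filter(address: str, mail_attribute: str = "mail") -> str:
    """What plain string concatenation produces; shown for contrast only."""
    return f"({mail_attribute}={address})"


# Standard LDAP scope numbering; 2 is the search_scope used in the sample config.
_SCOPES = {0: "base", 1: "one", 2: "sub"}


def ldapsearch_command(server: str, port: int, bind_dn: str, base_dn: str,
                       address: str, mail_attribute: str = "mail",
                       search_scope: int = 2, active_directory: bool = False,
                       pw_file: str = "/root/.mppd-bind-pw") -> str:
    """Build the ldapsearch invocation that reproduces the verification query,
    so the values from mppd.conf.xml can be checked by hand. The bind password
    is read from a file (-y) rather than passed with -w, which would expose it
    in the process list. pw_file is a hypothetical path for this example."""
    argv = [
        "ldapsearch", "-x", "-LLL",
        "-H", f"ldap://{server}:{port}",
        "-D", bind_dn, "-y", pw_file,
        "-b", base_dn, "-s", _SCOPES[search_scope],
        build_mail_filter(address, mail_attribute, active_directory),
        mail_attribute,
    ]
    return shlex.join(argv)


if __name__ == "__main__":
    rcpt = "alice@example.com"          # constructed sample recipient
    print(build_mail_filter(rcpt))
    # A recipient supplied by the remote sender, not by you:
    hostile = "*"
    print(naive_mail_filter(hostile))   # (mail=*)  every entry matches, every address "exists"
    print(build_mail_filter(hostile))   # (mail=\2a)  only a literal asterisk matches
    # Test commands for the two configurations shown on the page:
    print(ldapsearch_command("192.168.0.1", 389, "cn=Manager,dc=example,dc=com",
                             "dc=example,dc=com", rcpt))
    print(ldapsearch_command("win2003.sob.local", 389,
                             "cn=Administrator,cn=Users,dc=devel,dc=local",
                             "cn=Users,dc=devel,dc=local", rcpt, active_directory=True))
```

Run the printed ldapsearch command against your own directory: exactly one entry back for a real mailbox and none for a made-up address means the base DN, bind DN and mail attribute in mppd.conf.xml are right. If a made-up address returns entries, or a search for `*` returns more than the one literal match, the directory or the filter construction is not doing what the access list needs.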
