LDAP
Module 9
Module Objectives
By the end of this module, you will be able to:
Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server
Set up group-based email inspection using group attributes defined in an existing LDAP server
06-50000-0221-20130726
LDAP
LDAP Profile
The FortiMail unit can be configured to consult an LDAP server for
many items that you would normally configure locally such as:
User Query
Group Query
User Authentication
User Alias
Mail Routing
Address Mapping
Domain lookup
LDAP Profile
The main section of every LDAP profile is User Query Options
It contains the key elements of the lookup: the object class and attributes to query, the bind DN and the base DN
User Query exchange between the FortiMail unit and the AD server:
1. LDAP Search Request (FortiMail unit to AD server)
Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
LDAP Search: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:user2@internal1.lab)(mail=user2@internal1.lab)))
2. LDAP SearchResEntry (AD server to FortiMail unit)
Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab
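The exchange above embeds the recipient address inside an LDAP filter. The added example below (it is not FortiMail code and not part of the original slides) rebuilds that filter for any recipient with RFC 4515 escaping, so a recipient string containing characters such as "*" or ")" cannot change the filter's structure, and then applies the filter's semantics to a small constructed directory. The entries, the Sales group and the objectClass values are assumptions made for the example; the base DN and the filter shape are taken from the slide.

```python
# Added example, not FortiMail code: build the slide's user-query filter with
# RFC 4515 escaping and evaluate its semantics against constructed entries.
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_query_filter(recipient: str) -> str:
    """Reproduce the filter shown on the slide for an arbitrary recipient address."""
    r = escape_filter_value(recipient)
    return ("(&(|(objectClass=User)(objectClass=publicFolder))"
            f"(|(proxyAddresses=smtp:{r})(mail={r})))")


# Constructed sample entries under CN=Users,DC=trainingAD,DC=training,DC=lab
DIRECTORY = [
    {"dn": "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "objectClass": ["top", "person", "User"],
     "mail": "user1@internal1.lab",
     "proxyAddresses": ["SMTP:user1@internal1.lab", "smtp:user2@internal1.lab"]},
    {"dn": "CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "objectClass": ["top", "group"],           # assumed: a group, not a User
     "mail": "sales@internal1.lab",
     "proxyAddresses": []},
]


def find_recipient(recipient: str, entries=DIRECTORY) -> Optional[str]:
    """Apply the semantics of build_user_query_filter() to in-memory entries.

    Returns the DN of the matching object (the SearchResEntry on the slide)
    or None when the recipient is unknown, which is what makes recipient
    address verification reject mail for non-existent users.
    """
    want = recipient.lower()                    # mail attributes match case-insensitively
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if not classes & {"user", "publicfolder"}:
            continue                            # only User or publicFolder objects count
        proxies = {p.lower() for p in e.get("proxyAddresses", [])}
        if f"smtp:{want}" in proxies or e.get("mail", "").lower() == want:
            return e["dn"]
    return None


if __name__ == "__main__":
    print(build_user_query_filter("user2@internal1.lab"))
    print(find_recipient("user2@internal1.lab"))
    print(find_recipient("sales@internal1.lab"))   # group object: not accepted
```

The Sales entry shows why the objectClass part of the filter matters: an address that exists in the directory but belongs to an object class outside the filter is not verified as a recipient.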
Group Query
The LDAP directory can be queried for group membership
This makes it possible to determine unambiguously whether an object belongs to a group
User Authentication
User credentials can be verified against LDAP by configuring the User Authentication Options
User Alias
The User Alias option dynamically resolves email aliases to real email addresses by querying a directory server
One advantage of this option is the handling of quarantine reports, because the FortiMail unit maintains a single quarantine mailbox for each user's primary email account
Mail Routing
Email can be routed to a backend SMTP server that differs from the one associated with the MX record or statically configured in the protected domain section
The Mail host attribute field defines the MTA (FQDN or IP) to which the email should be sent
The Mail routing address attribute field is matched against the recipient address
When an email for an address matching this attribute is received, it is routed to the MTA given by the Mail host attribute
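The Group Query, User Alias and Mail Routing options all work on the entry returned by the user query. The added example below (not FortiMail code and not part of the original slides) shows the three decisions on one constructed entry: folding an alias to the primary mailbox, testing group membership, and choosing the MTA. The attribute names are assumptions: memberOf and proxyAddresses are standard Active Directory attributes, and mailHost / mailRoutingAddress from the inetLocalMailRecipient schema stand in for whatever the profile's Mail host attribute and Mail routing address attribute fields are set to.

```python
# Added example, not FortiMail code: alias resolution, group membership and
# routing derived from one constructed directory entry.

# Constructed entry returned for user2@internal1.lab (an alias of User1).
ENTRY = {
    "dn": "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
    "mail": "user1@internal1.lab",
    # AD convention: the upper-case "SMTP:" prefix marks the primary address,
    # lower-case "smtp:" entries are aliases.
    "proxyAddresses": ["SMTP:user1@internal1.lab", "smtp:user2@internal1.lab"],
    "memberOf": ["CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab"],  # assumed group attribute
    "mailRoutingAddress": "user1@internal1.lab",   # assumed routing address attribute
    "mailHost": "mail1.internal1.lab",             # assumed mail host attribute
}


def primary_address(entry: dict) -> str:
    """User Alias: fold any alias to the single primary mailbox.

    The quarantine mailbox lives at the primary account, so reports for
    user2@ and user1@ must end up in the same place.
    """
    for p in entry.get("proxyAddresses", []):
        if p.startswith("SMTP:"):           # exact case: AD's primary-address marker
            return p[len("SMTP:"):]
    return entry.get("mail", "")


def is_member(entry: dict, group_dn: str) -> bool:
    """Group Query: is the object part of the group? DNs compare case-insensitively."""
    return group_dn.lower() in (g.lower() for g in entry.get("memberOf", []))


def route_for(entry: dict, recipient: str, default_mta: str) -> str:
    """Mail Routing: when the recipient matches the routing address attribute,
    deliver to the MTA in the mail host attribute; otherwise use the MTA the
    protected domain would use (MX record or static setting)."""
    routing_addr = entry.get("mailRoutingAddress", "")
    if routing_addr and routing_addr.lower() == recipient.lower() and entry.get("mailHost"):
        return entry["mailHost"]
    return default_mta


def inspection_policy(entry: dict, group_dn: str) -> str:
    """Group-based inspection: pick the policy name by group membership.
    Policy names are constructed for the example."""
    return "sales-spam-policy" if is_member(entry, group_dn) else "default-policy"


if __name__ == "__main__":
    sales = "CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab"
    primary = primary_address(ENTRY)
    print("primary:", primary)
    print("policy:", inspection_policy(ENTRY, sales))
    # The alias itself does not match the routing attribute; the primary does.
    print("route alias  :", route_for(ENTRY, "user2@internal1.lab", "mx.internal1.lab"))
    print("route primary:", route_for(ENTRY, primary, "mx.internal1.lab"))
```

The two route_for() calls illustrate the interaction between the options: the routing attribute is compared with the address that reaches the routing step, so an alias that was not resolved first falls back to the default MTA.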
Lab Network
Lab 8 LDAP
Objectives
To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy for a group of users
Tasks
Ex 1: Recipient Address Verification
Ex 2: Group Based Spam Inspection