Scribd Logo
Upload

Welcome to Scribd!

  • Module Objectives by The End of This Module, You Will Be Able To

    Uploaded by

    yousef512
    602 views10 pages
    ldap

    Original Title

    FortiMail-09-LDAP

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    ldap

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    602 views10 pages

    Module Objectives by The End of This Module, You Will Be Able To

    Uploaded by

    yousef512
    ldap

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    Course 221 - FortiMail Email Filtering

    LDAP

    LDAP
    Module 9

    2013 Fortinet Inc. All rights reserved.


    The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
    1
    or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
    or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726

    Module Objectives
    By the end of this module, you will be able to:
    Configure a FortiMail system to perform recipient address verification by querying
    an existing LDAP server
    Set up group-based email inspection using group attributes defined in an existing
    LDAP server

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    LDAP Profile
    The FortiMail unit can be configured to consult an LDAP server for
    many items that you would normally configure locally such as:
    User Query
    Group Query
    User Authentication
    User Alias
    Mail Routing
    Address Mapping
    Domain lookup

    LDAP Profile
    Main section of every LDAP profile is User Query Options
    Contains key elements such as class attributes to query, bind and base DN

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    User Query Options


    User Query Options area is also used to define the attributes to search
    for an objects DN starting from its email address
    This functionality can be used in the following scenarios:
    Recipient address verification
    Automatic removal of invalid quarantine accounts
    Domain verification

    Browse Directory Tree


    An administrator can browse the directory tree from User Query
    Options

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    Browse Directory Tree Sample Output

    Valid Recipient LDAP Search Sequence

    LDAP Bind Request


    Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
    Bind<password>

    1
    2
    LDAP Search Request
    Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
    LDAP Search: (&(|objectClass=User)(objectClass=publicFolder))
    (|(proxyAddresses=smtp:user2@internal1.lab)(mail=user2@internal1.lab)))

    AD Server

    FortiMail Unit

    LDAP Bind Response Success

    LDAP SearchResEntry
    Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    Invalid Recipient LDAP Search sequence

    LDAP Bind Request


    Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
    Bind<password>

    1
    2
    LDAP Search Request
    Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
    LDAP Search: (&(|objectClass=User)(objectClass=publicFolder))
    (|(proxyAddresses=smtp:user2@internal1.lab)(mail=user2@internal1.lab)))

    AD Server

    FortiMail Unit

    LDAP Bind Response Success

    LDAP SearchResDone Success 0 Results

    Group Query
    The LDAP directory can be queried for group membership
    This functionality provides the ability to clearly identify if an object is
    part of a group

    All the users located in the


    same container will be
    considered part of the
    same group

    10

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    Group Query Verify


    You can query the LDAP directory to verify LDAP connectivity and
    lookup results as follows:
    1

    11

    User Authentication
    Users credentials can be verified using LDAP by configuring User
    Authentication Options

    12

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    User Alias
    User Alias option is used to dynamically resolve email aliases to real
    email addresses by querying a Directory Server
    One advantage of this option is the handling of quarantine reports
    because the FortiMail unit maintains a single quarantine mailbox at
    each users primary email account

    13

    User Alias

    Attribute name that


    contains the list of real
    email addresses
    Attribute that uniquely
    identifies the object used
    for the alias resolution

    14

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    User Alias

    15

    LDAP Advanced Options


    To optimize the usage of the LDAP queries, enable the caching
    capabilities from Advanced Options

    16

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    Mail Routing
    Email can be routed to a backend SMTP server that differs from the
    one associated to the MX record or statically configured in the
    protected domain section
    The field Mail host attribute defines the MTA (FQDN or IP) where the
    email should be sent
    The field Mail routing address attribute matches the recipient address
    When an email for this attribute is received the email will be routed to the MTA
    specified for Mail host attribute

    17

    Lab Network

    18

    06-50000-0221-20130726

    Course 221 - FortiMail Email Filtering

    LDAP

    Lab 8 LDAP
    Objectives
    To verify recipient email addresses against an LDAP server and use the LDAP
    group attribute to enforce the same security policy to a group of users

    Tasks
    Ex 1: Recipient Address Verification
    Ex 2: Group Based Spam Inspection

    Estimated time to complete the lab: 30 minutes

    19

    06-50000-0221-20130726

    10

    You might also like