Tuesday, March 28, 2017

Fortimail recipient verification using Jumpcloud LDAP

In this last of the series of working examples using the JumpCloud LDAP-aaS, I will demonstrate a Fortinet Email Security Appliance (FortiMail) and the concept of verifying the recipient email address.

An email's SMTP RCPT TO: address will be in the protected email domain, and that address is what we verify.

This is common practice with ESAs and email gateways: verify the recipient and eliminate spam addressed to users that do not exist in the local email domain.

Just like in my earlier blogs, the JumpCloud LDAP-aaS can be used with these appliances to verify the recipient address. The steps are outlined below, along with diagrams of possible deployment solutions.

1st, create an LDAP profile as shown in one of my earlier blog postings:

http://socpuppet.blogspot.com/2017/03/jumpcloud-ldap-aas-with-fortimail.html

Check there for an example of the JumpCloud bind DN and base DN.



2nd, apply the named LDAP profile to the email protected domain:

Mail Settings > Domains  > LDAP User Profile 







3rd, VERY VERY IMPORTANT: apply a recipient policy and select your LDAP profile under

Policy > Recipient 




Keep in mind that recipient policies are very important in FortiMail mail processing, and please be cautious of the pecking order. Move and re-adjust the policies as required.

Send a test email. In my case the email address ldap2@socpuppets.com is not a local mailbox on a FortiMail acting as a mail server, so it was bounced:





LOGS:








1st match wins. So, like in a firewall policy, specify the most specific 1st, e.g. top-to-bottom ordering:

   RCP-policy 111  info@socpuppets.com           { no verification }
   RCP-policy 12   *@socpuppets.com              { verification via LDAP profile w/ JumpCloud }
   RCP-policy 18   googleblogger@socpuppets.com  { no verification }


The latter will never be matched due to the "*" wildcard policy preceding it. So the ordering of the policies, regardless of the assigned policy-id numbers, is very very important!
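To make the first-match-wins rule concrete, here is an added Python example (my own code, not FortiMail's and not from the original post). It evaluates a recipient address against the three policies above in their top-to-bottom order, consults a constructed stand-in for the JumpCloud directory when the matched policy requires verification, and reports which policies can never match. The policy list, the directory contents and the address ldap2@socpuppets.com are sample data; the "relay-denied" and "bounce" labels are my own names for the outcomes.

```python
import fnmatch

# Constructed sample: the recipient policies from the post, in their on-box
# top-to-bottom order. The policy id number is NOT the evaluation order.
POLICIES = [
    {"id": 111, "recipient": "info@socpuppets.com", "verify": False},
    {"id": 12, "recipient": "*@socpuppets.com", "verify": True},
    {"id": 18, "recipient": "googleblogger@socpuppets.com", "verify": False},
]

# Constructed stand-in for the JumpCloud LDAP lookup: the mail addresses the
# LDAP user profile would find for the protected domain.
DIRECTORY = {"info@socpuppets.com", "ken@socpuppets.com"}

PROTECTED_DOMAINS = {"socpuppets.com"}


def first_match(policies, rcpt):
    """First policy whose recipient pattern matches wins ('*' is a wildcard)."""
    for pol in policies:
        if fnmatch.fnmatchcase(rcpt.lower(), pol["recipient"].lower()):
            return pol
    return None


def dispose(policies, directory, rcpt):
    """Return (matched policy id, action) for one RCPT TO address.

    The policy id is what the FortiMail event log shows for the match."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain not in PROTECTED_DOMAINS:
        return None, "relay-denied"      # not one of our protected domains
    pol = first_match(policies, rcpt)
    if pol is None:
        return None, "no-policy"
    if pol["verify"] and rcpt.lower() not in directory:
        return pol["id"], "bounce"       # recipient verification failed
    return pol["id"], "accept"


def shadowed(policies):
    """Ids of policies that can never match because an earlier pattern covers them."""
    out = []
    for i, pol in enumerate(policies):
        for earlier in policies[:i]:
            # a literal recipient is shadowed when an earlier pattern matches it
            if fnmatch.fnmatchcase(pol["recipient"], earlier["recipient"]):
                out.append(pol["id"])
                break
    return out


if __name__ == "__main__":
    for rcpt in ("ldap2@socpuppets.com", "info@socpuppets.com",
                 "googleblogger@socpuppets.com", "ken@socpuppets.com"):
        print(rcpt, "->", dispose(POLICIES, DIRECTORY, rcpt))
    print("shadowed policy ids:", shadowed(POLICIES))
```

Running it shows googleblogger@socpuppets.com landing on policy 12 (and bouncing, because it is not in the directory) rather than on its own policy 18; moving policy 18 above the wildcard makes the shadowed list empty.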

And my final tip: always review the logs on the FortiMail ESA. If you have any matches, the event logs will reflect the policy # for that match and the disposition.


A user that has not been verified will generate a bounce back, and no delivery is made to any inside Exchange servers.









Deploying an LDAP service and profile, using an LDAP-aaS provider like JumpCloud, will allow you to apply good anti-spam filtering and secure email delivery.

https://jumpcloud.com


Now here are some deployment diagrams. The 1st supplements your local LDAP server with JumpCloud as a fallback. Great for an enterprise/org that's rebuilding or upgrading its local AD server but needs to have an active LDAP service available. Here we achieve this with SLB, prioritizing LDAP queries to the local LDAP server and falling back to JumpCloud when the local service is not functional, down or interrupted.








The next diagram shows a simple deployment that solely uses a single JumpCloud instance for recipient verification, with multiple MUAs sending mail to valid and non-valid recipients.




And lastly, the email-hosting provider arena, where you might have a single or a pair of ESA email appliances that need multiple hosted email protected domains. Here you could craft multiple JumpCloud org-ids and build multiple LDAP profiles, one unique to each hosted email domain.



A unique LDAP administrator could be assigned to each instance; he/she controls his/her own scope, manages the LDAP org tree, and has a unique org-id and LDAP service account for that domain.




And for diagnostics, ensure you test for LDAP connectivity and the correct syntax. Here we are using curl for testing LDAPS to JumpCloud:








Always ensure the correct credentials, and use "-k" if you're using cURL and have not saved the JumpCloud public cert.






Ken



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \


Saturday, March 25, 2017

FTNT CSB FGT90E

The new series of FGT90E has a not-so-funny CSB out that I thought was strange, to say the least.

It does not build confidence in these hardware platforms.




The fact that they state it's a degrading issue that does not need replacement, but "we are fully committed", makes you wonder how much commitment FTNT really has.






Wednesday, March 22, 2017

How to extract MS Azure DC subnets for a batch of addresses on a FortiGate

Here's a simple means for extracting the ranges of addresses that MS Azure posts for its geo-datacenter listings.



The link below lists the file in XML format, which is posted every week or so.


https://www.microsoft.com/en-us/download/details.aspx?id=41653


{ script }

#!/bin/bash
#
# rev 1.0
#
# Azure DC ranges prep script, made for FortiGate batch execution
# reference href https://www.microsoft.com/en-us/download/details.aspx?id=41653
#
if [ -z "$1" ] || [ ! -r "$1" ]; then
            echo " USAGE azuredcrange.sh filename"
            echo ""
            echo " azuredcrange.sh PublicIPs.xml"
            exit 1
fi

# each <IpRange Subnet="x.x.x.x/nn" /> line: take the text after '=',
# keep the first field and strip the quotes
for p in $(grep IpRange "$1" | cut -d "=" -f2 | awk '{print $1}' | sed -e 's/"//g') ;
do
    echo -e " config firewall address\n edit $p\n   set subnet $p\n   set tag MSAZURE_DC\n   set comment MS_AZURE_DC\n   end\n" ;
done



You can capture the output in a text file and use the batch cfg mode for execution within the web GUI.
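As an added example (my own code, not part of the original post), the same batch can be produced in Python by parsing the XML properly instead of grepping for IpRange, which also lets you validate each Subnet value before it is pushed into the firewall config. The XML excerpt below is constructed to mirror the layout of PublicIPs.xml (Region elements containing IpRange elements with a Subnet attribute); appending the region name to the comment is my own addition.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Microsoft's PublicIPs.xml download.
# The last IpRange is deliberately malformed to show the validation step.
SAMPLE_XML = """<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="uswest">
    <IpRange Subnet="13.64.0.0/16" />
    <IpRange Subnet="13.83.0.0/16" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
    <IpRange Subnet="not-a-subnet" />
  </Region>
</AzurePublicIpAddresses>
"""


def azure_ranges(xml_text):
    """Yield (region, subnet) for every IpRange, skipping malformed Subnet values."""
    root = ET.fromstring(xml_text)
    # element names are unqualified in the download, so plain tag names work here
    for region in root.iter("Region"):
        name = region.get("Name", "unknown")
        for rng in region.iter("IpRange"):
            subnet = rng.get("Subnet", "")
            try:
                net = ipaddress.ip_network(subnet, strict=True)
            except ValueError:
                continue  # never push garbage into the firewall config
            yield name, str(net)


def fortigate_batch(xml_text, tag="MSAZURE_DC"):
    """Render the same 'config firewall address' batch the bash script produces."""
    lines = []
    for region, subnet in azure_ranges(xml_text):
        lines += [
            "config firewall address",
            f' edit "{subnet}"',
            f"   set subnet {subnet}",
            f"   set tag {tag}",
            f"   set comment MS_AZURE_DC_{region}",
            "   end",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # usage: python azure_ranges.py PublicIPs.xml > azure_batch.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print(fortigate_batch(text))
```

Redirect the output to a file and load it through the same batch cfg mode as the bash version.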






Thursday, March 9, 2017

JumpCloud LDAP with a FortiGate for remote-user authentication

In this series of JumpCloud configurations, here's a basic cfg for JumpCloud LDAP-as-a-Service.



1st, you need to define the LDAP server cfgs.

NOTE: you need to set the cnid value to uid. It's a good thing to use LDAPS and not LDAP. The FortiGate will use the SSL certificate on the JumpCloud LDAP-aaS server instance.

Now we set the group with the name JUMPCLOUD server-profile.




And here's my simple user name jump01 set as a Super Admin:





Okay, now you test using the following:


diag test authserver ldap  <servernameLDAP>  <username> <password>


Or just login via SSH or the web GUI.






Ensure the FortiGate has a clear path for communication for LDAP or LDAPS, 389/636.




You can use the jump utility script or ldapsearch to test connectivity and bind user credentials, and filter or firewall policies.
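The curl and ldapsearch tests in this post, and the curl LDAPS test in the FortiMail recipient-verification post above, come down to the same check: can the appliance open LDAPS to ldap.jumpcloud.com, validate the server certificate, and bind with the service account. As an added example (my own code, not the jumpcloud utility script and not from the original post), here is a stdlib-only Python simple-bind client that performs that check and reports the LDAP result code, so it can be run from any host on the same path as the FortiGate or FortiMail. The bind DN layout in the comment is an assumption and ORG_ID is a placeholder.

```python
import socket
import ssl


# --- just enough BER/LDAP (RFC 4511) to send a simple bind and read the result ---

def ber_len(n):
    """Encode a BER length: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER, with a leading zero byte when the high bit would be set."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(body)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def recv_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host, bind_dn, password, port=636, cafile=None, timeout=10):
    """TLS to host:port with certificate and hostname verification, then a simple bind."""
    ctx = ssl.create_default_context(cafile=cafile)   # system CAs unless cafile is given
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_bind_request(1, bind_dn, password))
            return parse_bind_response(recv_message(tls))


if __name__ == "__main__":
    import sys
    # Assumed JumpCloud bind DN layout (ORG_ID is a placeholder):
    #   uid=<bind-user>,ou=Users,o=<ORG_ID>,dc=jumpcloud,dc=com
    code, diag = ldaps_bind("ldap.jumpcloud.com", sys.argv[1], sys.argv[2])
    print("resultCode=%d (0 = success, 49 = invalidCredentials) %s" % (code, diag))
```

A resultCode of 0 means the path, the certificate and the credentials are all good; 49 means the path and certificate are fine but the bind DN or password is wrong, which separates a firewall-policy problem from a credential problem the same way the FortiGate's diag test authserver output does.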


e.g



testing LDAPS









If you know the attribute you're looking for, or a range of attributes, you can query just those attributes.

e.g. ( query for cn, uid and sshKey )


e.g. ( query the user home directory )






Decrypt Junos $9$ passwords

Here are three means for decrypting $9$ passwords in Juniper Junos.


1> Later Junos versions have the ability to request system decrypt from the CLI.

2> Or use an online decrypt tool such as:

https://www.m00nie.com/juniper-type-9-password-tool/


3> Another tool:

http://junostools.com/pdecrypt



You don't have to rekey the various hashes (VRRP, PSK, BGP, etc.) if you use one of the three above methods for lost passwords.
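Because $9$ values are reversible obfuscation rather than hashes, any config file that carries them has to be handled as if it held the plaintext keys. As an added example, not from the post, here is a small Python scanner that lists every secret-bearing statement in a Junos config and separates the reversible $9$ values (VRRP, IKE PSK, BGP keys) from hashed $N$ values, so you know exactly what is exposed before a config is shared, attached to a ticket or checked into a repo. The configuration excerpt and the secret strings are constructed samples with no meaning.

```python
import re

# Constructed Junos configuration excerpt; the $9$ and $6$ values are made up.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$6$placeholderhash"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.2/24 {
                    vrrp-group 1 {
                        authentication-key "$9$abcdEFGHijkl"; ## SECRET-DATA
                    }
                }
            }
        }
    }
}
security {
    ike {
        policy ike-pol {
            pre-shared-key ascii-text "$9$mnopQRSTuvwx"; ## SECRET-DATA
        }
    }
}
protocols {
    bgp {
        group ext {
            authentication-key "$9$yzAB12CDefGH"; ## SECRET-DATA
        }
    }
}
"""

# statement words, then a quoted value that starts with $<digits>$
SECRET_RE = re.compile(
    r'^[ \t]*(?P<stmt>[\w-]+(?:[ \t]+[\w-]+)*)[ \t]+"(?P<val>\$\d+\$[^"]*)"',
    re.M,
)


def find_obfuscated(config_text):
    """Return [(line_no, statement, kind)] for every $N$ secret in the config."""
    hits = []
    for m in SECRET_RE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        kind = "reversible" if m.group("val").startswith("$9$") else "hashed"
        hits.append((line_no, m.group("stmt"), kind))
    return hits


def reversible_only(config_text):
    """Only the $9$ entries: these are recoverable by anyone holding the file."""
    return [h for h in find_obfuscated(config_text) if h[2] == "reversible"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line_no, stmt, kind in find_obfuscated(text):
        print("line %3d  %-10s %s" % (line_no, kind, stmt))
```

Run it against a saved configuration; every line reported as reversible is a key that must be treated as disclosed if that file ever leaves trusted hands.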




Tuesday, March 7, 2017

Certificate with a limited subject field

The age-old story of what's needed for a certificate subject, such as Country, State, Locality, etc.


Here's a basic certificate with just a CN:

{ An MS RDP certificate }

Here's another example:



{ A Juniper SRX }


RADIUS TAGs with JumpCloud

In this post we will look at account controls using tags. Ben@jumpcloud suggested this is the best way for controlling user access, and for turning off accounts without actually "deleting" the user account from the portal.

With tags, you bind the RADIUS server and users to a tag. So only users within that tag combination have authentication access via that RADIUS client profile.

In my example, we have 3 users named user1, user2, user3.

The tag defined is as follows: SOCBLOG01




Each user is bound to that tag and the RADIUS client.




For LDAP-aaS you will need to click the  tag  button.





JumpCloud LDAP-aaS with FortiMail remote authentication

Here's a blog started that will be a series of JumpCloud configurations for the FTNT FortiMail appliance.


This 1st one up is a HOWTO with LDAP for authentication. The cfg is simple and can also be used for group and user verification.






You can authenticate remote FortiMail clients using the cloud-hosted JumpCloud LDAP-as-a-Service.

The JumpCloud LDAP servers are located at the following IPv4 addresses. They are hosted in an AWS cloud instance.

We have the LDAP servers at the following URIs:

### URI/LDAP Server ###

ldaps://ldap.jumpcloud.com:636     ( secured )
ldap://ldap.jumpcloud.com:389       ( not secured )




You can find all of this  information in the jumpcloud utility shell script.
{ jumpcloud_test_utility.sh }







In my cfg, I'm using LDAPS for this configuration. This will ensure communications are secured between the LDAP client and the JumpCloud instance.




1: We define our Base/Bind DN and authentication users; you will need the LDAP bind user account and group-id #.



2: Then you need the following cfg details in the advanced options.


3: Then we can test using the LDAP test.






Or just login and test:





Here's a simplified view of what a cfg would encompass.





