An inbound email carries an SMTP RCPT TO: recipient (the envelope recipient) in the protected email domain, and that is the address we will verify.
This is common practice with ESAs and email gateways: verify that the recipient exists in the local email domain and eliminate spam addressed to users who do not exist.
Just like in my earlier blog posts, the JumpCloud LDAP-aaS can be used with these appliances to verify the recipient address. The steps are outlined below, together with diagrams of possible deployment solutions.
1st, create an LDAP profile as shown in one of my earlier blog posts:
http://socpuppet.blogspot.com/2017/03/jumpcloud-ldap-aas-with-fortimail.html
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2z-1VIx7IyQFfdg5QzacSm9gYEL-lVORuDag8dIBF1mkbael6NHY3ZTyRxyl5mlU2cLOLIozQx4UuACFML7l5Ew0vjRkiFUwSkEaRqjjW1fF_RRXS9JvAqh7PuwhhzPhp7zHx2qTdaNg/s400/tips.png)
2nd, apply the named LDAP profile to the protected email domain:
Mail Settings > Domains > LDAP User Profile
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF_VUL7lTFR1uL9ozx-tlz_3S_jQKA6Huam-a1ubzeAXXM9gyAKLmkZV6j3S5gOsVrdQBRSKysGJ05YqZpmZUfJxa3yiBjWuODd2XOaz2Rm_Mv4O0klyiTslFAq9bW6sLIdGoIjYfZ2x0/s640/LDAPPROFILEfordomain.png)
3rd, VERY VERY IMPORTANT: apply a recipient policy and select your LDAP profile under
Policy > Recipient
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLyqP1kQDmSw9YDXOlf7YMDVpr3_E1LS3epohbBuEQQUxA_-U2Cp-jMO8rSI70j7BlBoUDtndafxrSFEb8WhCSRqSZFhiFkR_kZeuN_oHa1Y9WJ7pycKrZlDcbcTiwtgE1sEH0Sr5m6k/s640/policy12.png)
Keep in mind that recipient policies are central to FortiMail mail processing, so be cautious of the pecking order. Move and re-adjust the policies as required.
Send a test email. In my case the address ldap2@socpuppets.com is not a local mailbox on the FortiMail (acting as a mail server), so it was bounced:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBAbqoIv8DoycOZgvhDNaneScSPMhxlGm7SmGr1hmwHre3ySs8e27QULUkWQNpqPazBpwD073YTniL0YZ2OJvMvU_gB17eCT-_tv8a_Wq3C07Frxjj_AOFhMImKpRwYFkpGrfWbVJrZ4w/s640/TEST_EMAIL.png)
Logs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAYDjlH7bbEKS2Iym3X0wHHT-z-NxNXcgT2E3695fpQ4gkA-31cNT7JbR3BefSs0aOz3NmOfAfC3TRKqFhIb-5Z0BiuBg0tdXX8IzjF_UpXJT479u45U8lMorHZvKrCK0Is4JsAFvBjM8/s640/LOG_short.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVQK8JZWBwgA8ew-VdfQJP36s5begPeiXFMSDRrgqB0wmzMcI78ZnQwiF_UCWleb1STNBIMmJZFVV4HXgB9ViTmgcm_RAt1P97t8OfxooimVZ9A0_PZN6uE3o7y0EyCw-8DUKVBQ_ThZw/s640/DETAIL_LOG.png)
First match wins. So, just like in a firewall policy, specify the most specific policy first, e.g. with top-to-bottom ordering:

    RCP-policy 111 info@socpuppets.com { no verification }
    RCP-policy 12  *@socpuppets.com { verification via LDAP profile with JumpCloud }
    RCP-policy 18  googleblogger@socpuppets.com { no verification }

The last policy will never be matched, because the "*" wildcard policy precedes it. So the ordering of the policies, regardless of their assigned ID numbers, is very, very important!
And my final tip: always review the logs on the FortiMail ESA. For any match, the event logs show the policy # that matched and the disposition.
A recipient that fails verification generates a bounce-back and is never delivered to the inside Exchange servers.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv_MLkxAl1aTXiPwtrXz4n8Qz_CzFaGs6sBPxt2CzkJw8OJlZdcC7ZyRzMsHTvsk4uOX5Magb25F0-zzazQon9SWjjQIOVqd3kR3Lu0FSJ5SxwHIiohHuciw2bAwjagnWg2eqQsZUhQUQ/s640/bounceback2.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6x3AJwLJrcSIO6oFGcXU4BRkrWcdMzdqPX4xdxMPosfFuA1HwIGFrzVYpBod3VwGR6J9gJMHwSWPqHdweZIFK0OmyZgDRvLRM9FvB9lZlWUfGDkv3HiJ9wsOIKsLQvZ9J6kKRg8dIC0E/s640/bounceback1.png)
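To make the "first match wins" rule and the resulting disposition concrete, here is an added Python example (my own illustration, not FortiMail code or anything from the original post). It models the three recipient policies above in their top-to-bottom order, evaluates a RCPT TO: address the way the post describes, and includes a small shadow check that reports any policy an earlier wildcard makes unreachable. The `DIRECTORY` set is a constructed stand-in for what the JumpCloud LDAP lookup would return; the `*`-only glob syntax and the disposition strings are my assumptions, not the appliance's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RecipientPolicy:
    policy_id: int       # the number FortiMail displays; it does NOT decide precedence
    recipient: str       # recipient pattern, '*' is the only wildcard (assumed syntax)
    verify_ldap: bool    # True = the policy checks the recipient against the LDAP profile


# Constructed sample: the three policies from the post, in their top-to-bottom order.
POLICIES: List[RecipientPolicy] = [
    RecipientPolicy(111, "info@socpuppets.com", False),
    RecipientPolicy(12, "*@socpuppets.com", True),
    RecipientPolicy(18, "googleblogger@socpuppets.com", False),
]

# Constructed stand-in for the LDAP directory: the mailboxes JumpCloud would answer for.
DIRECTORY: Set[str] = {"ken@socpuppets.com", "helpdesk@socpuppets.com"}


def _to_regex(pattern: str) -> "re.Pattern":
    """Turn a '*' glob into an anchored, case-insensitive regex."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def first_match(policies: Iterable[RecipientPolicy], address: str) -> Optional[RecipientPolicy]:
    """Top-to-bottom evaluation: the first policy whose pattern matches wins."""
    for policy in policies:
        if _to_regex(policy.recipient).match(address):
            return policy
    return None


def disposition(policies: Iterable[RecipientPolicy], address: str, directory: Set[str]) -> str:
    """What the gateway does with a RCPT TO: address under the first matching policy."""
    policy = first_match(policies, address)
    if policy is None:
        return "reject: no recipient policy matched"
    known = {entry.lower() for entry in directory}
    if policy.verify_ldap and address.lower() not in known:
        return f"bounce: policy {policy.policy_id} verified via LDAP, recipient unknown"
    return f"accept: policy {policy.policy_id}"


def shadowed_policies(policies: List[RecipientPolicy]) -> List[Tuple[int, int]]:
    """Return (later_id, earlier_id) pairs where the later policy can never match.

    An earlier glob covers a later one exactly when the earlier regex matches the
    later *pattern text*: literal segments never contain '*', so the only thing that
    can absorb a '*' in the later pattern is a '*' in the earlier one.
    """
    found: List[Tuple[int, int]] = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _to_regex(earlier.recipient).match(later.recipient):
                found.append((later.policy_id, earlier.policy_id))
                break
    return found


if __name__ == "__main__":
    for addr in ("info@socpuppets.com", "ldap2@socpuppets.com", "googleblogger@socpuppets.com"):
        print(f"{addr:32} -> {disposition(POLICIES, addr, DIRECTORY)}")
    for later, earlier in shadowed_policies(POLICIES):
        print(f"WARNING: policy {later} is shadowed by policy {earlier} and will never match")
```

Running it shows ldap2@socpuppets.com bouncing under policy 12, as in the test email above, and googleblogger@socpuppets.com taking the same path even though policy 18 was meant to exempt it; the shadow check flags policy 18 against policy 12. Re-running `shadowed_policies` after moving the specific policy above the wildcard returns an empty list, which is the ordering check worth doing before trusting a policy table.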
Deploying an LDAP service and profile, backed by an LDAP-aaS provider like JumpCloud, lets you apply good anti-spam filtering and secure email delivery.
https://jumpcloud.com
Now here are some deployment diagrams. The 1st supplements your local LDAP server with JumpCloud as a fallback. Great for an enterprise or org that is rebuilding or upgrading its local AD server but still needs an active LDAP service available. Here we achieve this with SLB, prioritizing LDAP queries to the local LDAP server and falling back to JumpCloud when the local service is not functional, down or interrupted.
The next diagram shows a simple design that solely uses a single JumpCloud instance for recipient verification, with multiple MUAs sending mail to valid and non-valid recipients.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtchqpjuPTKs-jnvGSpLWbL2_YGc7Z_Q_C8DK9Vo-WtQS2SBw6Z8zYTLS3p8eFBku562JmI6oOOodlILYgyQOY7Ry-r1EbCqwg5PuGKPJ7xiKgUkyidAknP0CxfTSaNDC_6-Uky-WFs9w/s640/typical.png)
And lastly, the email-hosting provider arena, where you might have a single ESA or a pair of ESA email appliances that must serve multiple hosted protected email domains. Here you could create multiple JumpCloud org-ids and build a unique LDAP profile for each hosted email domain.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4EaILgc7m0x8c1juQnZdxkutfnwUhkbieoWIsr3NRs0Hw05l79QFImE7fIVcfLulJafBhANfv-AOtJ1sgHjuXJJSXfje-tp0pwdSs4ShpQ-14dqjHgWJQ9tP-iU-JLe5Y1XaBqrADCQk/s640/Screen+Shot+2017-03-28+at+4.07.54+PM.png)
A unique LDAP administrator can be assigned to each instance, controlling his/her own scope and managing that LDAP org tree, with a unique org-id and LDAP service account for that domain.
And for diagnostics, ensure you test LDAP connectivity and the correct syntax. Here we are using curl to test LDAPS to JumpCloud:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0bL9gCcKE46XC9jp_RceMHU99ZPaIyG5rRvOvcyAoW0I3QhzMDd7qJXU7UxFyvQRfUS49EZlBFa0EcyypR7tkzA368lPuFS-hD_mtdzYr413qv9G5C4sCE_s7WYLBWQh9cC-hRVfE6j0/s640/diag.png)
Always ensure the correct credentials, and use "-k" if you are using cURL and have not saved the JumpCloud public cert.
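As an added example of the same diagnostic done outside the appliance (my own script, not from the post and not JumpCloud's or Fortinet's code), the Python below builds the recipient lookup a verification profile performs, with the address escaped so it is treated as filter data rather than filter syntax, and opens a TLS session to the LDAPS port to report what was negotiated. The `verify=False` switch is the equivalent of curl's "-k". Assumptions, not facts from the post: the endpoint `ldap.jumpcloud.com:636`, the base-DN layout `ou=Users,o=<org id>,dc=jumpcloud,dc=com`, and the `mail` attribute as the lookup key; `ORG_ID` is a placeholder to replace with your own.

```python
import socket
import ssl
from typing import Dict, Optional

# Assumed (not from the post): JumpCloud's LDAPS endpoint and base-DN layout.
# Confirm both against your JumpCloud console before relying on them.
LDAPS_HOST = "ldap.jumpcloud.com"
LDAPS_PORT = 636
ORG_ID = "<YOUR_JUMPCLOUD_ORG_ID>"   # placeholder; the real org id comes from the console

# RFC 4515 escapes for the characters that carry meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so a RCPT TO: address embedded in a filter is data, not syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def recipient_filter(address: str) -> str:
    """The lookup recipient verification performs: a user whose mail attribute is the recipient."""
    return f"(mail={escape_filter_value(address)})"


def search_url(address: str, org_id: str = ORG_ID) -> str:
    """LDAP URL for the same lookup, in the form you can hand to curl as its URL argument."""
    base_dn = f"ou=Users,o={org_id},dc=jumpcloud,dc=com"
    return f"ldaps://{LDAPS_HOST}:{LDAPS_PORT}/{base_dn}?mail?sub?{recipient_filter(address)}"


def ldaps_tls_check(host: str = LDAPS_HOST, port: int = LDAPS_PORT,
                    verify: bool = True, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Open a TLS session to the LDAPS port and report what was negotiated.

    verify=False behaves like curl's -k: the handshake still completes, but the server
    certificate is not checked, so a passing result no longer proves you reached the
    genuine endpoint. Install the CA/public cert and keep verify=True once it is saved.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}            # empty dict when verify=False
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "certificate_verified": "yes" if verify else "no (-k equivalent)",
                "subject_cn": subject.get("commonName"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    print("search URL:", search_url("ldap2@socpuppets.com"))
    try:
        for key, value in ldaps_tls_check().items():
            print(f"{key:22} {value}")
    except OSError as exc:   # DNS, firewall and certificate failures all surface here
        print("LDAPS check failed:", exc)
```

The URL builder and filter escaping run offline; the TLS check needs egress to the LDAPS port, and a certificate error from it is the signal that the public cert still has to be saved on the appliance rather than a reason to leave "-k" in place permanently.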
Ken
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \