Gateways and LDAP Verification
LDAP - Lightweight Directory Access Protocol
LDAP Verification Introduction
Gateway filters can be under tremendous load, since they accept all email destined for the served domain. Every message, whatever its recipient, is accepted, filtered and, if not blocked as spam, forwarded on to MS Exchange (or another server). A full-featured mail server/gateway such as MDaemon
will have LDAP verification functionality, so that email destined for the gateway undergoes LDAP verification of the recipient before being accepted, filtered, and forwarded on to Exchange. Mail for addresses that do not exist in the directory is rejected at the gateway instead of being filtered, relayed, and bounced later. Using LDAP for authentication is another subject, covered later.
A discussion of LDAP and how it works is beyond the scope of this document, and it is a difficult subject to get your arms around without a concrete project that needs an LDAP schema implemented. What will be covered is the basics of how a Windows Active Directory schema is typically arranged, without needing to be an LDAP expert.
The best detailed source on LDAP is the OpenLDAP project. It contains a wealth of information and documentation on the LDAP protocol, as well as the open source code for the OpenLDAP server and its command-line client tools.
LDAP Browsers
The directory structure of your corporate LDAP server is not something that can simply be divulged here. It all depends on how the directory structure was set up during installation. Fortunately, there are LDAP browsers that make figuring out your schema much easier. Softerra LDAP Browser is available as a freeware download. The better browser of the two is Jarek Gawor's LDAP Browser/Editor. The latter is written in Java, so the JRE is required, but that is already present on most PCs. It loads large directory structures much faster than Softerra and allows editing of an LDAP directory structure. This is the browser referred to in this document.
LDAP Browsing - discovering the LDAP directory structure
The best way to start with the LDAP browser is to create a new connection and use the Fetch DNs feature for discovery. Refer to the built-in help system for instructions. You may need to use Anonymous Bind; this works because an LDAPv3 server publishes its naming contexts in its root entry (the rootDSE), which Active Directory lets you read without credentials. This should fetch at least a partial Base DN, which will look something like dc=mycompany,dc=com, where mycompany and com correspond to your domain name. The full Base DN might contain additional DC elements, for example dc=corp,dc=mycompany,dc=com.
The Bind DN or User DN will typically look something like:
cn=administrator,cn=users,dc=mycompany,dc=com or cn=administrator,cn=users,dc=corp,dc=mycompany,dc=com.
With these examples, you should be able to work your way around Windows Active Directory and figure out what the Base DN needs to look like.
With the Base DN figured out, prepend cn=administrator,cn=users to derive the User DN or Bind DN. Next comes the password for the User / Bind DN, which hopefully you know. Note that recipient verification only needs read access to user objects, so once you have confirmed the structure with the administrator account, a dedicated low-privilege account whose credentials sit in the gateway's configuration is the better choice for the Bind DN.
The point of this exercise is to put together the correct Base DN and User or Bind DN so that you can browse Active Directory and see all the users listed. If you don't get this part right with a browser, it won't be correct when you configure the gateway to use LDAP verification. If your gateway cannot verify, it will likely start rejecting all incoming email, since every verification attempt will fail. A wrong Base DN, a bad password, or an unreachable domain controller all look the same to the gateway: no recipient is ever found.
Configuring the gateway for LDAP verification
Once you are able to browse Active Directory and you know the Base DN, you're ready to configure your gateway to perform LDAP verification lookups.
- Set Object class to top. Every entry carries top as its root class, so this does not narrow the search; if the gateway lets you choose, user restricts matches to accounts.
- Set Bind and Base DNs according to what you discovered with your LDAP browser.
- If an Attribute containing email address is asked for, set it to mail, proxyAddresses. The mail attribute holds the primary address; proxyAddresses holds every SMTP address of the mailbox, each value prefixed with SMTP: (primary) or smtp: (alias), so aliases are only verified if the gateway knows to match that second attribute.
That should be it. If you have a test button and it complains that your configuration isn't working, re-check the Base DN, Bind DN and password against the values that worked in the browser before going further. Then turn verification on and watch your log files: confirm that a known-good recipient is verified and that a made-up address is rejected. If legitimate recipients start being rejected, every lookup is failing, so turn verification off again until the lookup works in the browser.
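The lookup the gateway performs, as an added example that is not part of the original article or of any particular gateway product: it derives the Base DN and Bind DN from a domain name, builds the recipient filter over objectClass, mail and proxyAddresses with the value escaped as RFC 4515 requires (the recipient address comes from an untrusted SMTP client), evaluates it against a small constructed stand-in for Active Directory, and shows the decision a gateway should make when the directory itself cannot be queried. The domain, account and directory entries are assumed example data.

```python
"""Recipient verification lookup as a mail gateway performs it.
Added example, not code from the article or from MDaemon. The directory
below is constructed demo data; no LDAP server is contacted."""


def base_dn_from_domain(domain: str) -> str:
    """'corp.mycompany.com' -> 'dc=corp,dc=mycompany,dc=com' (assumed example domain)."""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def bind_dn(base_dn: str, account: str = "administrator") -> str:
    """Built-in AD accounts live in the Users container, cn=Users, under the base."""
    return f"cn={account},cn=users,{base_dn}"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a filter assertion value: '*', '(', ')', '\\' and NUL
    become a backslash plus two hex digits. Without this, a crafted RCPT TO
    address can rewrite the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def recipient_filter(address: str, object_class: str = "top") -> str:
    """Filter matching a mailbox whose primary (mail) or secondary (proxyAddresses)
    SMTP address equals the recipient. This string can be pasted into ldapsearch."""
    esc = ldap_escape(address)
    return f"(&(objectClass={object_class})(|(mail={esc})(proxyAddresses=smtp:{esc})))"


# Constructed stand-in for what Active Directory would return. proxyAddresses
# uses 'SMTP:' for the primary address and 'smtp:' for aliases; AD compares
# the attribute case-insensitively. The computer object shows why
# objectClass=user is wider than it looks: computers inherit from user.
CONSTRUCTED_DIRECTORY = [
    {"dn": "cn=Alice Example,cn=users,dc=corp,dc=mycompany,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "mail": "alice@mycompany.com",
     "proxyAddresses": ["SMTP:alice@mycompany.com", "smtp:a.example@mycompany.com"]},
    {"dn": "cn=Print Server,cn=computers,dc=corp,dc=mycompany,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "mail": None,
     "proxyAddresses": []},
]


def _matches(entry: dict, address: str, object_class: str) -> bool:
    """Evaluate the condition recipient_filter() expresses, case-insensitively,
    against one entry, the way the server would."""
    want = address.lower()
    if object_class.lower() not in (c.lower() for c in entry["objectClass"]):
        return False
    if (entry.get("mail") or "").lower() == want:
        return True
    return any(p.lower() == f"smtp:{want}" for p in entry.get("proxyAddresses", []))


def lookup(address: str, directory=CONSTRUCTED_DIRECTORY, object_class: str = "top"):
    """Return the DNs of entries that match the recipient (the search result)."""
    return [e["dn"] for e in directory if _matches(e, address, object_class)]


class LdapUnavailable(Exception):
    """Bind refused, wrong Base DN, or domain controller unreachable."""


def verify_recipient(address: str, lookup_fn=lookup):
    """Gateway decision as an (SMTP code, text) pair. A lookup that cannot run is
    a temporary failure so the sender retries; only a search that succeeds and
    finds nothing earns a permanent rejection. A gateway that treats both cases
    as 'not found' rejects all mail the moment the bind breaks."""
    try:
        hits = lookup_fn(address)
    except LdapUnavailable as exc:
        return 451, f"4.3.0 directory unavailable, try later ({exc})"
    if hits:
        return 250, f"2.1.5 recipient ok ({hits[0]})"
    return 550, "5.1.1 user unknown"


if __name__ == "__main__":
    base = base_dn_from_domain("corp.mycompany.com")
    print(base, "|", bind_dn(base))
    for rcpt in ("Alice@MyCompany.com", "a.example@mycompany.com",
                 "nobody@mycompany.com", "*)(mail=*"):
        print(rcpt, recipient_filter(rcpt), verify_recipient(rcpt))

    def _directory_down(_address):
        raise LdapUnavailable("invalid credentials")

    print(verify_recipient("alice@mycompany.com", _directory_down))
```

The filter string the block produces is the one to try from a shell before trusting the gateway's test button, for example with the OpenLDAP client: `ldapsearch -x -H ldap://dc1.corp.mycompany.com -D "cn=administrator,cn=users,dc=corp,dc=mycompany,dc=com" -W -b "dc=corp,dc=mycompany,dc=com" '(&(objectClass=top)(|(mail=alice@mycompany.com)(proxyAddresses=smtp:alice@mycompany.com)))' mail proxyAddresses` (host name assumed). One hit for a real mailbox and zero for a made-up address is what the gateway's log should then show; the injection case in the block's main section is rejected only because the address is escaped before it reaches the filter.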