Course 221 - FortiMail Email Filtering
Module 9: LDAP
© 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726
Module Objectives
• By the end of this module, you will be able to:
  » Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server
  » Set up group-based email inspection using group attributes defined in an existing LDAP server
LDAP Profile
• The FortiMail unit can be configured to consult an LDAP server for many items that you would normally configure locally, such as:
  » User Query
  » Group Query
  » User Authentication
  » User Alias
  » Mail Routing
  » Address Mapping
  » Domain lookup
LDAP Profile
• The main section of every LDAP profile is User Query Options
• It contains key elements such as the object class and attributes to query, the bind DN and the base DN
User Query Options
• The User Query Options area is also used to define the attributes used to search for an object’s DN starting from its email address
• This functionality can be used in the following scenarios:
  » Recipient address verification
  » Automatic removal of invalid quarantine accounts
  » Domain verification
Browse Directory Tree
• An administrator can browse the directory tree from User Query Options
Browse Directory Tree Sample Output
Valid Recipient LDAP Search Sequence (FortiMail unit and AD server)
1. FortiMail unit → AD server: LDAP Bind Request, Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
2. AD server → FortiMail unit: LDAP Bind Response: Success
3. FortiMail unit → AD server: LDAP Search Request, Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab, Filter: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:[email protected])([email protected])))
4. AD server → FortiMail unit: LDAP SearchResEntry, Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab
Invalid Recipient LDAP Search Sequence (FortiMail unit and AD server)
1. FortiMail unit → AD server: LDAP Bind Request, Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
2. AD server → FortiMail unit: LDAP Bind Response: Success
3. FortiMail unit → AD server: LDAP Search Request, Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab, Filter: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:[email protected])([email protected])))
4. AD server → FortiMail unit: LDAP SearchResDone: Success, 0 results
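As an added example (not code from the course or from FortiMail), the following Python simulates the valid and invalid recipient lookups shown in the two sequences above: a small in-memory dictionary stands in for the AD server, a minimal RFC 4515 filter evaluator stands in for its search engine, and the result is either the matched object's DN (a SearchResEntry) or None (SearchResDone with 0 results). The directory entries, the email addresses (the slide's were redacted), the `$m` placeholder and the filter template are assumptions modelled on the slide's search request. The example also shows why the recipient address must be escaped before it is substituted into the filter: an address containing `)` or `*` must be matched literally, not reinterpreted as filter syntax.

```python
"""Simulation of FortiMail-style recipient address verification against an
LDAP directory.  Added example, not FortiMail or Fortinet code."""
import re

# Constructed lab directory.  The DNs reuse the container shown on the slide;
# the e-mail addresses are made up (the slide's were redacted).
BASE_DN = "CN=Users,DC=trainingAD,DC=training,DC=lab"
DIRECTORY = {
    "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "person", "User"],
        "mail": ["user1@trainingad.training.lab"],
        "proxyAddresses": ["SMTP:user1@trainingad.training.lab",
                           "smtp:sales@trainingad.training.lab"],
    },
    "CN=Printers,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "publicFolder"],
        "proxyAddresses": ["smtp:printers@trainingad.training.lab"],
    },
    # A group object: it has a mail attribute but is neither a User nor a
    # publicFolder, so the filter's objectClass clause rejects it.
    "CN=Team,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "group"],
        "mail": ["team@trainingad.training.lab"],
    },
}

# Assumed template: $m is replaced by the escaped recipient address.  The
# shape of the filter follows the slide's search request.
RECIPIENT_FILTER = ("(&(|(objectClass=User)(objectClass=publicFolder))"
                    "(|(proxyAddresses=smtp:$m)(mail=$m)))")

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe substitution into a search filter (RFC 4515 s.3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_recipient_filter(recipient, template=RECIPIENT_FILTER):
    """Substitute the escaped recipient address for every $m in the template."""
    return template.replace("$m", escape_filter_value(recipient))


def _unescape(value):
    # Turn \XX hex escapes back into the literal characters they encode.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value) nodes."""
    node, end = _parse_at(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter: %r" % text[end:])
    return node


def _parse_at(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_at(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %r list at offset %d" % (op, pos))
        return (op, children), pos + 1
    # Equality item: because ')' inside values is escaped, the first raw ')' ends it.
    close = text.find(")", pos)
    if close < 0:
        raise ValueError("unterminated item at offset %d" % pos)
    attr, sep, value = text[pos:close].partition("=")
    if not sep:
        raise ValueError("unsupported item %r" % text[pos:close])
    return ("=", attr, _unescape(value)), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute keys lowercased)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # AD compares these attributes case-insensitively; mirror that here.
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def ldap_search(base_dn, filter_text, directory=DIRECTORY):
    """Return the DNs under base_dn (subtree scope) whose entry matches the filter."""
    node = parse_filter(filter_text)
    hits = []
    for dn, attrs in directory.items():
        if dn.lower().endswith(base_dn.lower()):
            if matches(node, {k.lower(): v for k, v in attrs.items()}):
                hits.append(dn)
    return hits


def verify_recipient(recipient, base_dn=BASE_DN, directory=DIRECTORY):
    """A SearchResEntry means the recipient is valid (its DN is returned);
    SearchResDone with 0 results means it is rejected (None)."""
    hits = ldap_search(base_dn, build_recipient_filter(recipient), directory)
    return hits[0] if hits else None


if __name__ == "__main__":
    for rcpt in ("user1@trainingad.training.lab", "sales@trainingad.training.lab",
                 "printers@trainingad.training.lab", "team@trainingad.training.lab",
                 "nobody@trainingad.training.lab", "a)(objectClass=*"):
        print("%-34s -> %s" % (rcpt, verify_recipient(rcpt) or "rejected (0 results)"))
```

The `sales@` address resolves to User1 through its secondary `proxyAddresses` value, which is why the slide's filter checks that attribute in addition to `mail`; the `team@` address is rejected even though an object carries it, because the object is a group rather than a User or publicFolder. The last input demonstrates that an escaped recipient address cannot alter the structure of the query.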
Group Query
• The LDAP directory can be queried for group membership
• This functionality provides the ability to clearly identify whether an object is part of a group
• All the users located in the same container will be considered part of the same group
Group Query Verify
• You can query the LDAP directory to verify LDAP connectivity and lookup results as follows (steps 1 to 3 are shown as callouts on a screenshot not reproduced here)
User Authentication
• A user’s credentials can be verified using LDAP by configuring User Authentication Options
User Alias
• The User Alias option is used to dynamically resolve email aliases to real email addresses by querying a directory server
• One advantage of this option is the handling of quarantine reports, because the FortiMail unit maintains a single quarantine mailbox at each user’s primary email account
User Alias
• Attribute name that contains the list of real email addresses
• Attribute that uniquely identifies the object used for the alias resolution
LDAP Advanced Options
• To optimize the usage of LDAP queries, enable the caching capabilities from Advanced Options
Mail Routing
• Email can be routed to a backend SMTP server that differs from the one associated with the MX record or statically configured in the protected domain section
• The Mail host attribute field defines the MTA (FQDN or IP address) to which the email should be sent
• The Mail routing address attribute field is matched against the recipient address
  » When an email for a recipient matching this attribute is received, it is routed to the MTA specified by the Mail host attribute
Lab Network
Lab 8: LDAP
• Objectives – To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy for a group of users
• Tasks – Ex 1: Recipient Address Verification – Ex 2: Group Based Spam Inspection
• Estimated time to complete the lab: 30 minutes