FortiMail-09-LDAP

Course 221 - FortiMail Email Email Filtering

LDAP

LDAP Module 9

© 2013 Fortinet Inc. All r ights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams 1 or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726 

Module Objectives • By the end of this module, you will be able to: » Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server  » Set up group-based email inspection using group attributes defined in an existing LDAP server 

2

06-50000-0221-20130726

1

Course 221 - FortiMail Email Email Filtering

LDAP

LDAP Profile • The FortiMail unit can be configured to consult an LDAP server for many items that you would normally configure locally such as: » User Query » Group Query » User Authentication » User Alias » Mail Routing » Address Mapping Mapping » Domain lookup

3

LDAP Profile • Main section of every LDAP profile is User Query Options • Contains key elements such as class attributes to query, bind and base DN

4

06-50000-0221-20130726

2

Course 221 - FortiMail Email Email Filtering

LDAP

User Query Options • User Query Options area is also used to define the attributes to search for an object’s DN starting from its email address • This functionality can be used in the following scenarios: » Recipient address verification » Automatic removal removal of invalid invalid quarantine accounts » Domain verification

5

Browse Directory Tree • An administrator can browse browse the directory tree from User Query Options

6

06-50000-0221-20130726

3

Course 221 - FortiMail Email Email Filtering

LDAP

Browse Directory Tree Sample Output

7

Valid Recipient LDAP Search Sequence

LDAP Bind Request Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab Bind Bind

1     t     i    n     U     l     i    a     M     i     t    r    o     F

LDAP Bind Response Success

2 LDAP Search Request Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab LDAP Search: (&(|objectClass=User)(objectClass=publicFolder)) (|(proxyAddresses=smtp:[email protected])([email protected])))

3

   r    e    v    r    e     S     D     A

LDAP SearchResEntry Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab

4

8

06-50000-0221-20130726

4

Course 221 - FortiMail Email Email Filtering

LDAP

Invalid Recipient LDAP Search sequence

LDAP Bind Request Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab Bind Bind

1 LDAP Bind Response Success

    t     i    n     U     l     i    a     M     i     t    r    o     F

2

   r    e    v    r    e     S     D     A

LDAP Search Request Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab LDAP Search: (&(|objectClass=User)(objectClass=publicFolder)) (|(proxyAddresses=smtp:[email protected])([email protected])))

3

LDAP SearchResDone Success 0 Results

4

9

Group Query • The LDAP directory can be queried for group membership • This functionality provides the ability to clearly identify if an object is part of a group

 All the users located located in the same container will be considered part of the same group

10

06-50000-0221-20130726

5

Course 221 - FortiMail Email Email Filtering

LDAP

Group Query Verify • You can query the LDAP directory to verify LDAP connectivity and lookup results as follows: 1

2

3

11

User Authentication • User’s credentials can be verified using LDAP by configuring User  Authentication Options

12

06-50000-0221-20130726

6

Course 221 - FortiMail Email Email Filtering

LDAP

User Alias • User Alias option is used to dynamically resolve email aliases to real email addresses by querying a Directory Server  • One advantage of this option is the handling of quarantine reports because the FortiMail unit maintains a single quarantine mailbox at each user’s primary email account

13

User Alias

 Attribute name that that contains the list of real email addresses  Attribute that uniquely uniquely identifies the object used for the alias resolution

14

06-50000-0221-20130726

7

Course 221 - FortiMail Email Email Filtering

LDAP

User Alias

15

LDAP Advanced Options • To optimize the usage of the LDAP queries, enable the caching capabilities from Advanced Options Option s

16

06-50000-0221-20130726

8

Course 221 - FortiMail Email Email Filtering

LDAP

Mail Routing • Email can be routed to a backend SMTP server that differs from the one associated to the MX record or statically configured in the protected domain section • The field Mail host attribute defines the MTA (FQDN or IP) where the email should be sent • The field Mail routing address attribute matches the recipient address » When an email for this attribute is received the email will be routed to the MTA specified for Mail host attribute

17

Lab Network

18

06-50000-0221-20130726

9

Course 221 - FortiMail Email Email Filtering

LDAP

Lab 8 LDAP

•

Objectives  – To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy to a group of users

•

Tasks  – Ex 1: Recipient Address Verification  – Ex 2: Group Based Spam Inspection

•

Estimated time to complete the lab: 30 minutes

19

06-50000-0221-20130726

10