User Guide
25-2
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 25 LDAP Queries
Overview of LDAP Queries
• Creating LDAP Server Profiles to Store Information About the LDAP Server, page 25-5
• Testing LDAP Servers, page 25-6
• Enabling LDAP Queries to Run on a Particular Listener, page 25-7
• Enhanced Support for Microsoft Exchange 5.5, page 25-9
Understanding LDAP Queries
If you store user information within LDAP directories in your network infrastructure, you can configure the appliance to query your LDAP server for the following purposes:
• Acceptance Queries. You can use your existing LDAP infrastructure to define how the recipient email address of incoming messages (on a public listener) should be handled. For more information, see Using Acceptance Queries For Recipient Validation, page 25-19.
• Routing (Aliasing). You can configure the appliance to route messages to the appropriate address and/or mail host based upon the information available in LDAP directories on your network. For more information, see Using Routing Queries to Send Mail to Multiple Target Addresses, page 25-20.
• Certificate Authentication. You can create a query that checks the validity of a client certificate in order to authenticate an SMTP session between the user’s mail client and the Email Security appliance. For more information, see Checking the Validity of a Client Certificate, page 26-51.
• Masquerading. You can masquerade Envelope Senders (for outgoing mail) and message headers (for incoming mail, such as To:, Reply-To:, From: or CC:). For more information about masquerading, see Using Masquerading Queries to Rewrite the Envelope Sender, page 25-21.
• Group Queries. You can configure the appliance to perform actions on messages based on the groups in the LDAP directory. You do this by associating a group query with a message filter. You can perform any message action available for message filters on messages that match the defined LDAP group. For more information, see Using Group LDAP Queries to Determine if a Recipient is a Group Member, page 25-23.
• Domain-based Queries. You can create domain-based queries to allow the appliance to perform different queries for different domains on a single listener. When the Email Security Appliance runs the domain-based queries, it determines the query to use based on the domain, and it queries the LDAP server associated with that domain.
• Chain Queries. You can create a chain query to enable the appliance to perform a series of queries in sequence. When you configure a chain query, the appliance runs each query in sequence until the LDAP server returns a positive result.
• Directory Harvest Prevention. You can configure the appliance to combat directory harvest attacks using your LDAP directories. You can configure directory harvest prevention during the SMTP conversation or within the work queue. If the recipient is not found in the LDAP directory, you can configure the system to perform a delayed bounce or drop the message entirely. Consequently, spammers are not able to differentiate between valid and invalid email addresses. See Using LDAP For Directory Harvest Attack Prevention, page 25-29.
• SMTP Authentication. AsyncOS provides support for SMTP authentication. SMTP Auth is a mechanism for authenticating clients connected to an SMTP server. You can use this functionality to enable users at your organization to send mail using your mail servers even if they are connecting remotely (e.g. from home or while traveling). For more information, see Configuring AsyncOS for SMTP Authentication, page 25-32.
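The following is an added example, not code from Cisco or AsyncOS: it models the acceptance-query, chain-query and work-queue directory harvest prevention behaviour described above against a constructed in-memory directory standing in for the LDAP server. The {a}/{u}/{d} filter tokens are an assumption about the query syntax taken from elsewhere in this guide, the directory entries are constructed, and the filter evaluator only understands simple equality filters.

```python
import re

# Constructed sample directory: DN -> attributes, as an LDAP search would return them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "mail": "alice@example.com", "proxyAddresses": ["sales@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": "bob@example.com"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the recipient address is supplied by the SMTP client,
    so it is never spliced into a search filter unescaped."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_filter(template: str, rcpt: str) -> str:
    """Substitute the query tokens ({a} full address, {u} user part, {d} domain);
    the token names are an assumption, not taken from this overview page."""
    user, _, domain = rcpt.partition("@")
    return (template.replace("{a}", escape_filter_value(rcpt))
                    .replace("{u}", escape_filter_value(user))
                    .replace("{d}", escape_filter_value(domain)))

def search(filter_str: str) -> list[str]:
    """Minimal stand-in for the LDAP server: evaluates (attr=value) filters only."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-f]{2})", lambda e: chr(int(e.group(1), 16)), raw)
    hits = []
    for dn, attrs in DIRECTORY.items():
        vals = attrs.get(attr, [])
        vals = [vals] if isinstance(vals, str) else vals
        if value.lower() in (v.lower() for v in vals):
            hits.append(dn)
    return hits

def chain_query(templates: list[str], rcpt: str) -> bool:
    """Chain query: run each query in sequence and stop at the first positive result."""
    return any(search(build_filter(t, rcpt)) for t in templates)

# Constructed acceptance chain: primary mailbox first, then proxy addresses.
ACCEPT_CHAIN = ["(mail={a})", "(proxyAddresses={a})"]

def rcpt_decision(rcpt: str, dhap_action: str = "drop") -> tuple[str, str]:
    """Work-queue directory harvest prevention: the SMTP reply is identical for
    valid and unknown recipients, so the sender learns nothing; unknown ones are
    dropped or delayed-bounced later ("drop" or "delayed-bounce")."""
    if chain_query(ACCEPT_CHAIN, rcpt):
        return "250 recipient ok", "deliver"
    return "250 recipient ok", dhap_action
```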