
Course 221 - FortiMail Email Filtering

LDAP
Module 9

2013 Fortinet Inc. All rights reserved.

The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 06-50000-0221-20130726

Module Objectives
By the end of this module, you will be able to:
- Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server
- Set up group-based email inspection using group attributes defined in an existing LDAP server


LDAP Profile
The FortiMail unit can be configured to consult an LDAP server for many items that you would normally configure locally, such as:
- User Query
- Group Query
- User Authentication
- User Alias
- Mail Routing
- Address Mapping
- Domain lookup

LDAP Profile
The main section of every LDAP profile is User Query Options. It contains key elements such as the object class and attributes to query, the bind DN and the base DN.


User Query Options
The User Query Options area is also used to define the attributes to search for an object's DN starting from its email address. This functionality can be used in the following scenarios:
- Recipient address verification
- Automatic removal of invalid quarantine accounts
- Domain verification

Browse Directory Tree
An administrator can browse the directory tree from User Query Options.


Browse Directory Tree Sample Output

Valid Recipient LDAP Search Sequence (FortiMail unit <-> AD server)

1. LDAP Bind Request
   Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
   Bind password: <password>
   LDAP Bind Response: Success

2. LDAP Search Request
   Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
   LDAP Search: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:user2@internal1.lab)(mail=user2@internal1.lab)))
   LDAP SearchResEntry
   Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab


Invalid Recipient LDAP Search Sequence (FortiMail unit <-> AD server)

1. LDAP Bind Request
   Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
   Bind password: <password>
   LDAP Bind Response: Success

2. LDAP Search Request
   Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
   LDAP Search: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:user2@internal1.lab)(mail=user2@internal1.lab)))
   LDAP SearchResDone: Success, 0 results
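The two search sequences above, replayed against a constructed in-memory stand-in for the CN=Users container. This is an added example, not FortiMail or course code; the directory entries, the escape routine and the function names are assumptions made for the example. It builds the same filter the slides show, but escapes the recipient address per RFC 4515 first, so an address that happens to contain filter metacharacters is matched literally instead of changing the shape of the search; the lookup then returns the Object Name of a SearchResEntry, or None for the SearchResDone/0 results case.

```python
from typing import Any, Dict, List, Optional

# Constructed sample of the CN=Users container from the slides above; the entries
# and their attribute values are made up for this example.
DIRECTORY: List[Dict[str, Any]] = [
    {
        "dn": "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "mail": ["user1@internal1.lab"],
        # user2@ is a secondary SMTP address of User1, so a search for user2@
        # returns the User1 object, as in the Valid Recipient sequence.
        "proxyAddresses": ["SMTP:user1@internal1.lab", "smtp:user2@internal1.lab"],
    },
    {
        "dn": "CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "mail": [],
        "proxyAddresses": [],
    },
    {
        "dn": "CN=Sales Folder,CN=Users,DC=trainingAD,DC=training,DC=lab",
        "objectClass": ["top", "publicFolder"],
        "mail": ["sales@internal1.lab"],
        "proxyAddresses": ["SMTP:sales@internal1.lab"],
    },
]

# RFC 4515 escape table for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_recipient_filter(address: str) -> str:
    """The filter from the search sequence, with the recipient address escaped."""
    a = escape_filter_value(address)
    return (
        "(&(|(objectClass=User)(objectClass=publicFolder))"
        f"(|(proxyAddresses=smtp:{a})(mail={a})))"
    )


def _matches(entry: Dict[str, Any], address: str) -> bool:
    """Evaluate that filter against one entry. AD compares objectClass, mail and
    proxyAddresses case-insensitively, so everything is lower-cased here."""
    classes = {str(c).lower() for c in entry.get("objectClass", [])}
    if not classes & {"user", "publicfolder"}:
        return False
    addr = address.lower()
    proxies = {str(p).lower() for p in entry.get("proxyAddresses", [])}
    mails = {str(m).lower() for m in entry.get("mail", [])}
    return f"smtp:{addr}" in proxies or addr in mails


def verify_recipient(directory: List[Dict[str, Any]], address: str) -> Optional[str]:
    """Return the Object Name of the first SearchResEntry, or None when the server
    would answer SearchResDone with 0 results (the Invalid Recipient sequence)."""
    for entry in directory:
        if _matches(entry, address):
            return str(entry["dn"])
    return None


if __name__ == "__main__":
    for rcpt in ("user2@internal1.lab", "sales@internal1.lab", "nobody@internal1.lab"):
        print(build_recipient_filter(rcpt))
        print("  ->", verify_recipient(DIRECTORY, rcpt) or "0 results: reject recipient")
```

The mock evaluates the filter by literal comparison, which is exactly what a directory server does with the escaped form; a bind account used only for these lookups needs read access to the base object and nothing more.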

Group Query
The LDAP directory can be queried for group membership. This functionality provides the ability to clearly identify whether an object is part of a group.
All the users located in the same container will be considered part of the same group.
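The container rule stated above ("all the users located in the same container are part of the same group"), worked through as an added example that is not part of the course material. It splits a DN into its RDNs while honouring backslash escapes, takes everything after the first RDN as the container, and maps that container to an inspection profile; the DN parsing, the group-to-policy table and the profile names are assumptions made for the example.

```python
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs. A backslash escapes the next character (RFC 4514),
    so a comma inside a value such as CN=Doe\\, John does not split the RDN."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def container_of(dn: str) -> str:
    """The container an object lives in: its DN minus the leading RDN."""
    return ",".join(split_dn(dn)[1:])


def same_group(dn_a: str, dn_b: str) -> bool:
    """The slide's rule: objects in the same container belong to the same group.
    DN components are compared case-insensitively, as directories do."""
    return container_of(dn_a).lower() == container_of(dn_b).lower()


# Constructed mapping from container DN (lower-cased) to the inspection profile
# that should apply to every user in it; container and profile names are made up.
GROUP_POLICIES: Dict[str, str] = {
    "cn=users,dc=trainingad,dc=training,dc=lab": "antispam-default",
    "ou=sales,dc=trainingad,dc=training,dc=lab": "antispam-aggressive",
}


def policy_for(dn: str, default: str = "antispam-unmatched") -> str:
    """Pick the group policy for an object from the container it was found in."""
    return GROUP_POLICIES.get(container_of(dn).lower(), default)


if __name__ == "__main__":
    for dn in ("CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
               "CN=Bob,OU=Sales,DC=trainingAD,DC=training,DC=lab"):
        print(dn, "->", container_of(dn), "->", policy_for(dn))
```

The DN used as input is the Object Name returned by the recipient search, so a recipient that is not found never reaches the policy lookup; an object in a container with no entry in the table falls back to the default profile rather than silently getting the most permissive one.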


Group Query Verify
You can query the LDAP directory from this section to verify LDAP connectivity and lookup results.

User Authentication
Users' credentials can be verified using LDAP by configuring User Authentication Options.


User Alias
The User Alias option is used to dynamically resolve email aliases to real email addresses by querying a directory server. One advantage of this option is the handling of quarantine reports, because the FortiMail unit maintains a single quarantine mailbox at each user's primary email account.

User Alias
The User Alias settings define:
- the attribute name that contains the list of real email addresses
- the attribute that uniquely identifies the object used for the alias resolution



LDAP Advanced Options
To optimize the usage of the LDAP queries, enable the caching capabilities from Advanced Options.


Mail Routing
Email can be routed to a backend SMTP server that differs from the one associated with the MX record or statically configured in the protected domain section.
- The Mail host attribute field defines the MTA (FQDN or IP) where the email should be sent.
- The Mail routing address attribute field is matched against the recipient address.
When an email whose recipient matches this attribute is received, the email is routed to the MTA specified in the Mail host attribute.
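An added example, not FortiMail code, that ties together three of the slides above: User Alias resolution, the query caching enabled under Advanced Options, and Mail Routing. The directory entries are constructed, and the attribute names (mail and rfc822MailMember for the alias, mailRoutingAddress and mailHost for routing) are assumptions standing in for whatever the LDAP profile fields are set to. Every lookup goes through a TTL cache so repeated resolution of the same address does not reach the directory server, and a recipient with no routing entry falls back to the MX/static default.

```python
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed directory entries; attribute names are assumptions for the example.
DIRECTORY: List[Dict[str, Any]] = [
    {"dn": "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "mail": "user1@internal1.lab",
     "mailRoutingAddress": "user1@internal1.lab", "mailHost": "mta1.internal1.lab"},
    {"dn": "CN=User2,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "mail": "user2@internal1.lab",
     "mailRoutingAddress": "user2@internal1.lab", "mailHost": "10.0.1.25"},
    {"dn": "CN=sales,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "mail": "sales@internal1.lab",
     "rfc822MailMember": ["user1@internal1.lab", "user2@internal1.lab"]},
]


class TtlCache:
    """Stand-in for the caching switch under Advanced Options: a result is reused
    until its TTL expires, so repeated lookups do not hit the directory server."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: Dict[Tuple[str, str], Tuple[float, Any]] = {}

    def get_or_fetch(self, key: Tuple[str, str], fetch: Callable[[], Any]) -> Any:
        now = self.clock()
        cached = self._store.get(key)
        if cached is not None and cached[0] > now:
            return cached[1]
        value = fetch()  # negative results are cached too; size the TTL accordingly
        self._store[key] = (now + self.ttl, value)
        return value


def ldap_lookup(directory: List[Dict[str, Any]], attr: str, value: str) -> Optional[Dict[str, Any]]:
    """One equality search, (attr=value), case-insensitive like an AD string match."""
    wanted = value.lower()
    for entry in directory:
        if str(entry.get(attr, "")).lower() == wanted:
            return entry
    return None


class LdapResolver:
    def __init__(self, directory, cache, alias_id_attr="mail", alias_list_attr="rfc822MailMember",
                 routing_attr="mailRoutingAddress", host_attr="mailHost"):
        self.directory, self.cache = directory, cache
        self.alias_id_attr, self.alias_list_attr = alias_id_attr, alias_list_attr
        self.routing_attr, self.host_attr = routing_attr, host_attr
        self.server_queries = 0  # how many lookups actually reached the "server"

    def _query(self, attr: str, value: str) -> Optional[Dict[str, Any]]:
        def fetch():
            self.server_queries += 1
            return ldap_lookup(self.directory, attr, value)
        return self.cache.get_or_fetch((attr, value.lower()), fetch)

    def resolve_alias(self, address: str) -> List[str]:
        """User Alias: expand an alias to the real addresses listed in the alias
        attribute; a non-alias address resolves to itself."""
        entry = self._query(self.alias_id_attr, address)
        if entry and entry.get(self.alias_list_attr):
            return list(entry[self.alias_list_attr])
        return [address]

    def mail_host(self, address: str, default_mta: str) -> str:
        """Mail Routing: the MTA from the mail host attribute when the recipient
        matches the mail routing address attribute, else the MX/static default."""
        entry = self._query(self.routing_attr, address)
        if entry and entry.get(self.host_attr):
            return str(entry[self.host_attr])
        return default_mta


def demo() -> Dict[str, Any]:
    """Drive the resolver with a manual clock to show the cache saving queries."""
    now = [0.0]
    resolver = LdapResolver(DIRECTORY, TtlCache(ttl_seconds=300, clock=lambda: now[0]))
    hosts = [resolver.mail_host(r, "mx.internal1.lab")
             for r in resolver.resolve_alias("sales@internal1.lab")]
    q1 = resolver.server_queries          # alias lookup + two routing lookups
    resolver.mail_host("user2@internal1.lab", "mx.internal1.lab")
    q2 = resolver.server_queries          # served from cache, unchanged
    now[0] = 301.0                        # TTL elapsed
    resolver.mail_host("user2@internal1.lab", "mx.internal1.lab")
    q3 = resolver.server_queries          # refreshed from the server
    unknown = resolver.mail_host("nobody@internal1.lab", "mx.internal1.lab")
    return {"hosts": hosts, "q1": q1, "q2": q2, "q3": q3, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The cache key is the (attribute, lower-cased value) pair, so the alias and routing lookups for the same address are cached independently; the TTL is the trade-off between directory load and how quickly a mailbox move or a removed alias is honoured.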

Lab Network


Lab 8 LDAP
Objectives
To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy for a group of users.

Tasks
Ex 1: Recipient Address Verification
Ex 2: Group Based Spam Inspection

Estimated time to complete the lab: 30 minutes
