LDAP Accept Query for AD

Unanswered Question
Mar 18th, 2008

I'd like to set up an LDAP Accept query against AD & Exchange to verify recipient addresses. When I test the query, I'm getting a configuration error. I'm using the following query string - (|(mail={a})(proxyAddresses=smtp:{a})). I'm an Ironport newbie so am probably overlooking something simple.

jparker32 Wed, 03/19/2008 - 09:53

This is what I am using for the accept query


Also tested:


both seem to work

The other thing to look at: are you using authentication or anonymous for LDAP? If you are using a username and password, check that the details are correct.

staylor_ironport Wed, 03/19/2008 - 16:05

Also double check what port is being used. If you only have one AD server then you may be able to communicate on both 3268 and 389.
One way of testing network connectivity is to telnet from the command line on both ports. Once you know they work, you can start testing the username/password for the BIND procedure (authentication).
You can just enter username and not domain\username.

Apart from that the query string looks fine, it will simply check both attributes for the rcpt-to value.
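
Added example, not part of the posts above and not IronPort's own code: a Python sketch of how the accept query from this thread expands for one recipient and which entries it accepts. The directory entries are constructed, case-insensitive matching is assumed as in AD, and the RFC 4515 escaping shown is what a hand-built filter needs, not a statement of what the appliance does.

```python
# Added illustration: expansion and matching of the accept query in this thread.
# Directory entries and addresses are constructed placeholders.

QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"  # query string from the thread

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one value so it can only ever be a literal in the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_query(rcpt, template=QUERY):
    """Substitute the envelope recipient for every {a} token."""
    return template.replace("{a}", escape_filter_value(rcpt))


def accept(rcpt, entries):
    """Model the OR of the two equality tests: mail, then proxyAddresses.
    Assumption: both attributes compare case-insensitively, as in AD."""
    want = rcpt.lower()
    for entry in entries:
        if any(m.lower() == want for m in entry.get("mail", [])):
            return True
        if any(p.lower() == "smtp:" + want
               for p in entry.get("proxyAddresses", [])):
            return True
    return False


# Constructed sample directory.
DIRECTORY = [
    {"cn": "Alice", "mail": ["alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"cn": "Fax gateway",
     "proxyAddresses": ["X400:c=US;a= ;p=Example;o=HQ;s=Fax;"]},
]

if __name__ == "__main__":
    for rcpt in ("alice@example.com", "A.Smith@example.com",
                 "nobody@example.com", "*"):
        print(rcpt, expand_query(rcpt), accept(rcpt, DIRECTORY))
```

The secondary address matches only through proxyAddresses, which is why the query tests both attributes; a recipient of `*` is escaped to a literal and matches nothing.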

ddockter_ironport Wed, 03/19/2008 - 16:27

I discovered I had to use the IP address of the LDAP server instead of the Host name. All is working well now. Thanks for the help.

ddockter_ironport Wed, 03/19/2008 - 19:57

I'm noticing the following error message in my mail_logs file. Does this just indicate Ironport was not able to find a match for the sender address when querying AD or is it a problem that I need to be concerned about?

Wed Mar 19 13:34:22 2008 Critical: LDAP: query DNS result DNS Hard Error looking up (A): NXDomain

staylor_ironport Wed, 03/26/2008 - 22:53

OK, so what happens on every connection is that the IronPort performs a forward and reverse lookup.
I'm having a stab in the dark that you are not using your own internal DNS server on the IronPort. If this is the case then you probably need to swap it over.
If this continues I would log a support ticket.

ddockter_ironport Thu, 03/27/2008 - 15:55

You are correct. I'm using the Internet's Root DNS Servers and unitedtrust.com is our internal domain name. Our internal DNS is set to forward unresolved DNS queries to the DNS servers of our ISP. If I change IronPort to point to our internal DNS server, can you think of any negative ramifications?

