LDAP query with headers

jtw_ironport
Level 1

Hi. The problem I'm trying to solve is preventing Internet senders from specifying a distribution list in either the Cc: or Bcc: headers. It's trivial to prevent the envelope recipient from being a distribution list by modifying the accept query, but I can't think of a way to invoke an LDAP query against a header.

Anyone have a solution to this other than setting up content filters for "other headers" and manually typing in distribution list addresses by hand?


steven_geerts
Level 1

Hello jtw,

As far as I know the actual address that triggers the filter in IronPort is the RCPT TO address in the header, before the DATA command.
Specifying whether an address is a TO, CC or BCC address is done by specifying (or leaving it out, in case of BCC) the appropriate field after the DATA command.
So I should expect the LDAP query to do the same, which means you do not have to make any distinction between TO, CC and BCC in your policies and LDAP queries.

(Please shoot when I’m wrong, citizens…)

Best regards Steven

Donald Nash
Level 3

LDAP queries are always in terms of the envelope sender or recipient addresses, not the header addresses.

Steven: if I'm understanding jtw properly, what he's trying to do is suppress messages containing certain header recipient addresses (in this case distribution lists), by using LDAP queries. There doesn't seem to be any way to do this with AsyncOS. The error you're making is assuming that everything in the recipient headers will be reflected in the envelope. That's not always the case. However, it does bring up a relevant question for jtw to answer: What exactly are you trying to accomplish? In other words, why are you trying to suppress the use of distribution lists in the recipient headers rather than in the envelope? The envelope is what affects actual delivery. The headers only affect what the recipient sees in his mail client.

jaigill
Cisco Employee

When you specify email addresses in the Cc: or Bcc: field of your MUA (Outlook, Thunderbird, etc.), your MUA will convert them to envelope 'RCPT TO' addresses when it delivers the message to the next hop mail server.

So you can essentially use LDAP to block messages Cc'ed or Bcc'ed to distribution lists. However, if someone just spoofs the Cc header, then you are dealing with another issue.
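
The envelope/header distinction discussed in this thread, shown as an added example that is not part of any poster's reply and is not AsyncOS configuration: a Python check that compares envelope recipients with the To:/Cc:/Bcc: headers and reports where a distribution list appears in only one of them. The `DISTRIBUTION_LISTS` set, the sample message and all addresses are constructed; in practice the set would come from a directory group query.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the result of an LDAP group lookup (assumption).
DISTRIBUTION_LISTS = {"all-staff@example.com", "engineering@example.com"}

# Constructed sample message: the Cc: header names a distribution list.
SAMPLE = (
    "From: alice@external.example\n"
    "To: bob@example.com\n"
    "Cc: All Staff <all-staff@example.com>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def header_recipients(raw_message):
    """Return the lower-cased addresses found in To:, Cc: and Bcc: headers."""
    msg = message_from_string(raw_message)
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def classify(envelope_rcpts, raw_message, lists=DISTRIBUTION_LISTS):
    """Compare envelope (RCPT TO) recipients with header recipients."""
    env = {a.lower() for a in envelope_rcpts}
    hdr = header_recipients(raw_message)
    return {
        # Lists that will actually receive the message; an envelope-based
        # LDAP accept query sees exactly these.
        "envelope_lists": sorted(env & lists),
        # Lists named in a header with no matching RCPT TO: display only,
        # invisible to an envelope-based query.
        "header_only_lists": sorted((hdr & lists) - env),
        # Envelope recipients absent from every header (Bcc-style delivery).
        "envelope_only": sorted(env - hdr),
    }


if __name__ == "__main__":
    print(classify(["bob@example.com", "all-staff@example.com"], SAMPLE))
    print(classify(["bob@example.com"], SAMPLE))
    print(classify(["bob@example.com", "engineering@example.com"], SAMPLE))
```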
