LDAP accept query (space within email) got pass

May 10th, 2008

Version: 5.1.2-005

The LDAP accept query is very effective here and we have been using it since day 1.
Recently, we discovered some backend MTA logs that are rejecting invalid addresses.

We haven't changed the IronPort or the backend LDAP software for a while, so it is not something that is due to a recent change.

Here is a funny finding, note the space.

> ldaptest

Select which LDAP query to test:
1. MXLDAP.accept
2. MXLDAP.smtpauth
3. VDELDAP.accept
4. group
[1]> 1

Address to use in query:
[]> sys [email protected]

LDAP query test results:

Query: MXLDAP.accept
Address: sys [email protected]
Action: pass

LDAP query test finished.

I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys [email protected]' as a valid LDAP entry. So it seems it is not related to LDAP.

This is our LDAP accept query:

(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))

Our ldap backend is Openwave MX LDAP directory.

We are considering upgrading to version 5.5, but not because of this problem; rather, to try to keep our version reasonably up to date.

mychrislo_ironport Sat, 05/10/2008 - 08:22

The hidden external issue is that a spammer can manipulate this "hole" (from I don't know where) and get mail accepted into the core MTA and bounced outward...

So I hope this is only a configuration issue with handling the "space" correctly between the query and the LDAP server.

Bart_ironport Sat, 05/10/2008 - 14:38

In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
If it is set to "loose parsing", it accepts but actually delivers the message to .
When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .

In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).

I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.
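
Added example (not part of the original posts and not IronPort code): a small Python model of the mismatch described above, where the accept check strips spaces before the lookup while strict parsing leaves the recipient unaltered. The directory contents, addresses and function names are constructed for illustration.

```python
import re

# Constructed directory standing in for the LDAP backend (assumption).
# Value is the mailboxstatus attribute; "A" means active.
DIRECTORY = {"sysadmin@example.com": "A", "old@example.com": "D"}


def ldap_lookup(addr):
    """Stand-in for the accept filter: address must exist with mailboxstatus=A."""
    return DIRECTORY.get(addr.lower()) == "A"


def accept_as_described(rcpt):
    """Behaviour reported in the thread: spaces are stripped before the query."""
    return ldap_lookup(rcpt.replace(" ", ""))


def accept_consistent(rcpt):
    """Validate exactly the string that would be handed to the backend MTA."""
    if re.search(r"\s", rcpt):
        return False  # whitespace never matches a directory entry as delivered
    return ldap_lookup(rcpt)


def find_mismatches(rcpts):
    """Recipients that pass the stripped check but are unknown as delivered.

    These are the ones the backend MTA later rejects and bounces.
    """
    return [r for r in rcpts if accept_as_described(r) and not ldap_lookup(r)]


if __name__ == "__main__":
    # Constructed sample recipients.
    sample = ["sysadmin@example.com", "sys admin@example.com", "old@example.com"]
    for rcpt in sample:
        print(f"{rcpt!r}: stripped-check={accept_as_described(rcpt)} "
              f"consistent-check={accept_consistent(rcpt)}")
    print("would bounce at backend:", find_mismatches(sample))
```

Running `find_mismatches` over recipients taken from gateway logs gives a quick estimate of how many accepted messages the backend will reject.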
