05-10-2008 08:07 AM
Version: 5.1.2-005
ldap accept query is very effective here and have been using since day-1.
Recently, we discover some backend mta log that rejecting invalid address.
We haven't change ironport or the backend ldap software for a while. So it is not something that due to recent change.
Here is a funny finding, note the space.
> ldaptest
Select which LDAP query to test:
1. MXLDAP.accept
2. MXLDAP.smtpauth
3. VDELDAP.accept
4. group
[1]> 1
Address to use in query:
[]> sys adm@ourisp.com
LDAP query test results:
Query: MXLDAP.accept
Address: sys adm@ourisp.com
Action: pass
LDAP query test finished.
I run a ldapsearch on the backend LDAP server and the ldapsearch does not return the 'sys adm@ourisp.com' as valid LDAP entry. So it seems it is not related to LDAP.
This is our ldap accept query
(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A)
Our ldap backend is Openwave MX LDAP directory.
We do considering upgrading to 5.5 version but it was not due to this problem. but rather than try to keep our version reasonably up-to-date.
05-10-2008 08:22 AM
The hidden external issue is that, spammer can manipulate this "hole (from dont know where) and got mail accept into core mta and bounce outward...
so i hope this is only a configuration issue with handling "space" correctly between query and ldap server.
05-10-2008 02:38 PM
In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
If it is set to "loose parsing", it accepts but actually delivers the message to
When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .
In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).
I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me, i'd expect it to check the address its going to use to deliver the mail. Its probably best to create a support request for this.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: