LDAP accept query (space within email) got pass

Version: 5.1.2-005

The LDAP accept query is very effective here and we have been using it since day 1.
Recently, we discovered some backend MTA logs rejecting invalid addresses.

We haven't changed IronPort or the backend LDAP software for a while, so it is not something that is due to a recent change.

Here is a funny finding, note the space.

> ldaptest

Select which LDAP query to test:
1. MXLDAP.accept
2. MXLDAP.smtpauth
3. VDELDAP.accept
4. group
[1]> 1

Address to use in query:
[]> sys adm@ourisp.com

LDAP query test results:

Query: MXLDAP.accept
Address: sys adm@ourisp.com
Action: pass

LDAP query test finished.

I ran an ldapsearch on the backend LDAP server and the ldapsearch does not return 'sys adm@ourisp.com' as a valid LDAP entry. So it seems it is not related to LDAP.

This is our LDAP accept query:

(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))

Our ldap backend is Openwave MX LDAP directory.

We are considering upgrading to version 5.5, but not because of this problem; rather, to try to keep our version reasonably up to date.

2 Replies

The hidden external issue is that a spammer can manipulate this "hole" (from I don't know where) and get mail accepted into the core MTA and bounced outward...

So I hope this is only a configuration issue with handling "space" correctly between the query and the LDAP server.

Bart_ironport
Level 1

In the latest version it is also accepting addresses that contain spaces. However, the exact behavior depends on how address parsing is configured on your listener.
If it is set to "loose parsing", it accepts but actually delivers the message to .
When using "strict parsing", it doesn't alter the recipient address and the message gets delivered to .

In the LDAP accept query however, it seems to ignore that setting. It always strips spaces from the address before it sends the query (you can see this in ldap debug).

I don't know whether all this is by design or not. Especially the ldapaccept part looks more like a bug to me; I'd expect it to check the address it's going to use to deliver the mail. It's probably best to create a support request for this.
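The mismatch described in the reply above, as an added example that is not part of the thread and not the appliance's own code: the accept check looks up a space-stripped address while the unmodified recipient may be what gets delivered. The directory contents and all function names are constructed for illustration; the filter is the one from the original post with its parentheses balanced.

```python
import re

# Constructed sample directory (mail -> mailboxstatus); not data from the thread.
DIRECTORY = {"sysadm@ourisp.com": "A", "olduser@ourisp.com": "D"}

# Accept query from the original post, with the closing parenthesis balanced.
ACCEPT_FILTER = "(&(|(mail={a})(mailalternateaddress={a}))(mailboxstatus=A))"


def render_filter(rcpt, strip_spaces):
    """Render the filter that would be sent, escaping the value per RFC 4515."""
    addr = rcpt.replace(" ", "") if strip_spaces else rcpt
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in addr)
    return ACCEPT_FILTER.replace("{a}", escaped)


def directory_has_active(address):
    """Stand-in for the LDAP search: exact match on mail with status A."""
    return DIRECTORY.get(address.lower()) == "A"


def accept_as_described(rcpt):
    """Behaviour reported in the reply: spaces are stripped before the query."""
    return directory_has_active(rcpt.replace(" ", ""))


def accept_exact(rcpt):
    """Check the address exactly as it would be handed to the backend MTA."""
    if re.search(r"\s", rcpt):
        return False  # whitespace in a recipient is never a directory match
    return directory_has_active(rcpt)


def audit(recipients):
    """Recipients that pass only because of the strip-before-lookup gap."""
    return [r for r in recipients
            if accept_as_described(r) and not accept_exact(r)]


if __name__ == "__main__":
    # Constructed recipient list, e.g. taken from accepted RCPT TO entries.
    seen = ["sysadm@ourisp.com", "sys adm@ourisp.com", "old user@ourisp.com"]
    for rcpt in audit(seen):
        print("validated as:", render_filter(rcpt, strip_spaces=True))
        print("delivered as:", repr(rcpt))
```

Running `audit` over accepted recipients from the gateway's mail logs gives a quick measure of how often the backend MTA is being handed addresses the directory never actually matched.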
