08-18-2008 01:26 PM
Hello!
I have a mail-in database which is primarily used to receive weekly and monthly reports generated from our 2 C350s. However, the mail-in database is also "spammed" by delivery failure reports which cannot be delivered because the receiving user does not exist. I get the following failures:
Delivery Failure Report
Your document: IronPort Spam Quarantine Notification
was not delivered to: john.doe@example.com
because: 5.1.0 - Unknown address error 550-'john.doe@example.com... No such user' (delivery attempts: 0)
Does anyone know what I need to configure in order to possibly drop these e-mails instead?
Thx in advance!
08-19-2008 12:27 AM
If there are recipient addresses that you don't want to have receive the digest quarantine notification, why don't you create a new incoming mail policy where the recipient is a member of this new policy. Disable anti-spam/anti-virus for this new policy and put in a content filter that doesn't have a condition and just drops the mail.
Here are the steps:
1. Create a new incoming mail policy, i.e. "Drop_Recipients"
2. Add the recipient email address that you don't want to have receive the quarantine digest notification as a member of this new policy.
3. Disable anti-spam and anti-virus for this new policy.
4. Create an incoming content filter that does not have any conditions. The only action is a drop().
5. Then enable this incoming content filter on this new policy.
Let me know if this is what you're looking for or if there is a reason why this doesn't address your issue.
By the way, the purpose of the above steps is so that the messages for this recipient don't get quarantined.
08-28-2008 07:32 AM
I apologize for the late reply. I'm not really sure if this is the right way to do it. Let me further explain my issue.
I have an alert recipient which I created to mainly receive weekly reports containing e-mail statistics, hardware alerts, system alerts etc. This same alert recipient seems to be the one sending the suspected spam quarantine notifications, which are sent to email addresses within our domain. However, these users don't exist, so they bounce back. For example, suspected mail is received by IronPort and a mail notification (spam notification) about this is then delivered to user john@example.com; however, john@example.com does not exist. So this email (spam notification) bounces back to my alert recipient address. But I feel that the suspected spam shouldn't make it that far, because when it first hits IronPort an LDAP query should be sent? If the user does not exist, there is no need to send a suspected spam notification to a user that does not exist. IronPort is also configured to send an LDAP query to our mail server to check if the user exists, but I'm not sure if it applies to all sorts of email, spam or not. Any suggestions?
08-28-2008 07:42 AM
Sounds like LDAP Accept Query is not working correctly, because if it was working correctly, those invalid recipients would be dropped before the anti-spam scanning occurs.
Generally, if a non-existent recipient email (i.e. fake-user@yourcompany.com) gets a spam notification, that must mean somehow it passed the ldap accept query or ldap is not enabled.
You can test if ldap is working correctly or not by going to "System Administration > Trace"
For the IP, use "1.2.3.4"
Host: test.com
Envelope Sender: test@test.com
Envelope Recipient: john@example.com or another recipient email that is not supposed to be valid.
Body of message:
Subject: test 123
The result you should be getting is that the message is dropped or bounced if the "envelope recipient" is invalid. If it gets through the whole scanning part and then delivered, then ldap is not working correctly since the recipient is fake.
08-28-2008 09:59 AM
These are the results of my "fake" trace. Seems like the RAT table rejects it, but should this occur before or after the LDAP query?
Trace Results
Host Access Table Processing (Listener: IncomingMail)
Matched On: sbrs[none]
Sender Group: UNKNOWN
Named Policy: CONTROLLED
Connection Behavior: ACCEPT
Fully Qualified Domain Name:
SenderBase Network Owner ID: N/A
SenderBase Reputation Score: N/A
Policy Parameters:
Max. Messages Per Connection: 5
Max. Recipients Per Message: 25
Max. Message Size: 50M
Max. Concurrent Connection From a Single IP: 5
Use TLS: No Default
Accept Untagged bounces: No
Max. Recipients Per Hour: 30
Use SenderBase: Yes Default
Use Spam Detection: Yes Default
Use Virus Detection: Yes Default
Envelope Sender Processing
Envelope Sender: test@test.com
Default Domain Processing: No Change
Envelope Sender Verification: Resolved test.com successfully
Envelope Recipient Processing
Envelope Recipient: john@example.com
Default Domain Processing: No Change
Domain Map Processing: No Change
Recipient Access Table Processing: Behavior: REJECT Matched On: john@example.com
Alias Expansion: No Change
08-28-2008 10:23 AM
I think I found what was wrong. Under my listener settings - LDAP queries (network > listener), the "accept query" option was set to none, instead of the server profile I had created. I have set the "accept query" option to the profile I had created and now I have the option to select bounce or drop. Which option is preferred from a security perspective? Is it possible for spammers to exploit the fact that if I choose to bounce it, it confirms that something is there listening and they might keep on trying with other addresses, or some other way? Or should I just drop it? If I do choose to drop it, then legitimate e-mails where the sender by accident misspelled an email address wouldn't get a notification that the e-mail wasn't delivered, is this correct? Please advise.
08-28-2008 03:45 PM
.... and now I have the option to select bounce or drop. Which option is preferred from a security perspective?
If I do choose to drop it, then legitimate e-mails where the sender by accident misspelled an email address wouldn't get a notification that the e-mail wasn't delivered, is this correct?
08-29-2008 12:49 PM
Well, we decided to go with the bounce option. At least for now :)
However, my next problem indicates that our LDAP query is incorrect, because whenever I edit my listeners and change them so they use the LDAP profile I have set up (Listeners >> I click on my listener >> LDAP queries >> Accept), mail to our mailing lists is bounced, which is not quite the purpose. I'm not very good at designing LDAP queries, but it basically looks like this now: (mail={a}). Unfortunately, it doesn't seem to match all addresses, so obviously it needs to be rewritten. Any suggestions/tips? We are using Lotus Domino.
Thanks in advance.
08-29-2008 02:20 PM
10-14-2008 03:28 PM
...Sorry for the very late reply, I have been extremely busy and unfortunately not been able to prioritize this issue..
However, I used the Softerra browser and it seems to me that I have the correct attributes in my schema.
I have modified my LDAP query to match even more addresses, and what seems to be left is addresses with an _ (underscore). For example, when I test my query for test_test@test.com I would get:
Success — Action: drop or bounce (depending on listener settings)
Reason: no matching LDAP record was found
If I try an address without an underscore, it passes the test.
Any ideas on how to create an LDAP query that somehow accepts mail attributes containing underscores?
10-14-2008 05:48 PM
Can you paste in the LDAP Accept Query string that you are using?
Also, enable the ldap debug logs and run through two tests.
1. test_test@test.com
2. testtest@test.com
and then paste in the ldap debug log results.
The snippet that you provided,
Success — Action: drop or bounce (depending on listener settings)
Reason: no matching LDAP record was found
appears to be a successful query that just resulted in the record not being there. I'd be interested in the ldap debug results and your accept query though.
10-14-2008 07:05 PM
Here is the LDAP query I am using at the moment. Unfortunately, I'm not sure that it is correct and appreciate all the help I can get to construct a correct one, or even maybe be tipped about some good LDAP resources where I can learn more about this topic.
Anyway, (|(mail={a})(uid={a})) is the query. As mentioned before, an address like john_doe@example.com would generate "no matching LDAP record was found", even though it does exist, whilst john.doe@example.com would not.
Tue Oct 14 19:41:06 2008 Info: Begin Logfile
Tue Oct 14 19:41:06 2008 Info: Version: 6.3.5-009 SN: xxxxxxxxxx-xxxxxxx
Tue Oct 14 19:41:06 2008 Info: Time offset from UTC: 7200 seconds
Tue Oct 14 19:42:11 2008 Debug: LDAP: Clearing LDAP server-group "xxxxxxxx" cache
Tue Oct 14 19:42:11 2008 Debug: LDAP: Clearing LDAP server-group "xxxxxxxx" cache
Tue Oct 14 19:42:11 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) connecting to server
Tue Oct 14 19:42:11 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) connected to server
Tue Oct 14 19:42:12 2008 Debug: LDAP: (accept) Query (|(mail=xxx_xx_xxxxxxxxxx@xxxxxxxx.se)(uid=xxx_xx_xxxxxxxxxx@xxxxxxxx.se)) to server xxxxxxxx (xxx.xxx.xxx.xxx:389)
Tue Oct 14 19:42:12 2008 Debug: LDAP: (accept) Query (|(mail=xxx_xx_xxxxxxxxxx@xxxxxxxx.se)(uid=xxx_xx_xxxxxxxxxx@xxxxxxxx.se)) lookup success, (xxx.xxx.xxx.xxx:389) returned 0 results
Tue Oct 14 19:42:17 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) Connection interrupted (writer)
Tue Oct 14 19:46:15 2008 Debug: LDAP: Clearing LDAP server-group "xxxxxxxx" cache
Tue Oct 14 19:46:15 2008 Debug: LDAP: Clearing LDAP server-group "xxxxxxxx" cache
Tue Oct 14 19:46:15 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) connecting to server
Tue Oct 14 19:46:15 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) connected to server
Tue Oct 14 19:46:16 2008 Debug: LDAP: (accept) Query (|(mail=xxxxxx.xxxxx@xxxxxxxxdata.com)(uid=xxxxxx.xxxxx@xxxxxxxxdata.com)) to server xxxxxxxx (xxx.xxx.xxx.xxx:389)
Tue Oct 14 19:46:16 2008 Debug: LDAP: (accept) Query (|(mail=xxxxxx.xxxxx@xxxxxxxxdata.com)(uid=xxxxxx.xxxxx@xxxxxxxxdata.com)) lookup success, (xxx.xxx.xxx.xxx:389) returned 1 results
Tue Oct 14 19:46:21 2008 Debug: LDAP: xxxxxxxx:xxx.xxx.xxx.xxx(xxx.xxx.xxx.xxx:389) (1) Connection interrupted (writer)
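As an added example (not from the thread or from Cisco), a small Python script that reads AsyncOS LDAP debug log lines in the shape pasted above and lists which accept queries returned zero results, so a batch of test recipients can be checked without reading the log by eye. The log lines, server name and IP inside it are constructed placeholders.

```python
import re

# Constructed sample lines in the shape of the LDAP debug log pasted in this thread
# (server name, addresses and IP are placeholders, not values from the thread).
SAMPLE_LOG = """\
Tue Oct 14 19:42:12 2008 Debug: LDAP: (accept) Query (|(mail=john_doe@example.com)(uid=john_doe@example.com)) to server ldap01 (192.0.2.10:389)
Tue Oct 14 19:42:12 2008 Debug: LDAP: (accept) Query (|(mail=john_doe@example.com)(uid=john_doe@example.com)) lookup success, (192.0.2.10:389) returned 0 results
Tue Oct 14 19:46:16 2008 Debug: LDAP: (accept) Query (|(mail=jane.doe@example.com)(uid=jane.doe@example.com)) to server ldap01 (192.0.2.10:389)
Tue Oct 14 19:46:16 2008 Debug: LDAP: (accept) Query (|(mail=jane.doe@example.com)(uid=jane.doe@example.com)) lookup success, (192.0.2.10:389) returned 1 results
Tue Oct 14 19:46:21 2008 Debug: LDAP: ldap01:192.0.2.10(192.0.2.10:389) (1) Connection interrupted (writer)
"""

# One line per completed accept query: the expanded filter, the server and the result count.
RESULT_RE = re.compile(
    r"LDAP: \(accept\) Query (?P<filter>\(.*?\)) lookup success, "
    r"\((?P<server>[^)]+)\) returned (?P<count>\d+) results"
)
# The recipient that was substituted for {a}; the first (mail=...) term carries it.
RECIPIENT_RE = re.compile(r"\(mail=(?P<rcpt>[^)]+)\)")


def summarize_accept_queries(log_text):
    """Return [(recipient, result_count, accepted)] for every completed accept query in the log."""
    rows = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue                      # connection/cache lines carry no result
        r = RECIPIENT_RE.search(m.group("filter"))
        rcpt = r.group("rcpt") if r else m.group("filter")
        count = int(m.group("count"))
        rows.append((rcpt, count, count > 0))   # 0 results: the listener bounces or drops
    return rows


def rejected_recipients(log_text):
    """Recipients the accept query did not find, i.e. the ones that would be bounced or dropped."""
    return [rcpt for rcpt, _, accepted in summarize_accept_queries(log_text) if not accepted]


def rejected_with_char(log_text, char="_"):
    """Rejected recipients whose local part contains `char` (the underscore pattern seen above)."""
    return [r for r in rejected_recipients(log_text) if char in r.split("@", 1)[0]]
```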
10-14-2008 09:13 PM
Tokens:
You can use the following tokens in your LDAP queries:
• {a} username@domainname
• {d} domainname
• {g} groupname
• {u} username
• {f} MAIL FROM: address
Note — The {f} token is valid in acceptance queries only.
Instead of this
(|(mail={a})(uid={a}))
Try this:
(|(mail={a})(uid={u}))
It may be that the username portion of "john_doe@example.com" is set in the uid as this:
uid=john_doe
-Kevin
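To make the token substitution concrete, here is an added Python example (not from the thread, Kevin or Cisco) that expands the {a}, {u}, {d} and {f} tokens with RFC 4515 escaping and evaluates the resulting filter against a constructed directory; it shows that an underscore is not a special character in a filter, and that which query form matches depends on which attribute holds which value. The entries, DNs and attribute values are constructed for illustration.

```python
import re

# RFC 4515 reserves only these characters in a filter value; "_" and "." are ordinary.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_accept_query(template, rcpt, mail_from=""):
    """Substitute the accept-query tokens listed above: {a} user@domain, {u} user, {d} domain, {f} MAIL FROM."""
    if "@" not in rcpt:
        raise ValueError("envelope recipient must be user@domain")
    user, domain = rcpt.rsplit("@", 1)
    tokens = {"a": rcpt, "u": user, "d": domain, "f": mail_from}
    return re.sub(r"\{([audf])\}", lambda m: escape_filter_value(tokens[m.group(1)]), template)

def _parse(f, pos=0):
    """Minimal parser for filters made of (attr=value), (|...) and (&...); returns (node, next_pos)."""
    pos += 1                                    # consume "("
    if f[pos] in "|&":
        op, pos, kids = f[pos], pos + 1, []
        while f[pos] == "(":
            node, pos = _parse(f, pos)
            kids.append(node)
        return (op, kids), pos + 1              # consume ")"
    end = f.index(")", pos)
    attr, value = f[pos:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def _matches(node, entry):
    if node[0] == "=":
        _, attr, value = node                   # compare escaped forms, case-insensitively
        return any(escape_filter_value(v).lower() == value for v in entry.get(attr, []))
    hits = [_matches(k, entry) for k in node[1]]
    return any(hits) if node[0] == "|" else all(hits)

def accept_query_hits(template, rcpt, directory):
    """DNs that the expanded accept query would match in `directory` (a list of {attr: [values]} dicts)."""
    node, _ = _parse(expand_accept_query(template, rcpt))
    return [e["dn"] for e in directory if _matches(node, e)]

# Constructed entries (not from the thread): John's uid holds the bare username and his mail
# attribute the dotted form, as Kevin suggests; Jane's mail attribute itself carries an underscore.
DIRECTORY = [
    {"dn": "cn=John Doe,o=example", "uid": ["john_doe"], "mail": ["john.doe@example.com"]},
    {"dn": "cn=Jane Doe,o=example", "uid": ["jdoe"], "mail": ["jane_doe@example.com"]},
]
```

With these entries, (|(mail={a})(uid={a})) finds nothing for john_doe@example.com while (|(mail={a})(uid={u})) does, and jane_doe@example.com is found by either form through the mail attribute alone.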
10-15-2008 07:24 AM
Unfortunately your query did not work, I have tried it before, and it's because it's not in the uid attribute, but in the mail attribute. I have confirmed this with the Softerra browser.
Any more tips on how to solve this? :(
10-15-2008 03:31 PM
If you don't mind, can you provide the LDIF export for john_doe@company.com? In Softerra, if you right click on the user, there is an option for an LDIF export.