09-29-2008 03:10 PM
We are trying to add an LDAP Server Profile but every time we try to test the Accept Query we get an "Error - Error: configuration error" message.
We are using AD, top of the tree for base DN. dc=domain, dc=local.
We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.
Tried port 389 and 3268, no SSL, Anonymous and User Password authentication methods.
The error left us clueless since we followed the instructions on the user manual.
For the accept query we tried this query string: (proxyAddresses=smtp:{a})
Any ideas or pointers to what could be causing this are very appreciated.
Thanks.
Ed.
09-29-2008 05:57 PM
The first thing I would verify is if you can connect and traverse your Active Directory/Domain Controller using Softerra's free ldap browser.
1. Softerra ldap browser link
http://download.softerra.com/files/ldapbrowser26.msi
Put in the IP/hostname of the domain controller, use the same BASE DN, and user credentials that you used on the IronPort appliance.
I would highly recommend that you create a separate account for the IronPort (i.e. ironportldap). Do this so that you don't have to worry about accidentally resetting the password and then forgetting to update the IronPort appliance.
2. Once you've verified that you can connect and see your tree, use the same settings from Softerra ldap browser and put them in the IronPort ldap interface.
Try this for your Accept query string
(|(mail={a})(proxyAddresses=smtp:{a}))
3. If it still fails, enable the ldap debug log if you haven't already and paste in the error.
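The accept query above substitutes each envelope recipient for the {a} token. The following is an added Python example, not code from the thread or from Cisco: it uses constructed directory entries and a toy filter evaluator (not a real LDAP library) to show why the (|(mail={a})(proxyAddresses=smtp:{a})) form also passes objects that carry only a mail attribute, and why the substituted address has to be escaped per RFC 4515 before it is placed in the filter.

```python
import re

# Constructed sample entries in the shape AD returns for mail-enabled objects.
DIRECTORY = [
    {"mail": ["ed@pupr.local"],
     "proxyAddresses": ["SMTP:ed@pupr.local", "smtp:edward@pupr.local"]},
    {"mail": ["scanner@pupr.local"]},   # mail attribute only, no proxyAddresses
]
ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"   # kluu's suggestion
FIRST_QUERY = "(proxyAddresses=smtp:{a})"                  # Ed's first attempt


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a recipient such as 'ed*@pupr.local' must not
    become a wildcard, and '(' or ')' must not close the filter early."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def instantiate(template: str, address: str) -> str:
    """Substitute the recipient address for the {a} token in the query."""
    return template.replace("{a}", escape_filter_value(address))


def parse(f: str, i: int = 0):
    """Minimal recursive-descent parser for (attr=value), (|...) and (&...)."""
    i += 1                                   # skip "("
    if f[i] in "|&":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = parse(f, i)
            subs.append(node)
        return (op, subs), i + 1             # skip ")"
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), val)
    return ("=", attr, val), j + 1


def matches(node, entry) -> bool:
    """AD compares mail and proxyAddresses case-insensitively."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    op, subs = node
    return (any if op == "|" else all)(matches(s, entry) for s in subs)


def accept(template: str, address: str) -> bool:
    """True: a record was found (Action: Pass); False: none (drop or bounce)."""
    node, _ = parse(instantiate(template, address))
    return any(matches(node, e) for e in DIRECTORY)
```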
09-29-2008 07:40 PM
We created an account to bind to the directory and tested it with Softerra, it worked without trouble.
After following your directions I came up with this on the cli.
Mon Sep 29 14:26:20 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:26 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:27 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:27 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 14:26:34 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Now I'm a bit confused, because the DNS configuration on our C100 has the DNS IPs of our ISP to route email outside of our school.
Our appliance is a C100 and uses Data1 as outbound and Data2 as inbound.
Thanks for your advice.
The DNS configuration on the C100 only allows setting the IP of the DNS servers for Data1, Data2 or Auto, but not individually, that's confusing.
How to go about this?
Ed.
09-29-2008 07:51 PM
From the command line of the IronPort, try a dns lookup
nslookup sjudc1.pupr.local
Also, try using the IP
09-29-2008 09:16 PM
For the hostname I got: Non-existent hostname looking up A record for "sjudc1.pupr.local".
For the IP I got: Non-existent hostname looking up PTR record for "w.x.y.z.in-addr.arpa".
Ed.
09-29-2008 09:21 PM
How were you able to connect to the AD server on port 389 before?
We tried communicating with 2 different servers via telnet on ports 389, 3268, both are open.
Tried port 389 and 3268, no SSL, Anynomous and User Password authentication methods.
Ed.
09-29-2008 09:34 PM
Trying to troubleshoot the server, for any antivirus blocking access to the ports I did a telnet from my machine, not the C100 itself.
We haven't used AD before with the IronPort and I thought it was a good idea to start using it for the benefit of DHAP.
We have an SMTP route to our mail exchanger. But it has the IP of the server.
09-29-2008 09:40 PM
1. Verify from the command line of the IronPort that you can connect to the ldap server on the correct IP.
- telnet
select the Interface that is allowed to connect to the LDAP server on your firewall
- IP_Address of ldap server
- 389 or 3268 (if you have Exchange 2003+)
2. If the above is successful, make sure you update the LDAP settings (System Administration > LDAP > Ldap settings) and use the same interface.
3. Delete the profile and recreate it, then test again.
09-29-2008 10:11 PM
I could connect from the cli to the server using the IP on both ports.
Adding the ldap profile it asked me for the host name, what I did was add an override for the internal domain on the dns and now the C100 can resolve names for the internal domain.
Now something different is logged in the LDAP log you helped me create earlier.
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) (169) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:192.168.26.1(192.168.26.1:3268) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds
Ed.
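The two log samples in this thread show the two failure modes the appliance reported: the name did not resolve (NXDomain), then the bind was rejected (auth failed, server marked DOWN). This is an added Python example, not from the thread or from Cisco; the log excerpt is constructed from the line formats Ed pasted, and the regular expressions are assumptions about that format rather than a documented schema.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the thread's LDAP debug log.
SAMPLE_LOG = """\
Mon Sep 29 14:26:20 2008 Critical: LDAP: query DNS result DNS Hard Error looking up sjudc1.pupr.local (A): NXDomain
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) connecting to server
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) (101) auth failed
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) connection authentication error
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) this server marked DOWN
Mon Sep 29 17:08:14 2008 Debug: LDAP: Waiting period until next connection attempt is 3 seconds
"""

LINE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (\w+): LDAP: (.*)$")
DNS = re.compile(r"DNS Hard Error looking up (\S+) \((\w+)\): (\w+)")
SERVER = re.compile(r"^(\S+?):(\S+?)\((\d+\.\d+\.\d+\.\d+):(\d+)\) (.*)$")


def triage(log: str) -> dict:
    """Count, per LDAP server, the failure types seen in the thread:
    dns (name does not resolve), auth (bind rejected), down (marked DOWN)."""
    counts = defaultdict(lambda: {"dns": 0, "auth": 0, "down": 0})
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _severity, msg = m.groups()
        d = DNS.search(msg)
        if d:
            counts[d.group(1)]["dns"] += 1
            continue
        s = SERVER.match(msg)
        if not s:
            continue          # e.g. "Waiting period until next connection attempt"
        _profile, host, _ip, _port, rest = s.groups()
        if "auth failed" in rest:
            counts[host]["auth"] += 1
        elif "marked DOWN" in rest:
            counts[host]["down"] += 1
    return dict(counts)


def next_check(host_counts: dict) -> str:
    """Map the dominant failure to the check suggested in the thread."""
    if host_counts["dns"]:
        return "resolve the hostname from the appliance (nslookup) or use the IP"
    if host_counts["auth"]:
        return "verify the bind account and use user@domain as the username"
    return "no failure recorded"
```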
09-29-2008 10:21 PM
Seems like an auth error.
For the username, use this:
username: ironportldap@pupr.local
or
username: ironportldap@pupr.com
Mon Sep 29 17:08:14 2008 Debug: LDAP: PUPR.local:sjudc1.pupr.local(192.168.26.1:389) connection authentication error
Ed.
09-30-2008 12:35 AM
Success - Action: Pass.
Also checked in the CLI, got lookup success on 3 (2 valid and 1 invalid) addresses tested.
And this when trying an invalid recipient in GUI:
Success — Action: drop or bounce (depending on listener settings)
Reason: no matching LDAP record was found.
Now I gotta keep reading and look up a topic about bouncing or dropping invalid recipients, I think I read in that topic that there is a way to get the best of both worlds, I want to read the manual and the topic and try to fully understand the process.
Kluu thank you very much for helping sir!
Very much appreciated.
09-30-2008 12:59 AM
Yeah, the AsyncOS Advanced User Guide is the best resource on all things LDAP.
Also, I would recommend using ldap accept query in the "SMTP Conversation" in the listener section.
You will be doing the verification at the network level and reduce the amount of invalid recipients that get processed in the workqueue. By handling it at the "smtp conversation" level, you'll reduce load on the IronPort and still alert the sending MTA that the recipients were invalid.
And now with LDAP, you'll get the benefit of DHAP (directory harvest attack) on your sendergroups/mail flow policies section.
-kevin