LDAP instead of RAT

Oct 7th, 2009


This may be a very stupid question, but I'm new to IronPort.

At the moment our IronPort is checking whether an email is accepted by RAT. Soon I plan to use LDAP.
Is it possible to use an LDAP query instead of RAT?
Regarding the listener, I can't modify the field "Recipient Access Table".


Andrew Wurster Wed, 10/07/2009 - 17:06

sven -

that's a fine question as many people need to accomplish that. you do not necessarily edit or remove your RAT, you just add another layer of checking.

you'll need an LDAP accept query - and here's how to do it:

take care!

sven_warnke_ironport Thu, 12/03/2009 - 07:09

Sorry, but I didn't have the time to try it out until now.

So I experimented yesterday and found my next question:

I don't want to accept all the addresses listed in my AD. So an accept query would be the wrong way. It has to be a group query.

This is also definable on the listener. But I do not find the right place to tell the IronPort against which group this group query should check.

I hope you understand what I want to do.
Don't hesitate to ask me for more information ;)


Andrew Wurster Thu, 12/03/2009 - 16:34

yea that makes sense to me for the most part.

you probably want to add a term to your query that enforces this "group" name. that means taking your default query (which I'm guessing at since you haven't provided one) and add in a group-like statement for the following logic

(memberOf = actual DN) AND (mail OR proxyAddresses = rcpt to address)

the actual syntax for your AD might look like:


give that a shot.


sven_warnke_ironport Fri, 12/04/2009 - 06:53


I had the same idea yesterday morning, but the following message appears when I use the "test-button" on the LDAP configuration site:
(I used a fully qualified name of a group, which exists in my AD ;-) --> same result)

Query results for host:XXX.XXX.XXX.XXX
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|([email protected])([email protected])(proxyAddresses=smtp:[email protected]))) to server ldap_recieve (xxx.xxx.xxx.xxx:389)
Query (&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|([email protected])([email protected])(proxyAddresses=smtp:[email protected]))) lookup failed: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|([email protected])([email protected])(proxyAddresses=smtp:[email protected])))"
Failure: LDAP Query Syntax Error: Invalid character 'w' at position 16 of query "(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(|([email protected])([email protected])(proxyAddresses=smtp:[email protected])))"

A few minutes ago I ran 2 tests:
1. I enabled the group-query (not paying attention to the wrong syntax) and changed the value of "all other recipients" in my RAT from reject to accept.
--> Every email passed the RAT, but I saw the attempt of an LDAP request with the same failure as described above

2. I enabled the group-query (not paying attention to the wrong syntax) and left the value of "all other recipients" on "reject"
--> Using tail I got the message "Adress rejected by RAT" and did not see any LDAP request

Andrew Wurster Fri, 12/04/2009 - 16:02

sven -

do you mind opening a support case on this? i am 99% sure there is a defect which requires us to escape our distinguished name values '=' with '%3d' or something along those lines to look like 'CN%3dfoo,DC%3dbar' etc. if we get a support case and remote access tunnel, we can isolate your requirements and run an ldapsearch against your directory to confirm this.

i just need to look further into it before confirming. we can always post the answer back here in any case.


sven_warnke_ironport Mon, 12/07/2009 - 14:32


You're almost right!

I think support and I found the solution nearly in parallel :-D

As already posted, you have to replace the "=" in the fully qualified name of the group with this string: "\3d".

So the syntax for the accept-query looks like this
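
Added example, not part of the thread and not IronPort's own code: a Python sketch that builds the group-restricted query Andrew describes, applies the `\3d` workaround to the group DN from Sven's test, and flags any raw `=` left inside a value. The `{a}` recipient placeholder, the function names and `SAMPLE_FAILING` (a constructed query using the thread's DN and a made-up address) are assumptions.

```python
import re

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample: quoted, unescaped DN in the style of the failing test query.
SAMPLE_FAILING = '(&(memberOf="CN=we,CN=foo,DC=bar,DC=tld")(mail=user@example.com))'


def escape_value(value, escape_equals=False):
    """Escape one assertion value; optionally also encode '=' as \\3d."""
    table = dict(_RFC4515)
    if escape_equals:
        # RFC 4515 allows a raw '=' in a value; \3d is its hex escape and is
        # what the thread reports the appliance's parser needs.
        table["="] = r"\3d"
    return "".join(table.get(ch, ch) for ch in value)


def group_accept_query(group_dn, rcpt_token="{a}"):
    """(memberOf = group DN) AND (mail OR proxyAddresses = recipient).

    No double quotes are emitted: RFC 4515 gives them no special meaning,
    so they would become literal characters of the DN value.
    rcpt_token is an assumed placeholder for the RCPT TO address.
    """
    dn = escape_value(group_dn, escape_equals=True)
    return (f"(&(memberOf={dn})"
            f"(|(mail={rcpt_token})(proxyAddresses=smtp:{rcpt_token})))")


def raw_equals_in_values(query):
    """Return 0-based offsets of unescaped '=' inside assertion values."""
    hits = []
    for m in re.finditer(r"\(([^()=]+)=([^()]*)\)", query):
        start = m.start(2)
        hits += [start + i for i, ch in enumerate(m.group(2)) if ch == "="]
    return hits


if __name__ == "__main__":
    print(group_accept_query("CN=we,CN=foo,DC=bar,DC=tld"))
    print(raw_equals_in_values(SAMPLE_FAILING))
```

In the constructed failing sample the first raw `=` sits at offset 15, directly before the `w` at position 16 that the error message in the thread names.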


