Account lockout in AD Due to SMTP Authentication

Nov 11th, 2009

If anyone has faced such an issue, please share your views.
User1 configured an email ID "[email protected]" with SMTP authentication in the mail client MS Outlook to check mail.
User2 uses the same mail ID "[email protected]" in an application with SMTP authentication to send mail.
Some time later the password for email ID "[email protected]" expired. User1 updated to the new password, but User2 did not update it in his application at the same time. As a result, the application keeps sending requests to the LDAP server for SMTP authentication, which the LDAP server rejects because of the wrong password, and finally user ID "[email protected]" continuously gets locked and User1 is unable to log in to his mailbox.
User2's application is used to send some regular mails at an interval of some 5 minutes.
So has anyone faced such an issue and have an idea how to block this type of behavior?
Thanks in advance for understanding.
:roll:

mychrislo_ironport Thu, 11/12/2009 - 02:56

IMHO, this is more of an AD password policy issue than an IronPort one.

When we implement the password policy on AD, we would either exclude some _application_ accounts or apply a different policy, such as a login delay, rather than locking the account.

As long as you can detect failed login attempts and remedy them, it should be acceptable to the auditors...
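
An added example, not part of the original thread: one way to detect the pattern described in the question, where a host keeps failing authentication for an account at a near-constant interval (the application's roughly 5-minute send cycle) with no success in between. The log format, the account names, the host names and the function names are all constructed for illustration and are not AD or IronPort output.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a hypothetical "timestamp account source result" format.
SAMPLE_LOG = """\
2009-11-11T08:55:00 shared.mailbox user1-desktop OK
2009-11-11T09:00:05 shared.mailbox app-server-01 FAIL
2009-11-11T09:05:04 shared.mailbox app-server-01 FAIL
2009-11-11T09:10:06 shared.mailbox app-server-01 FAIL
2009-11-11T09:12:30 shared.mailbox user1-desktop FAIL
2009-11-11T09:12:50 shared.mailbox user1-desktop OK
2009-11-11T09:15:05 shared.mailbox app-server-01 FAIL
2009-11-11T09:20:05 shared.mailbox app-server-01 FAIL
2009-11-11T10:00:00 other.user user3-laptop FAIL
2009-11-11T10:00:07 other.user user3-laptop FAIL
2009-11-11T10:02:40 other.user user3-laptop FAIL
2009-11-11T10:30:00 other.user user3-laptop FAIL
"""

def parse(log):
    """Return (timestamp, account, source, result) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, account, source, result = line.split()
            events.append((datetime.fromisoformat(ts), account, source, result))
    return sorted(events)

def stale_credential_suspects(log, min_failures=4, max_jitter=0.1):
    """Map (account, source) to the mean gap in seconds between its failures,
    for sources whose current failure streak is long and evenly spaced."""
    streaks = defaultdict(list)
    for ts, account, source, result in parse(log):
        if result == "OK":
            streaks.pop((account, source), None)   # a success ends the streak
        else:
            streaks[(account, source)].append(ts)
    suspects = {}
    for key, times in streaks.items():
        if len(times) < min_failures:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Scheduled jobs retry on a timer; people mistyping a password do not.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = avg
    return suspects

if __name__ == "__main__":
    for (account, source), gap in stale_credential_suspects(SAMPLE_LOG).items():
        print(f"{account}: {source} fails every ~{gap:.0f}s, no success in between")
```

The source host it reports is the machine whose stored password needs updating, or whose sending should move to a dedicated application account.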

steven_geerts Fri, 11/13/2009 - 22:59

This is a 100% AD issue instead of an IronPort issue... (as already told by MyChrislo)... but since we’re all e-mail guys... here you have a hopefully usable answer. :-)

I think the easiest solution is to create an extra AD account for the application. Maybe it's wise to set this password to "never expire" (if your security department allows that).
If the application also must retrieve mail from the [email protected] mailbox, you must add the new account as a secondary account on the mailbox; if the application is only sending out messages, this is not needed (as far as I know).

Another possibility is to allow your application server to deliver (or relay) mail anonymously. In that case the SMTP authentication can be dropped entirely.

Hope this is useful.

Steven
