
Account Lockout in AD Due to SMTP Authentication

santoshkumar
Level 1

If anyone has faced such an issue, please share your views.
User1 configured an email ID "abc@mydomain.com" with SMTP authentication in the mail client MS Outlook to check mail.
User2 uses the same mail ID "abc@mydomain.com" in an application with SMTP authentication to send mail.
Some time later the password for the email ID "abc@mydomain.com" expired. User1 set a new password, but User2 did not update it in his application at the same time. As a result, the application keeps sending password requests to the LDAP server for SMTP authentication, which the LDAP server rejects because of the wrong password, and finally the user ID "abc@mydomain.com" is continuously locked and User1 is unable to log in to his mailbox.
"User2's application is used to send some regular mails at an interval of about 5 minutes."
So, has anyone faced such an issue and have an idea how to block this type of behavior?
Thanks in advance for understanding.
:roll:


IMHO, this is more of an AD password policy issue than an IronPort issue.

When we implement the password policy on AD, we would either exclude some _application_ accounts or apply a different policy, such as a login delay rather than locking the account.

As long as you can detect failed login attempts and remedy them, it should be acceptable to the auditors...

steven_geerts
Level 1

This is a 100% AD issue instead of an IronPort issue... (as already said by MyChrislo)... but since we're all e-mail guys... here you have a hopefully usable answer. :-)

I think the easiest solution is to create an extra AD account for the application. Maybe it's wise to set this password to "never expire" (if your security department allows that).
If the application also must retrieve mail from the abc@mydomain.com mailbox, you must add the new account as a secondary account on the mailbox. If the application is only sending out messages, this is not needed (as far as I know).

Another possibility is to allow your application server to deliver (or relay) mail anonymously. In that case the SMTP authentication can be dropped entirely.

Hope this is useful.

Steven
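
One way to do the detection of failed logins mentioned in the first reply, as an added example that is not part of the thread: it separates a scheduled job retrying a stale password (failures at a near-constant interval, like the 5-minute sender described in the question) from a person mistyping a password. The three-field log layout, the host names `app-server-01` and `user1-pc`, and the thresholds are constructed assumptions; real records would first have to be reduced to time, account and connecting client.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not from the thread): time, account, connecting client.
SAMPLE_LOG = """\
2024-03-04T09:00:02 abc@mydomain.com app-server-01
2024-03-04T09:03:40 abc@mydomain.com user1-pc
2024-03-04T09:03:55 abc@mydomain.com user1-pc
2024-03-04T09:04:20 abc@mydomain.com user1-pc
2024-03-04T09:05:01 abc@mydomain.com app-server-01
2024-03-04T09:10:03 abc@mydomain.com app-server-01
2024-03-04T09:15:02 abc@mydomain.com app-server-01
2024-03-04T09:20:02 abc@mydomain.com app-server-01
2024-03-04T09:41:10 abc@mydomain.com user1-pc
"""


def parse(log):
    """Group failed-authentication timestamps by (account, client)."""
    groups = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, account, client = parts
        groups[(account.lower(), client)].append(datetime.fromisoformat(ts))
    return groups


def periodic_failures(log, min_events=4, max_jitter=0.1):
    """Return clients whose failures recur at a near-constant interval,
    the signature of a scheduled job retrying a stale password."""
    findings = []
    for (account, client), times in parse(log).items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low for a timer, high for a person typing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"account": account, "client": client,
                             "failures": len(times), "interval_s": round(avg)})
    return findings


if __name__ == "__main__":
    for hit in periodic_failures(SAMPLE_LOG):
        print(hit)
```

A client flagged this way is the one holding the outdated password, and the candidate for its own application account as suggested in the replies.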
