LDAP Routing Query

Unanswered Question
Nov 12th, 2009


we have the following scenario:
There is just one single mail domain.
500 Mailboxes are on an Microsoft Exchange server with Active Directory, 500 Mailboxes are on a different server hosting POP3 Mailboxes.
Obviously I cannot use a LDAP Accept Query, as the AD doesn't have any knowledge about the POP3 mailboxes. The question is, can I still use LDAP for mailrouting, even if some account are not in the AD?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
shannon.hagan Thu, 11/12/2009 - 19:34

If so, you can chain the queries. Have it check the one with the most mailboxes first and the other second.

Eisenhafen Fri, 11/13/2009 - 08:07

The problem is, that half the users are not on any directory.
So I think we will try to have an smtp route for those and and ldap routing query for those on the AD.
I'm just unsure if this query will generate errors for those users who are not in a directory.

Andrew Wurster Fri, 11/13/2009 - 19:03

if these users still using external POP mail boxes are distinguishable by receiving domain name - there are several options for you.

if you can provide us real address syntax and examples - we might be able to give a more specific answer...

Eisenhafen Mon, 11/16/2009 - 08:19


I don't have the exact sytax yet.
All users are in the same maildomain: @domain.com, so no way to separate mails here. One half of the user are on the exchange, so LDAP based routing is possible here. The other half is external, but this doesn't show in the address and the mails go to a POP3 Server with no directory I can use.

mychrislo_ironport Mon, 11/16/2009 - 08:31

Hi Eisenhafen,

If it's really all mailboxes are in the same domain.

It's not possible to have "split-brain" mailboxes backends. That'd be terrible mess. -- split brains means the left brain doesn't know anything with the right brain.

.And it sounds like companies merging mail domains.

You may need to take a few steps, including mailbox migration.

A) Talk-Easy steps.
- migrate your non-ldap mailboxes (external pop3) to your ldap-enabled backend.

B) Alternatives....still not easy
subdomain. have one of them change to subdomain..Obviously, the one without ldap should be subdomained.

Ironport will be able to handle, after that's done.

You may need to try masquerade if your ironport also acts as centralized outgoing mta.

C) Can you create AD proxy addresses.....but it's an admin nightmare.

Rayman_Jr Mon, 11/16/2009 - 11:50

The question is, can I still use LDAP for mailrouting, even if some account are not in the AD?

Yes you can. You can do that on listener level or use "Bypass LDAP Accept Queries" in RAT. This disables only the accept query but leaves LDAP routing enabled.

The default SMTP route of @domain.com needs to be set to POP3 Mailboxes (the ones which can't be found from any directory), then you need to setup extra attribute for each AD account (e.g. extensionAttributeXX) to get Exchange addresses routed into Exchange server.

In this scenario all other than Exchange messages will be routed to POP3 Mailboxes. It's good to keep in mind that LDAP routing attribute in AD will play a very important role. If routing attribute in AD is missing the mail will follow the default SMTP route and end up into wrong environment !
Knuto0815 Wed, 11/25/2009 - 11:22

Hi Eisenhafen.

We are accepting the emails for our colleagues in India while we are seated in Germany. We run accept queries against our AD using email activated contacts (translation word by word from german, sry) for our indian branch. The routing to India is done by the Exchange server. Even though it requires a bit of maintainance on our side.

steven_geerts Thu, 11/26/2009 - 23:53

Well.... there are more LDAP directories that MS-Active Directory.

If I understand you right your main problem is how to route 50% of your recipient addresses to Exchange and 50% of them to the POP3 system. If you could, it would be nice to have a message accept policy that is LDAP driven.

I suggest you try to install a dedicated LDAP server for your Ironport(s). That LDAP server should be updated daily with the details from your AD and an export from the POP3 system. On the LINUX platform there are several options (OpenLDAP, Apache Directory, Fedora 389, etc).

If you make sure your import scripts also provisions the mail addresses of all users and (at least) an attribute like "mailHost" (your Exchange based 50% of your recipients would have a static value of "your.exchange.server" (=hostname of your Exchange bridgehead) as value, the other 50% would have "your.pop3.server" (=hostname of your POP3 server) as value.

After that you can create a mail routing LDAP query that makes sure the messages are routed correctly. The mailHost attribute will be used to determine where the message should be routed to. If needed, you can also run a message acceptance query against that same LDAP. That query would reject all mail addresses that are unknown to the directory.

If you have more questions about this, jus send me a message; I have some experience with this matter.



This Discussion