Cisco Support Community

New Member

custom LDAP Query

Can anyone shoot me an example of a Custom LDAP query, to query other LDAP attributes.
As an example I'd like to query the MailServer attribute then if it returns a certain server, route the message to an alternate server.

7 REPLIES
New Member

Re: custom LDAP Query

In the LDAP section, you'd probably want to use the Routing query [system administration > ldap ]


A query string like this would work. In your case, you would use the "MailServer" attribute.

(&(company=Ironport Systems)(proxyaddresses=smtp:{a}))



cn: John Smith
company: Ironport Systems
dn: CN=John Smith,OU=Employees,DC=Ironport,DC=com
memberof: CN=Support,OU=Mailing list,DC=ironport,DC=com
mail: jsmith@ironport.com
proxyAddresses: smtp: jsmith@ironportthecompany.com
proxyAddresses: smtp: jsmith@exchange.ironportthecompany.com

=============

Using the routing query, you can compare the recipient email with the other attribute. The other attribute needs to be hardcoded.

Then, once you have the query you want, you can use message filters to make use of the ldap routing.





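Added illustration, not part of the original thread and not the appliance's own code: the Python below models how the `{a}` (recipient address) and `{g}` (group name) tokens in the query strings above are filled in, and how the resulting AND filter is matched against a directory entry. The RFC 4515 escaping step, the helper names, and the sample entry (adapted from the reply, written with no space after `smtp:`) are assumptions.

```python
import re

SPECIAL = "\\*()\x00"  # characters RFC 4515 requires escaping in a value

def escape(value):
    """Escape a substituted value so it cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in SPECIAL else c for c in value)

def expand(template, **tokens):
    """Fill {a} (recipient address) and {g} (group name) into a query string."""
    return re.sub(r"\{(\w+)\}", lambda m: escape(tokens[m.group(1)]), template)

def unescape(value):
    """Turn \\xx escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def clauses(ldap_filter):
    """Return the (attribute, value) equality tests of an AND-only filter."""
    return [(a.lower(), unescape(v))
            for a, v in re.findall(r"\(([^()=&|!]+)=([^()]*)\)", ldap_filter)]

def matches(ldap_filter, entry):
    """True if every equality clause matches some value of that attribute."""
    return all(
        any(v.lower() == have.lower() for have in entry.get(attr, []))
        for attr, v in clauses(ldap_filter)
    )

# Constructed entry modelled on the one in the reply (no space after "smtp:").
ENTRY = {
    "company": ["Ironport Systems"],
    "mail": ["jsmith@ironport.com"],
    "proxyaddresses": ["smtp:jsmith@ironportthecompany.com",
                       "smtp:jsmith@exchange.ironportthecompany.com"],
}
ROUTING = "(&(company=Ironport Systems)(proxyaddresses=smtp:{a}))"

def demo():
    hit = expand(ROUTING, a="jsmith@ironportthecompany.com")
    miss = expand(ROUTING, a="other@ironportthecompany.com")
    odd = expand(ROUTING, a="a*(b)@ironportthecompany.com")  # constructed input
    return matches(hit, ENTRY), matches(miss, ENTRY), odd

if __name__ == "__main__":
    print(demo())
```

The hardcoded `company` clause is the "other attribute" the reply mentions; only the recipient address varies per message, so it is the value that needs escaping before it reaches the directory.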
New Member

got it working, but more problems :)

OK I was able to get the LDAP query to work using a group query. [below]
(&(mail={a})(companyname={g}))

there are a couple other problems.
1) I've entered the LDAP query into a content filter, if it passes it adds a header, then alt-routes it to another host.
However, while the header gets added, it is not routing through the alternate host specified.

2) in reference to the LDAP query, I have tried replacing the companyname with servername, however I can't get it to pass the query. I've tried formatting the server name as canonical (CN=servername,OU=unit,O=org,C=US). I've also tried several other ways of formatting it and it simply will not pass the query.

Any ideas.

Thanks for all your help.!!

New Member

Re: got it working, but more problems :)

> OK I was able to get the LDAP query to work using a group query. [below]
> (&(mail={a})(companyname={g}))
>
> there are a couple other problems.
> 1) I've entered the LDAP query into a content filter, if it passes it adds a header, then alt-routes it to another host.
> However, while the header gets added, it is not routing through the alternate host specified.



Can you display the IF condition and the Action of your content filter? Specific examples would be best.



> 2) in reference to the LDAP query, I have tried replacing the companyname with servername, however I can't get it to pass the query. I've tried formatting the server name as canonical (CN=servername,OU=unit,O=org,C=US). I've also tried several other ways of formatting it and it simply will not pass the query.



If you can enable the LDAP Debug Log, I would like to see what you're submitting in the query.

To create the ldap debug log, follow these steps:

1. In the GUI interface, click on "System Administration > Log Subscriptions".
2. Add new log, select the "LDAP Debug Log" type.

Once the log is created, run your test again in the LDAP section, "System Administration > LDAP".

Your test will show up in the ldap debug logs that you created. On the command line, you can tail the ldap debug logs while you're doing the test. On the CLI, type "tail" and select the ldap debug log.

If you can submit the results here, that would be useful.



New Member

it hates me

:?
I have no idea what I was doing, but I finished some other things and decided I would give the 'mailserver' query another try, darn if it didn't work the first time.
Now the only issue is the action. I have two actions: 1) add a header and 2) alt-mailhost to route the message to another server. The header is getting added but it's still routing based on the recipient domain.
as below:
alt-mailhost ("apbmt01pr.domain.com")

New Member

Re: it hates me

On the CLI of your Ironport appliance type this:

nslookup apbmt01pr.domain.com a


What are the results?


Try using the IP address instead of the hostname.



New Member

Re: it hates me

NSLOOKUP does resolve the IP address.
I have not tried the IP address specifically, but we originally tried an address that referenced a couple MX records which also didn't work.
I'll try the IP address,
If not maybe some fresh eyes on Monday will help.

New Member

Re: it hates me

My only other recommendation is after putting in the alt-mailhost, put in a deliver() final action.


