We have the following scenario: there is just one single mail domain. 500 mailboxes are on a Microsoft Exchange server with Active Directory, 500 mailboxes are on a different server hosting POP3 mailboxes. Obviously I cannot use an LDAP Accept Query, as the AD doesn't have any knowledge about the POP3 mailboxes. The question is, can I still use LDAP for mail routing, even if some accounts are not in the AD?
The problem is that half the users are not in any directory. So I think we will try to have an SMTP route for those and an LDAP routing query for those on the AD. I'm just unsure if this query will generate errors for those users who are not in a directory.
I don't have the exact syntax yet. All users are in the same mail domain: @domain.com, so no way to separate mails here. One half of the users are on the Exchange, so LDAP based routing is possible here. The other half is external, but this doesn't show in the address and the mails go to a POP3 server with no directory I can use.
The question is, can I still use LDAP for mail routing, even if some accounts are not in the AD?
Yes you can. You can do that at listener level or use "Bypass LDAP Accept Queries" in the RAT. This disables only the accept query but leaves LDAP routing enabled.
The default SMTP route of @domain.com needs to be set to the POP3 mailboxes (the ones which can't be found in any directory), then you need to set up an extra attribute for each AD account (e.g. extensionAttributeXX) to get Exchange addresses routed to the Exchange server.
In this scenario all messages other than Exchange ones will be routed to the POP3 mailboxes. It's good to keep in mind that the LDAP routing attribute in AD will play a very important role. If the routing attribute in AD is missing, the mail will follow the default SMTP route and end up in the wrong environment!
We are accepting the emails for our colleagues in India while we are seated in Germany. We run accept queries against our AD using mail-enabled contacts (translated word by word from German, sorry) for our Indian branch. The routing to India is done by the Exchange server, even though it requires a bit of maintenance on our side.
Well... there are more LDAP directories than MS Active Directory.
If I understand you right your main problem is how to route 50% of your recipient addresses to Exchange and 50% of them to the POP3 system. If you could, it would be nice to have a message accept policy that is LDAP driven.
I suggest you try to install a dedicated LDAP server for your IronPort(s). That LDAP server should be updated daily with the details from your AD and an export from the POP3 system. On the Linux platform there are several options (OpenLDAP, Apache Directory, Fedora 389, etc.).
Make sure your import scripts also provision the mail addresses of all users and (at least) an attribute like "mailHost": the Exchange-based 50% of your recipients would have the static value "your.exchange.server" (the hostname of your Exchange bridgehead), the other 50% would have "your.pop3.server" (the hostname of your POP3 server) as value.
After that you can create a mail routing LDAP query that makes sure the messages are routed correctly. The mailHost attribute will be used to determine where the message should be routed to. If needed, you can also run a message acceptance query against that same LDAP. That query would reject all mail addresses that are unknown to the directory.
If you have more questions about this, just send me a message; I have some experience with this matter.
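To make the two approaches in this thread concrete (a routing attribute such as extensionAttributeXX on each AD account with a default SMTP route as fallback, and a consolidated directory with a mailHost attribute plus an accept query), here is an added example that is not from any of the replies above and not IronPort code. It parses a constructed LDIF export, makes the same next-hop decision the appliance would make from the routing attribute, checks recipients against the directory the way an accept query would, and audits for the failure mode mentioned earlier: Exchange users whose routing attribute is missing and who would therefore silently fall through to the POP3 default route. All hostnames, attribute names and directory entries are constructed placeholders; the attribute name is a parameter, so the same logic applies to an AD export keyed on extensionAttributeXX.

```python
"""Simulate LDAP-driven mail routing for one shared domain (added example).

Models the two approaches discussed in the thread: a per-entry routing
attribute (extensionAttributeXX in AD or mailHost in a consolidated
OpenLDAP/389 directory) with a default SMTP route for anything that has no
entry or no attribute. Hostnames, attribute names and entries are constructed.
"""

DEFAULT_ROUTE = "pop3.example.internal"      # default SMTP route for @domain.com (placeholder)
EXCHANGE_HOST = "exchange.example.internal"  # Exchange bridgehead (placeholder)

# Constructed LDIF export of the consolidated directory (mailHost approach).
# carol has a mail address but no mailHost: the misconfiguration to catch.
LDIF_EXPORT = """\
dn: uid=alice,ou=people,dc=domain,dc=com
mail: alice@domain.com
mailHost: exchange.example.internal

dn: uid=bob,ou=people,dc=domain,dc=com
mail: bob@domain.com
mailHost: pop3.example.internal

dn: uid=carol,ou=people,dc=domain,dc=com
mail: carol@domain.com
proxyAddresses: smtp:c.smith@domain.com
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of {attribute: [values]} dicts.

    Handles blank-line separated entries, repeated attributes and folded
    continuation lines (leading space). Base64 ('::') values are not handled.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")      # split on the FIRST colon only
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def build_index(entries, route_attr):
    """Map every mail address (mail + smtp: proxyAddresses) to its routing host.

    route_attr is "mailHost" for the consolidated directory or e.g.
    "extensionAttribute15" for an AD export; missing attribute -> None.
    """
    index = {}
    for entry in entries:
        host = entry.get(route_attr, [None])[0]
        addrs = [a.lower() for a in entry.get("mail", [])]
        addrs += [a.split(":", 1)[1].lower()
                  for a in entry.get("proxyAddresses", [])
                  if a.lower().startswith("smtp:")]
        for addr in addrs:
            index[addr] = host
    return index


def resolve_route(index, recipient):
    """Next hop: the routing attribute wins; otherwise the default SMTP route."""
    host = index.get(recipient.lower())
    return host if host else DEFAULT_ROUTE


def accept(index, recipient):
    """Accept query against the consolidated directory: unknown address -> reject."""
    return recipient.lower() in index


def audit_missing_route(index, exchange_users):
    """Exchange mailboxes with no routing attribute (or no entry at all).

    These would not error out; they would quietly follow the default route
    into the POP3 environment, so they should be found before go-live.
    """
    return sorted(u.lower() for u in exchange_users if index.get(u.lower()) is None)


if __name__ == "__main__":
    idx = build_index(parse_ldif(LDIF_EXPORT), "mailHost")
    for rcpt in ("Alice@domain.com", "bob@domain.com", "c.smith@domain.com", "nobody@domain.com"):
        print(f"{rcpt:20} accept={accept(idx, rcpt)!s:5} route={resolve_route(idx, rcpt)}")
    print("Exchange users without routing attribute:",
          audit_missing_route(idx, ["alice@domain.com", "carol@domain.com"]))
```

The audit is the part worth running daily alongside the import script: a directory entry without the routing attribute is not rejected anywhere in this design, it is simply delivered to the wrong server.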