I am not sure if you can use LDAP to verify users, but I know you can enable sender verification on your $RELAYED mail flow policy. This will check for you whether the mail-from address is i) from a valid domain, ii) from a domain that is resolvable and iii) a malformed address. This works in most situations and would work for you, unless of course the spammers are actually using your real domain with invalid users.
Thinking off the top of my head, you probably could use a content filter with LDAP, and say if mails are not from any of your users (or groups), just drop the mails. This of course has a performance impact. If you go this route, just make sure it's an outgoing mail content filter, and please test before implementing.
We use an LDAP group lookup from our IronPort appliance against our LDAP directory to achieve this and it works very well... we only allow some addresses to send outbound email. We call the LDAP group query from an outgoing mail policy. If the sender doesn't match that policy it falls through to the default policy, which bounces the email. You can use additional policies higher up the priority list to allow any other type of mail you want to allow.
I'd think you should also review your mail policies further and close your open relay hole.
To deploy SPF using its strictest policy, you must be able to declare the legitimate sources from which mail from your domain can originate: IP source addresses, netblocks, FQDNs, reverse domains, etc.
If you have one single (or clustered) C-series mail router in the DMZ and all the mail traffic from @yourdomain.com can be routed outbound via these C-series boxes only, then you can set up your SPF records so that only your C-series box(es) are legitimate mail sources.
If you use RFC 1918 private addressing internally, that's it.
If you use public, routable IP addressing internally, you might need to add that network into your SPF record, but it depends on how the mail traffic is routed there.
Then configure your IronPort C-series appliances using SPF. If you have inbound forged mail coming in, and if the source IP address of the SMTP peer is not listed in your SPF records, and if you use the strictest SPF policy, your C-series appliance will reject these inbound connections.
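To make the SPF advice above concrete, here is a small added example (not from any poster in this thread and not Cisco/IronPort code) that evaluates an SMTP peer's source IP against a domain's SPF TXT record. The DNS records, domain names and IP addresses are constructed for the example; a real check queries DNS. It implements only the ip4/ip6/all mechanisms, which is all a "only our DMZ C-series boxes may send" record needs, and it flags RFC 1918 netblocks that have no business appearing in a public SPF record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not real domains).
# example.com is the strict case from the thread: only the two DMZ
# C-series appliances may send, everything else hard-fails (-all).
# loose.example shows the softfail (~all) variant for comparison.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all",
    "loose.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(source_ip, domain, dns=FAKE_DNS_TXT):
    """Return the SPF result for an SMTP peer IP claiming to send for domain.

    Only ip4, ip6 and all are implemented; include/a/mx/redirect would need
    further DNS lookups and are reported as permerror by this toy evaluator.
    """
    record = dns.get(domain)
    if record is None:
        return "none"                        # domain publishes no SPF record
    ip = ipaddress.ip_address(source_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"
    return "neutral"                         # record ends without an 'all' term


def private_sources(record):
    """List ip4 terms in the record that overlap RFC 1918 space.

    Internal hosts relay through the DMZ appliances, so their private
    addresses should never be listed as legitimate public senders.
    """
    bad = []
    for _, mech, arg in parse_spf(record):
        if mech != "ip4":
            continue
        net = ipaddress.ip_network(arg, strict=False)
        if any(net.overlaps(p) for p in RFC1918):
            bad.append(arg)
    return bad


if __name__ == "__main__":
    for peer, dom in (("203.0.113.10", "example.com"),   # a DMZ C-series box
                      ("198.51.100.7", "example.com"),   # forged, strict -> fail
                      ("198.51.100.7", "loose.example")):  # forged, ~all -> softfail
        print(f"{peer} for {dom}: {check_spf(peer, dom)}")
    print("RFC 1918 leakage:",
          private_sources("v=spf1 ip4:203.0.113.10 ip4:10.0.0.0/8 -all"))
```

With the strict record, a connection from anything other than the listed appliances evaluates to fail, which is the condition under which an SPF-enforcing receiver (the C-series appliance in the post above, for inbound mail) rejects the connection; with ~all the same forged source only softfails and is normally accepted and marked.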