8/10/2019 FortiMail-09-LDAP
1/10
Course 221 - FortiMail Email Filtering
06-50000-0221-20130726
LD
2013 Fortinet Inc. All rights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
LDAP
Module 9
Module Objectives
By the end of this module, you will be able to:
Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server
Set up group-based email inspection using group attributes defined in an existing LDAP server
LDAP Profile
The FortiMail unit can be configured to consult an LDAP server for many items that you would normally configure locally, such as:
User Query
Group Query
User Authentication
User Alias
Mail Routing
Address Mapping
Domain lookup
LDAP Profile
The main section of every LDAP profile is User Query Options.
It contains key elements such as the object classes and attributes to query, the bind DN and the base DN.
User Query Options
The User Query Options area is also used to define the attributes to search for an object's DN, starting from its email address.
This functionality can be used in the following scenarios:
Recipient address verification
Automatic removal of invalid quarantine accounts
Domain verification
Browse Directory Tree
An administrator can browse the directory tree from User Query Options.
Browse Directory Tree Sample Output
Valid Recipient LDAP Search Sequence
Exchange between the FortiMail unit and the AD server:
1. FortiMail unit -> AD server: LDAP Bind Request, Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
2. AD server -> FortiMail unit: LDAP Bind Response Success
3. FortiMail unit -> AD server: LDAP Search Request
   Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
   LDAP Search: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:[email protected])([email protected])))
4. AD server -> FortiMail unit: LDAP SearchResEntry, Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab
Invalid Recipient LDAP Search Sequence
Exchange between the FortiMail unit and the AD server:
1. FortiMail unit -> AD server: LDAP Bind Request, Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab
2. AD server -> FortiMail unit: LDAP Bind Response Success
3. FortiMail unit -> AD server: LDAP Search Request
   Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab
   LDAP Search: (&(|(objectClass=User)(objectClass=publicFolder))(|(proxyAddresses=smtp:[email protected])([email protected])))
4. AD server -> FortiMail unit: LDAP SearchResDone Success, 0 Results
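The two sequences above (valid recipient returning a SearchResEntry, unknown recipient returning SearchResDone with 0 results) modelled offline, as an added example that is not part of the course material. It builds the same filter the slides show from a recipient address and evaluates it against a constructed in-memory directory instead of a live AD server. The attribute name `mail` for the second alternative of the filter is an assumption (the slides only show `proxyAddresses` explicitly), and the RFC 4515 escaping of the address is the check a practitioner wants before a mail-derived string is placed in a filter.

```python
"""Recipient address verification against an LDAP directory, modelled offline.

Added example, not from the FortiMail course. The directory below is
constructed; the 'mail' attribute name is an assumption.
"""
from typing import Dict, List, Optional

# RFC 4515 escaping for values placed inside an LDAP search filter. Without
# it, a recipient address containing '*', '(' or ')' would be interpreted as
# filter syntax instead of being compared as a literal value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_recipient_filter(email: str) -> str:
    """Build the recipient-verification filter shown in the slides."""
    m = escape_filter_value(email)
    return (
        "(&(|(objectClass=User)(objectClass=publicFolder))"
        f"(|(proxyAddresses=smtp:{m})(mail={m})))"
    )


# Constructed directory: DN -> attributes (multi-valued attributes are lists),
# laid out under the lab's DC=trainingAD,DC=training,DC=lab tree.
BASE_DN = "CN=Users,DC=trainingAD,DC=training,DC=lab"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "person", "User"],
        "mail": ["user1@training.lab"],
        "proxyAddresses": ["SMTP:user1@training.lab", "smtp:u1@training.lab"],
    },
    "CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "publicFolder"],
        "mail": ["sales@training.lab"],
        "proxyAddresses": ["smtp:sales@training.lab"],
    },
    # Outside the base object and not a User/publicFolder: never a valid recipient.
    "CN=Printer1,CN=Computers,DC=trainingAD,DC=training,DC=lab": {
        "objectClass": ["top", "computer"],
        "mail": ["printer1@training.lab"],
    },
}


def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    # AD compares these string attributes case-insensitively (assumption here).
    return [v.lower() for v in entry.get(attr, [])]


def verify_recipient(email: str, directory=DIRECTORY, base_dn: str = BASE_DN) -> Optional[str]:
    """Return the DN of the matching entry (a SearchResEntry) or None (0 results).

    Evaluates the conditions the filter expresses, restricted to entries under
    base_dn the way a subtree-scoped search request would be.
    """
    target = email.lower()
    for dn, entry in directory.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue  # not under the search base object
        classes = _values(entry, "objectClass")
        if "user" not in classes and "publicfolder" not in classes:
            continue
        if f"smtp:{target}" in _values(entry, "proxyAddresses") or target in _values(entry, "mail"):
            return dn
    return None


if __name__ == "__main__":
    for addr in ("user1@training.lab", "u1@training.lab", "nobody@training.lab"):
        print(build_recipient_filter(addr))
        print("  ->", verify_recipient(addr) or "SearchResDone Success 0 Results")
```

`verify_recipient` returns a DN for the primary `proxyAddresses` value, for a secondary `smtp:` alias and for a `mail` value, and `None` for an address nobody owns, which is what drives FortiMail's accept/reject decision in recipient verification.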
Group Query
The LDAP directory can be queried for group membership.
This functionality provides the ability to clearly identify if an object is part of a group.
All the users located in the same container will be considered part of the same group.
Group Query Verify
You can query the LDAP directory to verify LDAP connectivity and lookup results as follows:
User Authentication
Users' credentials can be verified using LDAP by configuring User Authentication Options.
User Alias
The User Alias option is used to dynamically resolve email aliases to real email addresses by querying a directory server.
One advantage of this option is the handling of quarantine reports, because the FortiMail unit maintains a single quarantine mailbox at each user's primary email account.
User Alias
Attribute name that contains the list of real email addresses
Attribute that uniquely identifies the object used for the alias resolution
User Alias
LDAP Advanced Options
To optimize the usage of the LDAP queries, enable the caching capabilities from Advanced Options.
Mail Routing
Email can be routed to a backend SMTP server that differs from the one associated with the MX record or statically configured in the protected domain section.
The field Mail host attribute defines the MTA (FQDN or IP) where the email should be sent.
The field Mail routing address attribute matches the recipient address. When an email for this attribute is received, the email will be routed to the MTA specified for Mail host attribute.
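The three attribute-driven lookups described in this module (Group Query, User Alias and Mail Routing) worked through over one constructed directory, as an added example that is not part of the course material. Each lookup takes the attribute name as a parameter, mirroring the corresponding FortiMail option; the attribute names used as defaults (`memberOf` for the group attribute, `mail` as the identifying and routing address attribute, `proxyAddresses` as the list of real addresses, `mailHost` as the mail host attribute) are assumptions, as are the entries themselves.

```python
"""Group query, user alias resolution and mail routing lookups, modelled offline.

Added example, not code from the FortiMail course. Attribute names and the
directory entries are constructed assumptions.
"""
from typing import Dict, List, Optional

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "mail": ["user1@training.lab"],
        "memberOf": ["CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab"],
        "mailHost": ["mail1.training.lab"],
    },
    "CN=User2,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "mail": ["user2@training.lab"],
        "memberOf": [],
        "mailHost": ["mail2.training.lab"],
    },
    # An alias object: its 'mail' is the alias, proxyAddresses lists real recipients.
    "CN=Helpdesk,CN=Users,DC=trainingAD,DC=training,DC=lab": {
        "mail": ["helpdesk@training.lab"],
        "proxyAddresses": ["smtp:user1@training.lab", "smtp:user2@training.lab"],
    },
}


def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    return [v.lower() for v in entry.get(attr, [])]


def parent_container(dn: str) -> str:
    """Strip the leading RDN: the remainder of the DN is the object's container."""
    return dn.split(",", 1)[1]


def find_by_address(address: str, attr: str = "mail", directory=DIRECTORY) -> Optional[str]:
    """DN of the entry whose `attr` holds `address`, or None."""
    for dn, entry in directory.items():
        if address.lower() in _values(entry, attr):
            return dn
    return None


def in_group(dn: str, group_dn: str, group_attr: str = "memberOf", directory=DIRECTORY) -> bool:
    """Group query by attribute: the group DN must appear in `group_attr`."""
    return group_dn.lower() in _values(directory[dn], group_attr)


def same_container(dn_a: str, dn_b: str) -> bool:
    """Container-based grouping: objects in one container count as one group."""
    return parent_container(dn_a).lower() == parent_container(dn_b).lower()


def resolve_alias(address: str, id_attr: str = "mail", real_attr: str = "proxyAddresses",
                  directory=DIRECTORY) -> List[str]:
    """Expand an alias to the real addresses stored on its object.

    The 'smtp:' prefix stored in the directory is stripped; an address that is
    not an alias (no object, or no real addresses on it) resolves to itself.
    """
    dn = find_by_address(address, id_attr, directory)
    if dn is None:
        return [address]
    real = [v.split(":", 1)[-1] for v in directory[dn].get(real_attr, [])]
    return real or [address]


def mail_host_for(address: str, route_attr: str = "mail", host_attr: str = "mailHost",
                  directory=DIRECTORY) -> Optional[str]:
    """Mail routing: the backend MTA for the recipient, or None when the
    directory gives no host and the MX / static relay should be used."""
    dn = find_by_address(address, route_attr, directory)
    if dn is None:
        return None
    hosts = directory[dn].get(host_attr, [])
    return hosts[0] if hosts else None


if __name__ == "__main__":
    u1 = "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab"
    print(in_group(u1, "CN=Sales,CN=Users,DC=trainingAD,DC=training,DC=lab"))
    print(resolve_alias("helpdesk@training.lab"))
    print(mail_host_for("user1@training.lab"))
```

The alias expansion returning the user's own address when no alias object exists is what keeps a single quarantine mailbox per primary account; the `None` from `mail_host_for` is the signal to fall back to the protected domain's configured relay.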
Lab Network
Lab 8 LDAP
Objectives: To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy to a group of users
Tasks
Ex 1: Recipient Address Verification
Ex 2: Group Based Spam Inspection
Estimated time to complete the lab: 30 minutes