FortiMail-09-LDAP


8/10/2019 FortiMail-09-LDAP
1/10
Course 221 - FortiMail Email Filtering
06-50000-0221-20130726

2013 Fortinet Inc. All rights reserved.

The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

    LDAP

    Module 9

Module Objectives

By the end of this module, you will be able to:

- Configure a FortiMail system to perform recipient address verification by querying an existing LDAP server
- Set up group-based email inspection using group attributes defined in an existing LDAP server


LDAP Profile

The FortiMail unit can be configured to consult an LDAP server for many items that you would normally configure locally, such as:

- User Query
- Group Query
- User Authentication
- User Alias
- Mail Routing
- Address Mapping
- Domain lookup

LDAP Profile

The main section of every LDAP profile is User Query Options. It contains key elements such as the object class attributes to query, the bind DN and the base DN.


User Query Options

The User Query Options area is also used to define the attributes used to search for an object's DN, starting from its email address.

This functionality can be used in the following scenarios:

- Recipient address verification
- Automatic removal of invalid quarantine accounts
- Domain verification

Browse Directory Tree

An administrator can browse the directory tree from User Query Options.


    Browse Directory Tree Sample Output

Valid Recipient LDAP Search Sequence

Exchange between the FortiMail unit and the AD server (the four numbered steps of the diagram):

1. LDAP Bind Request (Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab)
2. LDAP Bind Response: Success
3. LDAP Search Request (Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab) with the filter (&(|objectClass=User)(objectClass=publicFolder)) (|(proxyAddresses=smtp:[email protected])([email protected])))
4. LDAP SearchResEntry (Object Name: CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab)


Invalid Recipient LDAP Search Sequence

Exchange between the FortiMail unit and the AD server (the four numbered steps of the diagram):

1. LDAP Bind Request (Bind DN: CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab)
2. LDAP Bind Response: Success
3. LDAP Search Request (Base Object: CN=Users,DC=trainingAD,DC=training,DC=lab) with the filter (&(|objectClass=User)(objectClass=publicFolder)) (|(proxyAddresses=smtp:[email protected])([email protected])))
4. LDAP SearchResDone: Success, 0 results
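The recipient check performed by the valid and invalid search sequences above, as an added Python example that is not part of the course or of Fortinet's code: it builds the search filter from a recipient address with RFC 4515 escaping (so metacharacters in a recipient address cannot change the filter structure) and evaluates the same conditions against a constructed in-memory directory, returning the matching DN (the SearchResEntry case) or None (SearchResDone with 0 results). The mail attribute name, the directory entries and the second DN are assumptions.

```python
"""Added example, not Fortinet's or the course's code: the recipient address
check from the module's search sequences, run against a constructed in-memory
directory standing in for the AD server."""
from typing import Optional

# Constructed sample entries (the DNs follow the module's training lab naming).
DIRECTORY = [
    {"dn": "CN=User1,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "objectClass": ["top", "person", "User"],
     "mail": "user1@training.lab",
     # AD convention: an upper-case SMTP: prefix marks the primary address.
     "proxyAddresses": ["SMTP:user1@training.lab", "smtp:u1@training.lab"]},
    {"dn": "CN=Printers,CN=Users,DC=trainingAD,DC=training,DC=lab",
     "objectClass": ["top", "group"],  # neither User nor publicFolder
     "mail": "printers@training.lab",
     "proxyAddresses": ["SMTP:printers@training.lab"]},
]

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value: without it, metacharacters in a
    recipient address could alter the filter structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def recipient_filter(address: str) -> str:
    """Rebuild the filter shown in the sequence diagram: objectClass User or
    publicFolder, and the address in proxyAddresses (smtp: prefix) or in mail.
    'mail' is an assumption; the attribute names come from User Query Options."""
    a = ldap_escape(address)
    return ("(&(|(objectClass=User)(objectClass=publicFolder))"
            f"(|(proxyAddresses=smtp:{a})(mail={a})))")

def verify_recipient(directory, address: str) -> Optional[str]:
    """Evaluate the filter's conditions locally. Returns the matching DN (the
    SearchResEntry case) or None (SearchResDone, 0 results: invalid recipient).
    Comparison is case-insensitive, as AD matches mail-type attributes."""
    want = address.lower()
    for entry in directory:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if not classes & {"user", "publicfolder"}:
            continue
        proxies = {p.lower() for p in entry.get("proxyAddresses", [])}
        if "smtp:" + want in proxies or entry.get("mail", "").lower() == want:
            return entry["dn"]
    return None

if __name__ == "__main__":
    for rcpt in ("user1@training.lab", "u1@training.lab", "nobody@training.lab"):
        print(rcpt, "->", verify_recipient(DIRECTORY, rcpt))
```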

Group Query

The LDAP directory can be queried for group membership. This functionality provides the ability to clearly identify whether an object is part of a group.

All the users located in the same container will be considered part of the same group.


Group Query Verify

You can query the LDAP directory to verify LDAP connectivity and lookup results (the module shows this as three numbered steps in a screenshot).

User Authentication

Users' credentials can be verified using LDAP by configuring User Authentication Options.


User Alias

The User Alias option is used to dynamically resolve email aliases to real email addresses by querying a directory server.

One advantage of this option is the handling of quarantine reports, because the FortiMail unit maintains a single quarantine mailbox at each user's primary email account.

User Alias

The two settings highlighted in the screenshot:

- The attribute name that contains the list of real email addresses
- The attribute that uniquely identifies the object used for the alias resolution


LDAP Advanced Options

To optimize the usage of LDAP queries, enable the caching capabilities from Advanced Options.


Mail Routing

Email can be routed to a backend SMTP server that differs from the one associated with the MX record or statically configured in the protected domain section.

The Mail host attribute field defines the MTA (FQDN or IP) where the email should be sent.

The Mail routing address attribute field matches the recipient address. When an email for this attribute is received, the email is routed to the MTA specified in the Mail host attribute.

Lab Network


Lab 8 LDAP

Objectives: To verify recipient email addresses against an LDAP server and use the LDAP group attribute to enforce the same security policy for a group of users.

Tasks:

- Ex 1: Recipient Address Verification
- Ex 2: Group Based Spam Inspection

Estimated time to complete the lab: 30 minutes