Introduction
This document describes how to configure LDAP SMTPAUTH to authenticate external users and relay mail.
Procedure
This procedure sets up authenticated relaying for external users (users outside the company's network) who send mail through the appliance with Outlook Express, Mozilla Thunderbird, or a similar mail client.
Note: Before setting up LDAP SMTPAUTH, you need an LDAP server profile that connects to a domain controller (Active Directory) or another LDAP directory. This is configured under System Administration > LDAP.
- After the LDAP profile has been set up and is working, choose System Administration > LDAP. Click the server profile you want to change, then select the SMTP Authentication Query checkbox.
- In the Query String field, enter (samaccountname={u}) for Active Directory. (The attribute name differs for other directories such as Lotus Domino or Novell eDirectory.)
- For the Authentication Method, use: Authenticate via LDAP BIND. (The other settings can be left as default.)
Submit and Commit your changes. Use the Test button on the profile to confirm that the query works: supply a set of Windows credentials (for example, jsmith/*****). If the credentials are not accepted, first verify that the LDAP Accept query higher up on the same profile works; if that fails too, the problem is the bind to the directory, not the SMTPAUTH query.
- Choose Network > SMTP Authentication > Add Profile... and select LDAP as the Profile Type. Submit and Commit your changes.
- Choose Network > Listeners and open the public or private listener on which external users will authenticate.
- For the SMTP Authentication Profile, select the LDAP profile that you created in the previous step. Submit and Commit your changes.
- Choose Mail Policies > Mail Flow Policies. Make sure the correct listener is selected at the top: the listener/IP address that external users will be connecting to.
- Once the correct listener in the Mail Flow Policies is selected, click Default Policy Parameters.
- In Default Policy Parameters, scroll down to the Security Features section and set SMTP Authentication to Preferred. Because the LOGIN and PLAIN mechanisms only base64-encode the password, also set TLS in the same section to Preferred or Required and enable Require TLS To Offer SMTP Authentication, so that a client can never be offered AUTH on a cleartext connection.
- Submit and Commit your changes.
At this point, you should be able to authenticate, using the Email Security appliance as the "outgoing server" in Outlook Express or Mozilla Thunderbird, and relay mail.
If the authentication succeeds, the mail flow policy behavior for that connection changes to Relay, which bypasses the LDAP ACCEPT query and the RAT (Recipient Access Table) check. Treat this as a reminder that any stolen or guessed directory password now grants an open relay through the appliance, so keep TLS required and watch the mail_logs for failed SMTP Auth attempts.
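The following is an added test client, not part of the original article or of Cisco's tooling, that performs the same steps a mail client would (EHLO, STARTTLS, AUTH, send) and refuses to send credentials if the listener offers AUTH before TLS. The host, port, account and addresses are assumed command-line inputs; the verdict strings returned by auth_exposure are this example's own naming.

```python
import base64
import smtplib
import ssl


def auth_login_lines(user, password):
    """The two lines a client sends after 'AUTH LOGIN'. They are only base64,
    so without TLS anyone on the path can read the directory password."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def auth_exposure(before_tls, after_tls):
    """Judge how a listener offers AUTH, from the EHLO feature dicts smtplib collects
    (keys are lowercased extension names, e.g. {'starttls': '', 'auth': 'LOGIN PLAIN'}).
    Verdict strings are this example's own, not appliance output."""
    if "auth" in before_tls:
        return "cleartext-auth"   # AUTH offered before STARTTLS: credentials can go in the clear
    if "starttls" not in before_tls:
        return "no-tls"           # listener cannot protect credentials at all
    if "auth" not in after_tls:
        return "no-auth"          # check SMTP Authentication on the mail flow policy
    return "tls-only-auth"        # the posture to aim for


def check_relay(host, port, user, password, mail_from, rcpt_to, verify_cert=True):
    """Talk to the listener the way Thunderbird would and return the AUTH posture seen.
    Raises on a 535 (bad credentials / LDAP query) or a 5xx relay refusal from sendmail()."""
    ctx = ssl.create_default_context()
    if not verify_cert:           # appliance still on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()              # the feature list must be re-read after STARTTLS
        after = dict(s.esmtp_features)
        posture = auth_exposure(before, after)
        if posture in ("cleartext-auth", "no-tls"):
            raise RuntimeError(f"refusing to send credentials: {posture}")
        s.login(user, password)   # SMTPAuthenticationError here: test the LDAP profile query
        msg = (f"From: {mail_from}\r\nTo: {rcpt_to}\r\n"
               "Subject: ESA relay test\r\n\r\nrelay ok\r\n")
        s.sendmail(mail_from, rcpt_to, msg)   # SMTPRecipientsRefused: policy not Relay
    return posture


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python esa_relay_check.py <listener-host> <port> <user> <from> <to>
    host, port, user, mail_from, rcpt_to = sys.argv[1:6]
    print(check_relay(host, int(port), user, getpass.getpass(), mail_from, rcpt_to))
```

A "cleartext-auth" verdict means the policy has SMTP Authentication set but not Require TLS To Offer SMTP Authentication; fix the policy rather than the client.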
Example of what a successful relay with TLS enabled looks like in the mail_logs:
Wed Sep 12 07:59:39 2007 Info: New SMTP ICID 36 interface Management (172.19.0.146) address 10.251.21.126 reverse dns host unknown verified no
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
<<<SNIP FOR BREVITY>>>
Wed Sep 12 07:59:41 2007 Info: MID 86 matched all recipients for per-recipient policy DEFAULT in the outbound table
The "outbound table" entry shows that the message is being delivered out to the Internet, as opposed to the inbound table, which handles mail heading into your network. Note the order of the ICID 36 lines: TLS was negotiated before the AUTH LOGIN exchange, which is what you want to see for every authenticated connection.
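As an added example (not part of the original article), the following script correlates mail_logs lines per ICID and raises the two findings a practitioner would want from this log: a successful LOGIN/PLAIN authentication on a connection that never negotiated TLS, and repeated failed SMTP Auth attempts from one source address. The first four sample lines are the page's own example rejoined; the ICID 37 and 38 lines, the addresses, users and the "failed for user" wording are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in mail_logs format: ICID 36 is the page's example,
# ICID 37 (auth without TLS) and ICID 38 (password guessing) are invented.
SAMPLE_MAIL_LOGS = """\
Wed Sep 12 07:59:39 2007 Info: New SMTP ICID 36 interface Management (172.19.0.146) address 10.251.21.126 reverse dns host unknown verified no
Wed Sep 12 07:59:39 2007 Info: ICID 36 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None
Wed Sep 12 07:59:41 2007 Info: ICID 36 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 07:59:41 2007 Info: SMTP Auth: (ICID 36) succeeded for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:01:02 2007 Info: New SMTP ICID 37 interface Management (172.19.0.146) address 198.51.100.7 reverse dns host unknown verified no
Wed Sep 12 08:01:03 2007 Info: SMTP Auth: (ICID 37) succeeded for user: jdoe using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:02:10 2007 Info: New SMTP ICID 38 interface Management (172.19.0.146) address 203.0.113.9 reverse dns host unknown verified no
Wed Sep 12 08:02:11 2007 Info: ICID 38 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA
Wed Sep 12 08:02:12 2007 Info: SMTP Auth: (ICID 38) failed for user: admin using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:02:14 2007 Info: SMTP Auth: (ICID 38) failed for user: admin using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:02:16 2007 Info: SMTP Auth: (ICID 38) failed for user: jsmith using AUTH mechanism: LOGIN with profile: ldap_smtp
Wed Sep 12 08:02:18 2007 Info: SMTP Auth: (ICID 38) failed for user: jdoe using AUTH mechanism: LOGIN with profile: ldap_smtp
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
TLS_OK = re.compile(r"ICID (\d+) TLS success protocol (\S+) cipher (\S+)")
AUTH = re.compile(r"SMTP Auth: \(ICID (\d+)\) (succeeded|failed) for user: (\S+) "
                  r"using AUTH mechanism: (\S+) with profile: (\S+)")


def parse_mail_logs(text):
    """Group the events of each inbound connection (ICID) together."""
    conns = {}
    for line in text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            conns[m.group(1)] = {"ip": m.group(2), "tls": None, "auth": []}
            continue
        m = TLS_OK.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["tls"] = (m.group(2), m.group(3))
            continue
        m = AUTH.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["auth"].append({"result": m.group(2), "user": m.group(3),
                                              "mech": m.group(4), "profile": m.group(5)})
    return conns


def findings(conns, fail_threshold=3):
    """Return human-readable findings; the threshold is an assumed tuning value."""
    out = []
    fails_by_ip = defaultdict(int)
    for icid, c in conns.items():
        for a in c["auth"]:
            # LOGIN/PLAIN carry the password as base64 only: without TLS it was on the wire in the clear
            if a["result"] == "succeeded" and c["tls"] is None and a["mech"] in ("LOGIN", "PLAIN"):
                out.append(f"ICID {icid} {c['ip']}: {a['user']} authenticated with "
                           f"{a['mech']} over cleartext (no TLS success for this ICID)")
            if a["result"] == "failed":
                fails_by_ip[c["ip"]] += 1
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold:
            out.append(f"{ip}: {n} failed SMTP AUTH attempts (possible password guessing)")
    return out


if __name__ == "__main__":
    for line in findings(parse_mail_logs(SAMPLE_MAIL_LOGS)):
        print(line)
```

Run it against a real mail_logs export instead of SAMPLE_MAIL_LOGS; a cleartext finding means the policy is missing Require TLS To Offer SMTP Authentication, and the failed-attempt count is the signal to feed into a sender-group or firewall block for that address.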