Integration with an external directory service

26 April 2024

ID 88722

Kaspersky Secure Mail Gateway can connect to servers of external directory services used by your organization over the LDAP protocol.

A connection to an external directory service via the LDAP protocol enables the Kaspersky Secure Mail Gateway administrator to:

  • Add senders or recipients from an external directory service to message processing rules.
  • Use autocompletion in the Sender email and Recipient email fields when filtering email traffic processing events and when filtering messages of corporate LAN users in Backup.

If the organization uses multiple domains, an LDAP connection must be configured for each domain.

Multiple LDAP connections can be configured for a single domain in the external directory service, provided that each LDAP connection has a unique value of the Search base field.

If an LDAP domain uses multiple domain controllers for fault tolerance, it is not necessary to add an extra LDAP connection. Within a previously configured connection, the program automatically selects an available domain controller according to the priorities of the SRV records published on the DNS server (a lower priority value is preferred; targets with the same priority are distributed according to their weights). To confirm which controllers and priorities the DNS server advertises for a domain, query the SRV records that Active Directory publishes for its domain controllers, for example with dig SRV _ldap._tcp.dc._msdcs.<domain>.
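The selection rule described above, as an added example that is not part of the original page and not Kaspersky code: it implements the RFC 2782 ordering (lowest priority first, weighted random choice among equal priorities) over a constructed set of SRV records for the hypothetical domain example.com, and walks the resulting list until a reachable controller is found. The reachability probe is injected so the example runs offline; how Kaspersky Secure Mail Gateway itself probes a controller is not stated on the page.

```python
"""RFC 2782 style domain controller selection over SRV records.

Added example. The records below are constructed and the domain
example.com is hypothetical; this is not the product's own code.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first
    weight: int     # relative share among records with equal priority
    port: int
    target: str


# Constructed records, as they might be published under
# _ldap._tcp.dc._msdcs.example.com (hypothetical domain).
SRV_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 100, 389, "dc2.example.com"),
    SrvRecord(10, 0, 389, "dc-branch.example.com"),
]


def order_candidates(records, rng=None):
    """Return the records in the order a client should try them.

    All records of the lowest priority come first. Within one priority
    level, records are drawn without replacement with probability
    proportional to their weight. Zero-weight records are only drawn
    once every positive-weight record of that level has been taken
    (a simplification of the RFC's "small chance" rule).
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                n = rng.randint(1, total)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if acc >= n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def select_available(records, is_reachable, rng=None):
    """Return the first candidate, in SRV order, that is_reachable accepts.

    is_reachable(record) -> bool is supplied by the caller (a TCP connect
    or an LDAP bind in a real client); None means no controller answered.
    """
    for rec in order_candidates(records, rng):
        if is_reachable(rec):
            return rec
    return None


if __name__ == "__main__":
    # Pretend dc1 is down: the client should land on dc2, not on the
    # lower-priority branch controller.
    chosen = select_available(SRV_RECORDS, lambda r: r.target != "dc1.example.com")
    print("selected:", chosen.target if chosen else None)
```

Both dc1 and dc2 are always tried before dc-branch, whichever order the weights produce; dc-branch is reached only when every priority-0 controller fails the probe.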

After configuring the LDAP server connection, the program automatically synchronizes data with the Active Directory domain controller every 30 minutes. You can configure the synchronization to run on a schedule. If you need to update user account data immediately (for example, after adding a user), you can start the synchronization manually.

Each cluster node synchronizes independently of other nodes. As a result of a successful synchronization, the LDAP cache stores the following information:

  • Accounts of all users in the domain
  • Active Directory contacts (if receiving email addresses of contacts is configured in the LDAP server connection settings)
  • Groups to which domain users and contacts belong
  • Email addresses of domain users, groups, and contacts

The program stores and uses this data until the next synchronization is initiated. If the domain controller is not available, the last received data is used; this also means that changes made in the directory while the domain controller is unreachable (for example, a disabled or deleted account) are not reflected until a later synchronization succeeds. After deleting the LDAP server connection, all LDAP cache data is deleted.

After a successful synchronization, Kaspersky Secure Mail Gateway checks the LDAP accounts for duplicate data. The following data are checked for duplicates:

  • Names of all domain users.

    For users with duplicate names, protection against Active Directory spoofing is disabled; such users also cannot use personal Backup or personal allowlists and denylists of sender addresses.

  • Groups to which domain users belong.

    For groups with duplicated names, protection against Active Directory spoofing is disabled.

  • Active Directory contacts.

    For contacts with duplicated names, protection against Active Directory spoofing is disabled.

  • Kerberos user accounts.

    Users with duplicated Kerberos names cannot use personal Backup or personal allowlists and denylists of sender addresses.

  • NTLM user accounts.

    Users with duplicated NTLM names cannot use personal Backup or personal allowlists and denylists of sender addresses.

  • Email addresses of domain users.

    Messages intended for duplicated addresses are not placed in users' personal Backup, and personal allowlists and denylists of sender addresses are not applied to duplicated addresses.

If duplicate data are found in accounts, the cluster node table displays a warning.
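The duplicate check described in the list above, as an added example that is not part of the original page and not Kaspersky code. It runs the six checks over a constructed LDAP cache modeled on what the page says is stored after synchronization, and reports, per entry, which feature the page says is switched off. The attribute used for each category is an assumption (the "name" field for user, group and contact names; userPrincipalName for the Kerberos name; sAMAccountName for the NTLM name), as is the case-insensitive comparison.

```python
"""Duplicate check over a synchronized LDAP cache.

Added example, not the product's own code. The cache below is
constructed; attribute choices and case-insensitive matching are
assumptions.
"""
from collections import Counter

# Constructed cache: users, contacts and groups with their addresses.
# Deliberate duplicates: two users named "Bob Jones" (case differs),
# Dave's UPN repeats Alice's, Alice and Bob share an address,
# and two contacts are both named "Carol Ext".
LDAP_CACHE = [
    {"kind": "user", "name": "Alice Smith", "sam": "asmith",
     "upn": "asmith@example.com", "mail": ["alice@example.com", "Shared@example.com"]},
    {"kind": "user", "name": "Bob Jones", "sam": "bjones",
     "upn": "bjones@example.com", "mail": ["bob@example.com", "shared@example.com"]},
    {"kind": "user", "name": "bob jones", "sam": "bjones2",
     "upn": "bob.jones@example.com", "mail": ["bob.jones@example.com"]},
    {"kind": "user", "name": "Dave Lee", "sam": "dlee",
     "upn": "ASmith@example.com", "mail": ["dave@example.com"]},
    {"kind": "contact", "name": "Carol Ext", "mail": ["carol@partner.example"]},
    {"kind": "contact", "name": "Carol Ext", "mail": ["carol.ext@partner.example"]},
    {"kind": "group", "name": "Finance", "mail": ["finance@example.com"]},
    {"kind": "group", "name": "Sales", "mail": ["sales@example.com"]},
]


def _dups(values):
    """Case-folded values that occur more than once (None/empty ignored)."""
    counts = Counter(v.casefold() for v in values if v)
    return {v for v, n in counts.items() if n > 1}


def find_duplicates(cache):
    """Run the six checks the page lists; returns category -> duplicated values."""
    users = [e for e in cache if e["kind"] == "user"]
    return {
        "user_name": _dups(e["name"] for e in users),
        "group_name": _dups(e["name"] for e in cache if e["kind"] == "group"),
        "contact_name": _dups(e["name"] for e in cache if e["kind"] == "contact"),
        "kerberos": _dups(e.get("upn") for e in users),
        "ntlm": _dups(e.get("sam") for e in users),
        "user_email": _dups(a for e in users for a in e["mail"]),
    }


def restrictions(cache):
    """Per entry, which features are disabled as a result of duplicates."""
    d = find_duplicates(cache)
    report = []
    for e in cache:
        name = e["name"].casefold()
        no_spoof = no_personal = False
        if e["kind"] == "user":
            if name in d["user_name"]:
                no_spoof = no_personal = True
            if (e.get("upn") or "").casefold() in d["kerberos"]:
                no_personal = True
            if (e.get("sam") or "").casefold() in d["ntlm"]:
                no_personal = True
        elif e["kind"] == "group" and name in d["group_name"]:
            no_spoof = True
        elif e["kind"] == "contact" and name in d["contact_name"]:
            no_spoof = True
        # Addresses that are neither delivered to personal Backup nor
        # subject to personal allowlists/denylists.
        excluded = sorted(a for a in e["mail"] if a.casefold() in d["user_email"])
        report.append({
            "kind": e["kind"],
            "name": e["name"],
            "spoofing_protection_disabled": no_spoof,
            "personal_backup_and_lists_disabled": no_personal,
            "addresses_excluded": excluded,
        })
    return report


def has_duplicates(cache):
    """True when any category found duplicates (the condition for the warning)."""
    return any(find_duplicates(cache).values())


if __name__ == "__main__":
    for row in restrictions(LDAP_CACHE):
        if row["spoofing_protection_disabled"] or row["personal_backup_and_lists_disabled"] or row["addresses_excluded"]:
            print(row)
    print("warning:", has_duplicates(LDAP_CACHE))
```

Running it on the constructed cache flags Bob's two accounts, Alice and Dave (Kerberos name clash), both Carol contacts, and the shared address on Alice and Bob; the groups come out clean.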

In this Help section

Creating a keytab file

Adding an LDAP server connection

Deleting an LDAP server connection

Modifying LDAP server connection settings

Configuring the schedule of synchronization with the Active Directory domain controller

Manually starting synchronization with the Active Directory domain controller
