How to configure SMTP verification using LDAPS in Kaspersky Secure Mail Gateway

Latest update: June 16, 2020 ID: 12300
 
 
 
 

The guide is applicable for cases when several LDAP servers are used. If the servers have different search_base or accounts, create a configuration file for each server. Add the created files to the relay_recipient_maps options.

 
 
 
 

To enable SMTP verification using LDAPS:

  1. Open the console of the Kaspersky Secure Mail Gateway virtual machine or connect to it via SSH.
  2. Go to Technical Support Mode.
  3. Copy the file /opt/kaspersky/klms-appliance/share/postfix/main.cf.template
  4. In the original file, find  relay_recipient_maps
  5. Delete the following lines:
{% if rejectRecipient == "unlisted" -%}
{%- endif %}
  1. Add the following line below:
relay_recipient_maps = ldap:$config_directory/ldap_relay_recipients.cf
  1. Make sure the file includes the following parameters:
smtpd_recipient_restrictions = reject_unlisted_recipient,  reject_non_fqdn_recipient,  reject_unknown_recipient_domain,  permit_mynetworks,  reject_unauth_destination,  reject_unverified_recipient
smtpd_reject_unlisted_recipient = yes
  1. Save the file.
Changing of the settings related to reject_unlisted_recipient will become unavailable after you save the file main.cf.template.
  1. Create a file /etc/postfix/ldap_relay_recipients.cf
  2. Fill it in according to the example:

SSL is supported. In this case, the link must start with ldaps:// 

  • If you are using a single LDAP server:
  • server_host = ldaps://192.168.0.1
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If you are using multiple LDAP servers:
  • server_host = ldaps://192.168.0.1, ldaps://192.168.0.2
    timeout = 5
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If the first LDAP server is unavailable, the application will try to access the second one.
  • bind parameters are optional, if anonymous access to LDAP is available. 
  • For description of all parameters, see the Postfix official website.
  1. Check if you can find users by their email addresses:
postmap -q test10@test.mail.com ldap:/etc/postfix/ldap_relay_recipients.cf  
If the address exists and the search works, the information about the address will appear on the screen.
  1. Update the configuration of postfix:
/opt/kaspersky/klms-appliance/bin/update_postfix_config.sh

If the settings are correct, upon attempts to send a message to the user outside LDAP, you will get the error:

Non existing user:
Feb 26 17:53:50 adagsd postfix/smtpd[10029]: NOQUEUE: reject: RCPT from adagsd.test.local[::1]: 550 5.1.1 <test111111@test.mail.com>: Recipient address rejected: User unknown in relay recipient table; from=<root@adagsd.test.local> to=<test111111@test.mail.com> proto=ESMTP helo=<adagsd.test.local>

 
 
 
 

The settings will not function if Trusted Networks is used. For details, please see the Postfix website.

 
 
 
 
 
Did you find what you were searching for?
Thank you for your feedback!