How to configure SMTP verification using LDAPS in Kaspersky Secure Mail Gateway

Latest update: June 07, 2023 ID: 12300
 
 

Get maximum benefit from Kaspersky solutions

 
 
This article concerns Kaspersky Secure Mail Gateway 1.1 (version 1.1.2.30).
 
 
 
 

The guide is applicable for cases when several LDAP servers are used. If the servers have different search_base or accounts, create a configuration file for each server. Add the created files to the relay_recipient_maps options.

 
 
 
 

To enable SMTP verification using LDAPS:

  1. Open the console of the Kaspersky Secure Mail Gateway virtual machine or connect to it via SSH.
  2. Go to Technical Support Mode.
  3. Copy the file /opt/kaspersky/klms-appliance/share/postfix/main.cf.template
  4. In the original file, find  relay_recipient_maps
  5. Delete the following lines:
{% if rejectRecipient == "unlisted" -%}
{%- endif %}
  1. Add the following line below:
relay_recipient_maps = ldap:$config_directory/ldap_relay_recipients.cf
  1. Make sure the file includes the following parameters:
smtpd_recipient_restrictions = reject_unlisted_recipient,  reject_non_fqdn_recipient,  reject_unknown_recipient_domain,  permit_mynetworks,  reject_unauth_destination,  reject_unverified_recipient
smtpd_reject_unlisted_recipient = yes
  1. Save the file.
Changing of the settings related to reject_unlisted_recipient will become unavailable after you save the file main.cf.template.
  1. Create a file /etc/postfix/ldap_relay_recipients.cf
  2. Fill it in according to the example:

SSL is supported. In this case, the link must start with ldaps:// 

  • If you are using a single LDAP server:
  • server_host = ldaps://192.168.0.1
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If you are using multiple LDAP servers:
  • server_host = ldaps://192.168.0.1, ldaps://192.168.0.2
    timeout = 5
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If the first LDAP server is unavailable, the application will try to access the second one.
  • bind parameters are optional, if anonymous access to LDAP is available. 
  • For description of all parameters, see the Postfix official website.
  1. Check if you can find users by their email addresses:
postmap -q test10@test.mail.com ldap:/etc/postfix/ldap_relay_recipients.cf  
If the address exists and the search works, the information about the address will appear on the screen.
  1. Update the configuration of postfix:
/opt/kaspersky/klms-appliance/bin/update_postfix_config.sh

If the settings are correct, upon attempts to send a message to the user outside LDAP, you will get the error:

Non existing user:
Feb 26 17:53:50 adagsd postfix/smtpd[10029]: NOQUEUE: reject: RCPT from adagsd.test.local[::1]: 550 5.1.1 <test111111@test.mail.com>: Recipient address rejected: User unknown in relay recipient table; from=<root@adagsd.test.local> to=<test111111@test.mail.com> proto=ESMTP helo=<adagsd.test.local>

 
 
 
 

The settings will not function if Trusted Networks is used. For details, please see the Postfix website.

 
 
 
 
 
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.