AsyncOS 7.5 Securing Your Email II



  1. AsyncOS 7.5 Securing Your Email II, Module 1: Configuring LDAP Queries

  2. Course Objectives
  At the end of this course you will be able to:
  • Use LDAP lookups to control the flow of email
  • Use LDAP lookups to enforce user access policies
  • Configure message filters to redirect email
  • Configure TLS to encrypt email
  • Use DKIM and SPF to authenticate email

  3. Course Agenda
  • Module 1: Configuring LDAP Queries
  • Module 2: Configuring Message Filters
  • Module 3: Configuring Transport Layer Security (TLS)
  • Module 4: Authenticating Email
  • Appendix A: LDAP Routing & Masquerading (Optional)

  4. Module Objectives
  At the end of this module you will be able to:
  • Control incoming mail with LDAP Accept queries
  • Prevent directory harvest attacks
  • Correctly apply LDAP features for a directory scenario
  • Control outgoing mail with Group queries

  5. Module Map
  • LDAP Overview
  • Query Tokens & Operators
  • Configuring an LDAP Profile
  • Lab 1.1: Configuring LDAP Accept
  • Configuring SMTP Call-Ahead
  • Lab 1.2: Configuring SMTP Call-Ahead
  • University Case Study
  • Lab 1.3: Accommodating Multiple Domains
  • Using LDAP Group Queries
  • Lab 1.4: Controlling Mail Policies with LDAP Group Queries

  6. LDAP Overview
  Lightweight Directory Access Protocol:
  • Based on the X.500 standard, but significantly simpler
  • More readily adapted to meet custom needs
  • Unlike X.500 DAP, LDAP runs over TCP/IP, which is necessary for Internet access
  • The core LDAP specifications are defined in RFCs
  LDAP can:
  • Provide data to clients
  • Search data with filters
  • Return specific attributes from an object
  • Be customized: the schema and tree layout differ from one deployment to the next

  7. Attributes of LDAP Directories
  • Formal implementations: Microsoft Exchange (5.5 and earlier; later versions use Active Directory), Microsoft Active Directory, Lotus Notes (Domino), open source (OpenLDAP, tinyldap, etc.), Sun (part of SunONE), Netscape Directory Server, Novell eDirectory (formerly NDS)
  • A hierarchical, object-oriented database: a repository of information that provides a single point of data management. LDAP directories are heavily optimized for read performance; LDAP is not a relational database
  • Standardized access protocol: the directory can be accessed from nearly all platforms, applications don't need to know the details of the back-end directory implementation, and client access is free
  • Best used for information that must be available from many locations and to which updates are infrequent: whitepages/contact information, email routing information, configuration for distributed software, public certificates and keys, photos

  8. LDAP Uses a Hierarchical Namespace
  [Figure: directory information tree for Example Corp]
  • Root or base DN (Distinguished Name): o=Example Corp
  • Organizational units below it: Customer Support, Sales; Sales contains the sub-units West Coast and Midwest
  • Leaf entries (people): Alice Peters, Ted James, Carol Watkins, Bob Smith
  • Bob Smith's DN: cn=Bob Smith,ou=West Coast,ou=Sales,o=Example Corp
  • Internet standard, runs over TCP/IP
  • Directory Information Tree (DIT) structure
  • RFC standards: LDAPv2 RFC 1777; LDAPv3 RFC 2251 (since superseded by the RFC 4510 series)
  • The tree structure is arbitrary and customer-specific.

  9. Using LDAP to Check Recipients
  [Figure: the IncomingMail listener on the C-Series appliance, the LDAP server queried through profile LDAP_Svr1.accept, and the Exchange server behind it (abuse@exchange.alpha.com)]
  1. Verify the receiving domain in the RAT
  2. Search the LDAP directory from the base DN for the recipient email address
  3. Return an accept or reject to the sending domain
  • Query template: (mail={a}). For "RCPT TO: abuse@alpha.com" the appliance sends (mail=abuse@alpha.com); the directory returns 1 result, so the recipient is accepted. A recipient with no result (e.g. sam@alpha.com if that entry does not exist) is rejected in the SMTP conversation.

  10. LDAP and the Pipeline
  [Figure: where LDAP queries act in the AsyncOS email pipeline]
  Receiving the message (SMTP conversation):
  • Host Access Table (HAT): Sender Groups, Mail Flow Policies, host and envelope DNS verification, Sender Verification Exceptions
  • Received Header, Default Domain, Domain Map
  • Recipient Access Table (RAT), Alias Tables
  • LDAP Recipient Acceptance (SMTP-time), driven by the Accept query
  • SMTP Call-Ahead
  Work Queue:
  • LDAP Recipient Acceptance (work-queue time), driven by the Accept query
  • Masquerading or LDAP Masquerading
  • LDAP Routing
  • Message Filters
  • Per-Policy Scanning (Anti-Spam, Anti-Virus, Content Filters, Outbreak Filters, DLP for outgoing mail only), with the Group query selecting the policy
  Delivering the message:
  • Virtual Gateways, Delivery Limits, Domain-based Limits, Domain-based Routing, Global Unsubscribe, Bounce Profiles, SMTP Client

  12. Using Query Tokens & Operators
  • {a}  Substitute the full recipient address, username@domain.com
  • {u}  Substitute the username (local part) only
  • {d}  Substitute the domain name only
  • {g}  Supply and match a group name, e.g. "HR Team"
  • {f}  Substitute the envelope sender, username@domain
  • |    Perform a logical OR of the evaluations that follow: (|(evaluation)(evaluation)(evaluation...))
  • &    Perform a logical AND of the evaluations that follow: (&(evaluation)(evaluation)(evaluation...))

  13. Running the Active Directory Wizard System Administration > LDAP

  14. Configuring AD and Other LDAP Profiles
  • Verify connectivity from the CLI: nslookup ldap_server_host, then telnet host 3268 (the Active Directory Global Catalog port) or 389 (the standard LDAP port)
  • Create a new server profile: System Administration > LDAP > Add LDAP Server Profile
  • Create the LDAP Accept query and test it
  • Apply the query to the IncomingMail listener: Network > Listeners > IncomingMail > LDAP Queries > Accept
  • Verify operation with the CLI trace command, or telnet ironport.domain.com 25 and issue RCPT TO:<user@domain.com> to see whether the recipient is accepted or rejected

  15. Configuring the LDAP Server Profile Supports • Active Directory • Lotus Notes • Open LDAP • SunOne • Others

  16. Configuring the LDAP Server Profile (cont.) System Administration > LDAP. Test Query: initiates a query to the LDAP server with the query string and shows the search results. No impact on production mail.

  17. Completing Server Setup Submit and Commit your changes to see a reminder

  18. Enabling the Accept Query on a Listener
  • Network > Listeners > IncomingMail > LDAP Queries
  • Select your (tested) Accept query from the pull-down list
  • Choose whether to "Allow Mail in" if the LDAP server is unreachable. Allowing mail in keeps a directory outage from rejecting legitimate recipients, but it also suspends recipient validation for as long as the directory is down; rejecting instead fails closed.

  19. DHAP: Preventing Harvest Attacks
  • Problem: a university mail admin wants to prevent attackers from discovering valid usernames
  • Harvesters run dictionary attacks or try common usernames to work out which recipients are rejected in the SMTP conversation or bounced, then sell the list of good addresses that pass LDAP Accept validation
  • Solution: Mail Policies > Mail Flow Policies > Default Policy Parameters, set Max. Invalid Recipients per Hour to 5
  • Once a sending host exceeds the threshold, further recipients from it get the configured DHAP reply rather than a per-address verdict, so the reply pattern no longer tells the harvester which addresses exist
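The following is an added example, not code from the course or the appliance: a simplified model of the DHAP counter described above. It keeps a sliding one-hour window of invalid RCPT TO commands per sending IP; up to the limit each unknown address is refused individually, and once the limit is exceeded every recipient from that IP, valid or not, gets the same refusal and the connection is flagged for dropping. The recipient list, IP addresses, timestamps and reply texts are constructed; the real appliance exposes the reply code and text, and the drop-connection behaviour, as separate settings.

```python
"""Simplified model of Directory Harvest Attack Prevention (DHAP): count invalid
RCPT TO commands per sending IP in a sliding one-hour window and refuse every
further recipient from that IP once the limit is exceeded.
Added example with constructed data; not the appliance's implementation."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600
VALID_RECIPIENTS = {"sam@alpha.com", "abuse@alpha.com"}  # stand-in for the LDAP Accept query


class DhapGuard:
    def __init__(self, max_invalid_per_hour=5):
        self.limit = max_invalid_per_hour
        self.invalid = defaultdict(deque)  # sender IP -> timestamps of invalid RCPT TOs

    def _prune(self, ip, now):
        """Drop timestamps that have aged out of the one-hour window."""
        q = self.invalid[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def rcpt_to(self, ip, rcpt, now):
        """Decide one RCPT TO. Returns (smtp_reply, drop_connection)."""
        q = self._prune(ip, now)
        if len(q) > self.limit:
            # Harvest mode: hide even valid addresses so the reply pattern leaks nothing.
            return ("550 Too many invalid recipients", True)
        if rcpt.lower() in VALID_RECIPIENTS:
            return ("250 OK", False)
        q.append(now)
        if len(q) > self.limit:
            return ("550 Too many invalid recipients", True)
        return ("550 No such user", False)


def simulate_harvest(guard, ip, start, count):
    """Replay a dictionary run of `count` unknown recipients from one IP, one per second."""
    return [guard.rcpt_to(ip, "user%d@alpha.com" % i, start + i) for i in range(count)]


if __name__ == "__main__":
    g = DhapGuard(max_invalid_per_hour=5)
    for reply in simulate_harvest(g, "203.0.113.9", 0, 8):
        print(reply)
    print(g.rcpt_to("203.0.113.9", "sam@alpha.com", 10))    # real user, still refused
    print(g.rcpt_to("203.0.113.9", "sam@alpha.com", 3700))  # window expired, accepted again
```

The check worth noting is the first branch of rcpt_to: a valid recipient is refused while the sender is over the limit. If valid addresses kept getting 250 during the attack, the harvester would still learn them; the counter only protects the directory if it changes the answer for every address.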

  21. Lab 1.1: Defending Against Invalid Recipient Addresses with LDAP Accept
  1. Configure an LDAP profile for LDAP acceptance
  2. Apply it to your IncomingMail listener
  3. Test
  [Figure: the outside.com sender (.200) delivers to the appliance, which asks the ad.wsa.train LDAP server (.210) whether the recipient exists ("OK?" / "Yea, OK.") before handing mail to the Exchange and Notes servers]

  23. SMTP Call-Ahead
  SMTP Call-Ahead is used to verify legitimate recipient addresses in hosted customers' domains without accessing their LDAP directory.
  [Figure: a hosted email service sitting between the Internet mail domains and two hosted customers]

  24. Order of Recipient Validation
  • RAT
  • LDAP Accept (if configured)
  • SMTP Call-Ahead (if configured)

  25. SMTP Call-Ahead
  • SMTP Call-Ahead profile types:
  • Static Servers profile: a static list of call-ahead servers (round-robin distribution); useful for a single hosted domain
  • Delivery Host profile: dynamic lookup of the next call-ahead server; useful for multiple hosted domains. The delivery host for the recipient is identified using an LDAP Routing query or SMTP Routes
  • A profile can be assigned to public listeners
  • Can be bypassed for individual RAT entries
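As an added example (not code from the course or the appliance), the validation order of slide 24 and the call-ahead conversation of slide 25 in runnable form. A small in-process SMTP responder plays the hosted customer's mail server; the appliance side opens a throwaway session to it, sends EHLO, MAIL FROM:<>, RCPT TO and RSET, and treats the RCPT reply code as the verdict without ever sending DATA. The RAT entries, the directory contents, the host names and the choice of a null sender for the probe are constructed assumptions; the per-domain flags stand in for "Bypass LDAP Accept" and for a call-ahead profile assigned to the listener.

```python
"""Recipient validation in the order RAT -> LDAP Accept -> SMTP Call-Ahead, with a
real SMTP call-ahead dialogue against a tiny in-process server standing in for the
hosted customer's mail server. Added example with constructed data."""
import smtplib
import socket
import threading

# Constructed RAT: which checks apply to each accepted domain.
RAT = {
    "alpha.com":        {"ldap_accept": True,  "call_ahead": False},
    "col2.edu":         {"ldap_accept": False, "call_ahead": False},  # "Bypass LDAP Accept"
    "notes.inside.com": {"ldap_accept": False, "call_ahead": True},   # hosted domain
}
LDAP_DIRECTORY = {"sam@alpha.com", "abuse@alpha.com"}  # stand-in for the LDAP Accept query


def start_call_ahead_target(valid_recipients):
    """Start a minimal SMTP responder on 127.0.0.1 and return its port.
    It answers RCPT TO with 250 for known users and 550 otherwise."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    valid = {r.lower() for r in valid_recipients}

    def handle(conn):
        f = conn.makefile("rwb")

        def send(line):
            f.write((line + "\r\n").encode())
            f.flush()

        send("220 notes.inside.com ESMTP")
        while True:
            raw = f.readline()
            if not raw:
                break
            cmd = raw.decode(errors="replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                send("250 notes.inside.com")
            elif verb == "MAIL":
                send("250 2.1.0 OK")
            elif verb == "RCPT":
                addr = cmd.partition(":")[2].strip().strip("<>").lower()
                send("250 2.1.5 OK" if addr in valid else "550 5.1.1 User unknown")
            elif verb == "RSET":
                send("250 2.0.0 OK")
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("500 5.5.1 Command unrecognized")
        conn.close()

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def call_ahead(host, port, rcpt):
    """Probe the delivery host for one recipient: EHLO, MAIL FROM:<>, RCPT TO, RSET, QUIT.
    No DATA is ever sent; the RCPT reply code is the verdict."""
    with smtplib.SMTP(host, port, local_hostname="esa.alpha.com", timeout=5) as s:
        s.ehlo()
        s.mail("<>")              # null sender: a verification probe, not a message
        code, _ = s.rcpt(rcpt)
        s.rset()                  # abandon the envelope before QUIT
    return code == 250


def validate_recipient(rcpt, call_ahead_port):
    """Return (accepted, stage) where stage names the check that decided."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    entry = RAT.get(domain)
    if entry is None:
        return (False, "RAT")                        # domain not accepted at all
    if entry["ldap_accept"] and rcpt.lower() not in LDAP_DIRECTORY:
        return (False, "LDAP Accept")
    if entry["call_ahead"]:
        return (call_ahead("127.0.0.1", call_ahead_port, rcpt), "SMTP Call-Ahead")
    return (True, "LDAP Accept" if entry["ldap_accept"] else "RAT")


if __name__ == "__main__":
    port = start_call_ahead_target({"alice@notes.inside.com"})
    for r in ("alice@notes.inside.com", "bob@notes.inside.com", "sam@alpha.com",
              "nobody@alpha.com", "anyone@col2.edu", "x@unknown.example"):
        print(r, validate_recipient(r, port))
```

Two things the dialogue makes visible: the probe never reaches DATA, so a call-ahead cannot deliver anything, and the verdict for a hosted domain is exactly as good as the downstream server's RCPT replies. A downstream MTA that accepts every recipient (a catch-all, or one that defers 4xx) turns call-ahead into a no-op, which is why the profile is assigned per domain rather than globally.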

  26. SMTP Call-Ahead Configuration Network -> SMTP Call-Ahead

  27. SMTP Call-Ahead LDAP-Routing Query: System Administration > LDAP > Routing Query

  28. Assign Call-Ahead Profile to Listener

  29. Testing from the CLI: callaheadconfig > test

  30. Lab 1.2: Configuring SMTP Call-Ahead
  [Figure: ESA-Alpha hosts the domain alpha.com (exchange.alpha.com, notes.alpha.com) on Data 1 (192.168.10.x), with the network from the last lab (exchange.inside.com, notes.inside.com, ad.wsa.train) behind Data 2 (172.20.0.x) and outside.com as the sender. A message To: alice@notes.inside.com arrives; the call-ahead profile looks up the delivery host for notes.inside.com, sends "rcpt to: alice@notes.inside.com" and receives "250 recipient <alice@notes.inside.com> OK", so the recipient is accepted.]

  32. University Case Study (ABC University)
  1. Single LDAP directory: joe@abc.edu, joe@col1.edu and joe@col2.edu are all in one directory serving col1.edu and col2.edu
  2. Single LDAP directory, not including College 2: joe@abc.edu and joe@col1.edu are in the directory; no LDAP at College 2 (col2.edu)
  3. Two directories, different domains: LDAP 1 holds joe@abc.edu and joe@col1.edu (col1.edu); LDAP 2 holds joe@abc.edu and joe@col2.edu (col2.edu)
  4. Three directories with dissimilar attributes: as in scenario 3, but a College 2 user may be in either of two directories that store the address under different attributes, so which one holds joe@col2.edu is unknown in advance

  33. ABC University: Single Directory
  • Scenario 1: ABC University has 2 small colleges (col1.edu, col2.edu) and one shared directory for all, queried from ironport.abc.edu through profile LDAP_Svr1.accept
  • Query: (mailLocalAddress={a})
  • Base DN: o=All
  • Bind user: uid=ldap,ou=apps,dc=abc,dc=edu
  • Use a dedicated bind account with read-only rights to the attributes the queries need; the appliance stores its password, and the account should not be able to change the directory

  34. Accommodating Domains Not in the Directory
  • Scenario 2: College 2 has no directory
  • Options: create a new listener for col2.edu and point their MX to it, or use the Bypass LDAP option in the RAT to bypass LDAP checks for col2.edu while LDAP_Svr1.accept stays on the shared listener

  35. Accommodating Multiple Directories
  • Scenario 3: College 2 has its own LDAP directory (joe@abc.edu, joe@col2.edu), not synced, replicated or trusted by ABC's directory (joe@abc.edu, joe@col1.edu)
  • Options: create a new listener for col2.edu and point their MX to it, or use Domain Assignments

  36. Option A: Separate Listeners
  Scenario 3, Option A: College 2 on a separate listener. ironport.abc.edu runs esa-listener1.abc.edu with LDAP_Svr1.accept and esa-listener2.abc.edu with LDAP_Svr2.accept; the two directories are not synchronized.

  37. Option B: Single Listener with Domain Assignments
  Scenario 3, Option B: using a Domain Assignment (DA) for College 2. The one shared listener (esa-listener1.abc.edu on ironport.abc.edu) is reconfigured to use the new Accept DA instead of the original LDAP Accept query; the DA dispatches each recipient to LDAP_Svr1.accept or LDAP_Svr2.accept by domain.

  38. Configuring Domain Assignments
  • Configure an LDAP profile and Accept query for the College 2 LDAP server
  • In the server profile, click the Advanced down-arrow
  • Choose a name for this Domain Assignment (DA), e.g. OurDomains, and a Query Type: Accept, Group, Routing or Masquerade
  • Enter the domain (or .domain) that this directory supports; e.g. if rcpt = test@col2.edu, use the predefined Accept query for College 2
  • Add Row to add additional domains serviced by the same or different queries (not shown), or use the Default Domain query to catch all other domains; e.g. if rcpt = test@anything.else, try the original Accept query
  • Convenient for directories that can service multiple domains; makes exceptions of the domains listed above

  39. Accommodating Multiple Directories in One Domain
  Scenario 4: College 2 uses different attributes to store similar (or the same) values in two directories, reached from esa-listener1.abc.edu on ironport.abc.edu as LDAP_Svr2.accept (Exchange) and LDAP_Svr3.accept (Notes). The appliance should query Exchange first and, if that fails, query Notes. [Figure: joe@abc.edu and joe@col1.edu in LDAP 1; joe@abc.edu and joe@col2.edu in LDAP 2, with the College 2 user's location marked "?"]

  40. Configuring Daisy Chains
  • In the server profile, click the Advanced down-arrow
  • Choose a name for this Daisy Chain (DC), e.g. TryList1, and a Type: Accept, Group, Routing, Masquerade or SMTP Auth
  • Choose the first profile to try from the pull-down list of existing Accept queries or Domain Assignments (does test@col2.edu pass with this query?)
  • Hit Add Row to choose which query should be tried next if it does not

  41. Review: What to Configure If...
  Not all users are in the directory:
  • Use LDAP Accept on the listener, validating most users
  • Add non-directory-enabled users to the RAT with "Bypass LDAP Accept Queries for this Recipient"
  Not all domains are in the directory:
  • Create separate MX records and a listener for the non-LDAP domains, or
  • Add the domains to the RAT with "Bypass LDAP Accept Queries for this Recipient"
  Different domains are in different directories, single IncomingMail listener:
  • Add server profiles plus Accept queries for each directory, then add Domain Assignments for each domain
  No way to know which directory a user is in:
  • Daisy Chain your queries until one succeeds
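As an added example (not the course's or the appliance's code), the dispatch logic of slides 38 to 41 modelled over three constructed directories: a Domain Assignment picks a query by recipient domain with a default for everything else, and a Daisy Chain tries queries in order until one finds the recipient. The directory contents, profile names and attribute choices (mailLocalAddress for the shared directory, proxyAddresses for College 2's Exchange, mail for College 2's Notes) are assumptions, as is the rule that a leading-dot entry such as ".col2.edu" matches the domain and its subdomains; each query here handles only a single (attribute=value) template.

```python
"""Domain Assignments and Daisy Chains as a dispatcher over several Accept queries.
Added example with constructed directories; the appliance's own matching is not reproduced."""
import re

# Constructed directories: each entry is {attribute: [values]}.
LDAP_SVR1 = [  # ABC / College 1 shared directory, addresses in mailLocalAddress
    {"mailLocalAddress": ["joe@abc.edu", "joe@col1.edu"]},
    {"mailLocalAddress": ["ann@abc.edu"]},
]
LDAP_SVR2 = [  # College 2 Exchange, addresses in proxyAddresses
    {"proxyAddresses": ["SMTP:joe@col2.edu", "smtp:joe.bloggs@col2.edu"]},
]
LDAP_SVR3 = [  # College 2 Notes, addresses in mail
    {"mail": ["kim@col2.edu"]},
]


def accept_query(directory, template):
    """Build a query callable from a one-term template such as (mail={a}).
    Supports the {a}, {u} and {d} tokens; values compare case-insensitively."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", template)
    if not m:
        raise ValueError("only (attribute=value) templates are supported")
    attr, pattern = m.groups()

    def query(rcpt):
        user, _, domain = rcpt.partition("@")
        value = pattern.replace("{a}", rcpt).replace("{u}", user).replace("{d}", domain).lower()
        return any(value in (v.lower() for v in e.get(attr, [])) for e in directory)
    return query


def daisy_chain(*queries):
    """Try queries in order; the first that finds the recipient wins."""
    def query(rcpt):
        return any(q(rcpt) for q in queries)
    return query


class DomainAssignment:
    """Map a recipient's domain to a query. 'x.edu' matches exactly;
    '.x.edu' matches x.edu and any subdomain (assumed rule for the dot form)."""

    def __init__(self, mapping, default):
        self.mapping = mapping
        self.default = default

    def query_for(self, domain):
        domain = domain.lower()
        for pattern, q in self.mapping.items():
            p = pattern.lower()
            if p.startswith("."):
                if domain == p[1:] or domain.endswith(p):
                    return q
            elif domain == p:
                return q
        return self.default

    def __call__(self, rcpt):
        return self.query_for(rcpt.rpartition("@")[2])(rcpt)


SVR1 = accept_query(LDAP_SVR1, "(mailLocalAddress={a})")
SVR2 = accept_query(LDAP_SVR2, "(proxyAddresses=smtp:{a})")
SVR3 = accept_query(LDAP_SVR3, "(mail={a})")
TRYLIST1 = daisy_chain(SVR2, SVR3)  # Exchange first, then Notes (scenario 4)
OUR_DOMAINS = DomainAssignment({".col2.edu": TRYLIST1, "col1.edu": SVR1}, default=SVR1)

if __name__ == "__main__":
    for r in ("joe@col1.edu", "joe@abc.edu", "joe@col2.edu", "kim@col2.edu", "zed@col2.edu"):
        print(r, OUR_DOMAINS(r))
```

Because the Daisy Chain stops at the first hit, a recipient that exists only in the second directory costs two lookups and an unknown recipient costs one per link; an attacker running a harvest against a chained domain therefore loads every directory in the chain, which is one more reason to keep the DHAP limit in front of it.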

  43. Lab 1.3: Accommodating Multiple Domains Using LDAP Accept Bypass & Domain Assignments
  [Figure: lab topology with the outside.com sender (.200), the appliance hosting the <teamname>.com domain, Exchange.com, Notes.net (alice@notes.alpha.net), the AD.WSA.TRAIN LDAP server (.210) and ldap2.<teamname>.net; the lab combines an Accept Bypass with multiple LDAP domains on one listener]

  45. Using LDAP Group Queries
  LDAP Group Queries are used to apply mail policies to recipients who are members of a group. [Figure: on the LDAP server, Sam and Joe are members of the Accounting group and Lisa is not; incoming mail from the Internet for Sam and Joe gets the Accounting policies (footer stamping), and a separate Quarantine_Execs policy is keyed to another group]

  47. Using Group Queries for Routing
  Mail to recipients in Perth, Australia needs to be redirected to the Perth Exchange server. [Figure: N.Y. headquarters with Exch-NYC.company.com; the LDAP server lists Jan in the HQ group and Joe in the Perth group, so Joe's mail from the Internet is delivered to Exch-perth.company.com]

  48. Configuring LDAP Group Queries: the Second Query to Configure After Accept Queries
  • Used by the Email Security Manager (ESM) to determine which inbound mail policies apply to a recipient
  • Used by message and content filters (rcpt-to-group, mail-from-group)
  • Used for mail routing in Exchange environments without custom attributes
  • Example query: (&(memberOf={g})(proxyAddresses=smtp:{a})). AsyncOS substitutes the group name from its configuration, e.g. cn=Staff,cn=Users,dc=col2,dc=edu, so the query passes only if the recipient entry is found (the Accept part) AND the value in its memberOf attribute matches the substituted group name.
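The block below is an added example, not code from the course or the appliance, and it serves both the token table of slide 12 and the group query of this slide. It substitutes {a}, {u}, {d}, {f} and {g} into a query template with RFC 4515 escaping, parses the resulting filter (equality, presence, &, |, !) and evaluates it against a small in-memory, AD-style directory; policy_for then does what the ESM does with a group query, picking the first mail policy whose group matches. The entries, group DNs, policy names and the case-insensitive comparison of values are constructed assumptions. The escaping is the point to notice: substituting envelope data verbatim would let a recipient of "*" turn (mail={a}) into (mail=*), which matches every entry.

```python
"""Query tokens and an LDAP Group Query evaluated against an in-memory directory.
Added example with constructed entries; the appliance's query engine is not reproduced."""
import re

GROUP_ACCOUNTING = "CN=Accounting,CN=Users,DC=alpha,DC=com"
GROUP_EXECS = "CN=Execs,CN=Users,DC=alpha,DC=com"
# Constructed AD-style entries; attribute names stored lowercase, values as lists.
DIRECTORY = [
    {"dn": "CN=Sam,CN=Users,DC=alpha,DC=com", "mail": ["sam@alpha.com"],
     "proxyaddresses": ["SMTP:sam@alpha.com", "smtp:sam.smith@alpha.com"],
     "memberof": [GROUP_ACCOUNTING]},
    {"dn": "CN=Joe,CN=Users,DC=alpha,DC=com", "mail": ["joe@alpha.com"],
     "proxyaddresses": ["SMTP:joe@alpha.com"], "memberof": [GROUP_ACCOUNTING, GROUP_EXECS]},
    {"dn": "CN=Lisa,CN=Users,DC=alpha,DC=com", "mail": ["lisa@alpha.com"],
     "proxyaddresses": ["SMTP:lisa@alpha.com"], "memberof": []},
]


def escape(value):
    """RFC 4515 escaping so envelope data can never inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def substitute(template, rcpt="", sender="", group=""):
    """Fill {a} {u} {d} {f} {g} with escaped values."""
    user, _, domain = rcpt.partition("@")
    for tok, val in {"{a}": rcpt, "{u}": user, "{d}": domain, "{f}": sender, "{g}": group}.items():
        template = template.replace(tok, escape(val))
    return template


def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    op = s[i + 1]
    if op in "&|":
        i += 2
        kids = []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if op == "!":
        node, i = parse(s, i + 2)
        return ("!", [node]), i + 1
    j = s.index(")", i)                       # ')' inside values is always escaped
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":
        return bool(values)                   # presence test
    return unescape(value).lower() in values  # case-insensitive equality


def search(filter_string):
    """Return the DNs of entries matching the filter."""
    node, end = parse(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing data in filter")
    return [e["dn"] for e in DIRECTORY if matches(node, e)]


ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"
GROUP_QUERY = "(&(memberOf={g})(proxyAddresses=smtp:{a}))"
POLICIES = [("Quarantine_Execs", GROUP_EXECS), ("Accounting", GROUP_ACCOUNTING)]


def policy_for(rcpt):
    """First mail policy whose group query matches the recipient, else Default."""
    for name, group_dn in POLICIES:
        if search(substitute(GROUP_QUERY, rcpt=rcpt, group=group_dn)):
            return name
    return "Default"


if __name__ == "__main__":
    print(substitute(GROUP_QUERY, rcpt="sam@alpha.com", group=GROUP_ACCOUNTING))
    print(search("(mail=*)"), search(substitute("(mail={a})", rcpt="*")))
    for r in ("sam@alpha.com", "joe@alpha.com", "lisa@alpha.com"):
        print(r, policy_for(r))
```

Policy order matters in the same way the ESM's policy table does: Joe is in both groups and lands in Quarantine_Execs only because that policy is listed first.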

  49. Using Group Queries for Routing
  Joe is memberOf group Perth, Jan is memberOf group NYC. The Perth server's object in the Exchange configuration naming context: CN=Microsoft MTA,CN=PERTH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Second Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • Option A: ESM group-based policies plus a content filter
  • Option B: an incoming content filter

  50. Lab 1.4: Controlling Mail Policies with LDAP Group Queries
  Configure LDAP policies using Group queries. [Figure: a message From: alan@exchange.alpha.com arrives from outside.com (.200); the appliance asks the ad.wsa.train LDAP server (.210) "Address? Group?" and learns that Alan is a member of Finance, so the Finance Department footer is applied before delivery to the Exchange and Notes servers]
