Case 1
Description:
The organization has a marketing server sending bulk email to internal and external users. External domains may change over time and are not managed by the IT team; internal domains are known and managed by the organization.
Requirements:
- internal users' email addresses must be verified via LDAP to confirm that they exist
- multiple external domains are used, and they may change frequently
Solution
Option 1
- Define an LDAP query to verify whether a particular email address exists in the LDAP database, in my case Active Directory
- Enable the query on the public listener
- Specify a mail flow policy if needed and assign individual settings (optional). What is important: the connection behaviour must be RELAY
- Add a new SENDER GROUP with the IP addresses of your newsletter servers and assign the mail flow policy
- Modify the Sender Group order, if needed, to catch mail traffic from the newsletter server and assign the appropriate mail flow policy
- Create an outgoing mail policy for the internal domains where you want to verify that the email address exists
Please note, we are checking the condition that the recipient address is in the domain @addura.eu and the email exists in the LDAP group VPNUsers. If not, the next outgoing policy is used.
- Configure security checks for that mail policy
- Create a new outgoing policy to drop all emails directed to internal domains where the email address does not exist in the LDAP DB.
- Create a content filter to delete all emails where the domain is @addura.eu.
This step is critical, because emails within the domain @addura.eu (those not defined in LDAP) will not hit ADDURA EU OUT but the default policy (or others), and those emails would be sent anyway. Of course, the MTA will bounce such a message with the information “recipient does not exist”, but it consumes time and resources.
- Specify a new outgoing mail policy for external domains or use the default policy.
Option 2
- Create an LDAP accept query in the LDAP Server Profile
- Create a new listener with a different IP and/or port and enable the LDAP accept query
- Under the new listener(!!!) create a sender group (or modify the existing one) and add the IPs of the marketing servers.
Be aware, we are working on the new public listener, created for the marketing servers only
- Delete the rest of the sender groups (not mandatory) and leave the last group, ALL
- Set a mail flow policy with connection behaviour REJECT on the sender group ALL
Please note, in case of other requirements you may modify the HAT to include additional servers
- Create an incoming mail policy for internal and external domains
- Create a RAT (Recipient Access Table) with appropriate actions:
for internal domains like addura.eu – ACCEPT
for external domains – ACCEPT (Bypass LDAP)
Please note, we are building the RAT for the secondary listener!!!
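Both options as a small model, an added example and not configuration exported from the appliance: it emulates the per-recipient evaluation order of Option 1 (including the fall-through to the default policy that the content filter closes) and the RAT decision of Option 2. The directory contents, the VPNUsers group DN and the accept-query string are constructed assumptions.

```python
from typing import Dict, List

INTERNAL_DOMAINS = {"addura.eu"}
GROUP_DN = "CN=VPNUsers,OU=Groups,DC=addura,DC=eu"   # constructed placeholder DN

# Constructed stand-in for the Active Directory: mail address -> group DNs
DIRECTORY: Dict[str, List[str]] = {
    "alice@addura.eu": [GROUP_DN],
    "bob@addura.eu": [],          # account exists but is not a VPNUsers member
}

# Accept query in the appliance's token syntax ({a} = full address, {u} = user
# part, {d} = domain); attribute names are the usual AD ones (assumption).
ACCEPT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"

def expand_query(template: str, address: str) -> str:
    """Substitute the {a}/{u}/{d} tokens the way the appliance does before querying."""
    user, _, domain = address.partition("@")
    return template.replace("{a}", address).replace("{u}", user).replace("{d}", domain)

def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()

def exists_in_ldap(address: str) -> bool:
    """Stand-in for the LDAP accept query (Option 2): does the mailbox exist?"""
    return address.lower() in DIRECTORY

def in_vpnusers(address: str) -> bool:
    """Stand-in for the group condition behind the ADDURA EU OUT policy (Option 1)."""
    return GROUP_DN in DIRECTORY.get(address.lower(), [])

def outgoing_policy(address: str, drop_filter_enabled: bool = True) -> str:
    """Option 1: which outgoing mail policy a recipient lands in, in evaluation order."""
    internal = domain_of(address) in INTERNAL_DOMAINS
    if internal and in_vpnusers(address):
        return "ADDURA EU OUT"              # verified internal recipient
    if internal and drop_filter_enabled:
        return "DROP"                       # content filter for @addura.eu leftovers
    return "DEFAULT"                        # external domains, or the fall-through

def rat_action(address: str) -> str:
    """Option 2: RAT decision on the marketing-only listener, taken at RCPT TO."""
    if domain_of(address) in INTERNAL_DOMAINS:
        # ACCEPT with the LDAP accept query enabled: unknown mailboxes are refused
        return "ACCEPT" if exists_in_ldap(address) else "REJECT"
    return "ACCEPT (Bypass LDAP)"
```

Running `outgoing_policy("ghost@addura.eu", drop_filter_enabled=False)` returns `DEFAULT`, which is exactly the leak the content filter step is there to prevent.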