Support

Support for Business Products

Kaspersky Secure Mail Gateway
Kaspersky Secure Mail Gateway
Knowledge Base Online Help
FAQ System requirements Download Forum Contact support Recovery tools Product videos
 
 

How to configure SMTP verification using LDAPS in Kaspersky Secure Mail Gateway

Latest update: March 06, 2023 ID: 12300
 
 

Get maximum benefit from Kaspersky solutions

 
 

The guide is applicable for cases when several LDAP servers are used. If the servers have different search_base or accounts, create a configuration file for each server. Add the created files to the relay_recipient_maps options.

 
 
 
 

To enable SMTP verification using LDAPS:

  1. Open the console of the Kaspersky Secure Mail Gateway virtual machine or connect to it via SSH.
  2. Go to Technical Support Mode.
  3. Copy the file /opt/kaspersky/klms-appliance/share/postfix/main.cf.template
  4. In the original file, find  relay_recipient_maps
  5. Delete the following lines:
{% if rejectRecipient == "unlisted" -%}
{%- endif %}
  1. Add the following line below:
relay_recipient_maps = ldap:$config_directory/ldap_relay_recipients.cf
  1. Make sure the file includes the following parameters:
smtpd_recipient_restrictions = reject_unlisted_recipient,  reject_non_fqdn_recipient,  reject_unknown_recipient_domain,  permit_mynetworks,  reject_unauth_destination,  reject_unverified_recipient
smtpd_reject_unlisted_recipient = yes
  1. Save the file.
Changing of the settings related to reject_unlisted_recipient will become unavailable after you save the file main.cf.template.
  1. Create a file /etc/postfix/ldap_relay_recipients.cf
  2. Fill it in according to the example:

SSL is supported. In this case, the link must start with ldaps:// 

  • If you are using a single LDAP server:
  • server_host = ldaps://192.168.0.1
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If you are using multiple LDAP servers:
  • server_host = ldaps://192.168.0.1, ldaps://192.168.0.2
    timeout = 5
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  • If the first LDAP server is unavailable, the application will try to access the second one.
  • bind parameters are optional, if anonymous access to LDAP is available. 
  • For description of all parameters, see the Postfix official website.
  1. Check if you can find users by their email addresses:
postmap -q test10@test.mail.com ldap:/etc/postfix/ldap_relay_recipients.cf  
If the address exists and the search works, the information about the address will appear on the screen.
  1. Update the configuration of postfix:
/opt/kaspersky/klms-appliance/bin/update_postfix_config.sh

If the settings are correct, upon attempts to send a message to the user outside LDAP, you will get the error:

Non existing user:
Feb 26 17:53:50 adagsd postfix/smtpd[10029]: NOQUEUE: reject: RCPT from adagsd.test.local[::1]: 550 5.1.1 <test111111@test.mail.com>: Recipient address rejected: User unknown in relay recipient table; from=<root@adagsd.test.local> to=<test111111@test.mail.com> proto=ESMTP helo=<adagsd.test.local>

 
 
 
 

The settings will not function if Trusted Networks is used. For details, please see the Postfix website.

 
 
 
 
 
 
 

Useful references

Description of all LDAP parameters on the Postfix website

 
 
Did you find what you were searching for?
Thank you for your feedback!