How to configure SMTP verification using LDAPS in Kaspersky Secure Mail Gateway
The guide also applies when several LDAP servers are used. If the servers have different search_base values or different bind accounts, create a separate configuration file for each server and list all of the created files in the relay_recipient_maps parameter.
To enable SMTP verification using LDAPS:
- Open the console of the Kaspersky Secure Mail Gateway virtual machine or connect to it via SSH.
- Go to Technical Support Mode.
- Make a backup copy of the file /opt/kaspersky/klms-appliance/share/postfix/main.cf.template
- In the original file, find the relay_recipient_maps parameter
- Delete the following lines:
{%- endif %}
- Add the following line below:
- Make sure the file includes the following parameter:
smtpd_reject_unlisted_recipient = yes
- Save the file.
- Create the file /etc/postfix/ldap_relay_recipients.cf
- Fill it in following one of the examples below:
TLS (LDAPS) is supported; in that case every server URL must start with ldaps://. Note that by default Postfix does not verify the LDAP server's certificate: to verify it, also set tls_require_cert = yes and point tls_ca_cert_file (or tls_ca_cert_dir) at the CA that issued the server certificate. Without that, LDAPS encrypts the connection but does not authenticate the server.
- If you are using a single LDAP server:
    server_host = ldaps://192.168.0.1
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
- If you are using multiple LDAP servers:
    server_host = ldaps://192.168.0.1, ldaps://192.168.0.2
    timeout = 5
    server_port = 389
    search_base = DC=domain,DC=com
    query_filter = mail=%s
    result_attribute = mail
    bind = yes
    version = 3
    debuglevel = 0
    bind_dn = CN=admin,OU=tech,DC=domain,DC=com
  If the first LDAP server is unavailable, the application tries the second one.
  server_port is the plain-LDAP default and is not used for hosts given as ldaps:// URLs: the port is taken from the URL, and 636 is used when the URL specifies none. If your server listens on a non-standard LDAPS port, put it in the URL (for example ldaps://192.168.0.1:6636).
- If the directory allows anonymous access, the bind parameters (bind and bind_dn) can be omitted. If a bind is used, the account's password must be supplied in bind_pw as well; because the file then contains a credential, make it readable only by root and the postfix user (for example root:postfix, mode 0640) and use a dedicated read-only lookup account rather than an administrator.
- For a description of all parameters, see the ldap_table(5) manual page on the Postfix website.
- Check that users can be found by their email addresses:
- Apply the new Postfix configuration:
If the settings are correct, an attempt to send a message to a user who does not exist in LDAP is rejected with the following error:
Non-existing user:
    Feb 26 17:53:50 adagsd postfix/smtpd[10029]: NOQUEUE: reject: RCPT from adagsd.test.local[::1]: 550 5.1.1 <test111111@test.mail.com>: Recipient address rejected: User unknown in relay recipient table; from=<root@adagsd.test.local> to=<test111111@test.mail.com> proto=ESMTP helo=<adagsd.test.local>
These settings do not take effect for senders covered by Trusted Networks. For details, see the Postfix website.
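The shell helper below is an added example; it is not part of the Kaspersky article and not KSMG's own code. It writes the article's single-server table next to a hardened version of it, lints a table for the points raised above (plain or missing ldaps:// scheme, unverified server certificate, bind without bind_pw, world-readable file holding the password), and wraps the postmap lookup and postfix reload used to check and apply the change. The IP addresses and search base are the article's; the lookup account CN=ksmg-lookup, the bind password, the CA bundle path /etc/postfix/ldap-ca.pem and the explicit :636 ports are assumptions for illustration. tls_require_cert, tls_ca_cert_file and bind_pw are standard Postfix ldap_table parameters.

```shell
#!/bin/sh
# Added example (not from the Kaspersky article or KSMG). Placeholder
# values: the CN=ksmg-lookup account, its password and the CA bundle path
# are assumptions; replace them with your own.
set -u

# The article's single-server table, reproduced for comparison.
write_article_cf() {
    cat > "$1" <<'EOF'
server_host = ldaps://192.168.0.1
server_port = 389
search_base = DC=domain,DC=com
query_filter = mail=%s
result_attribute = mail
bind = yes
version = 3
debuglevel = 0
bind_dn = CN=admin,OU=tech,DC=domain,DC=com
EOF
}

# Hardened table: LDAPS port pinned in each URL (server_port is not used
# for URL hosts), server certificate verified against a CA bundle, a
# dedicated read-only lookup account with its password, and a file mode
# that hides that password from other local users (smtpd runs as postfix).
write_hardened_cf() {
    cat > "$1" <<'EOF'
server_host = ldaps://192.168.0.1:636 ldaps://192.168.0.2:636
timeout = 5
search_base = DC=domain,DC=com
query_filter = mail=%s
result_attribute = mail
version = 3
bind = yes
bind_dn = CN=ksmg-lookup,OU=tech,DC=domain,DC=com
bind_pw = placeholder-change-me
tls_require_cert = yes
tls_ca_cert_file = /etc/postfix/ldap-ca.pem
EOF
    chown root:postfix "$1" 2>/dev/null || true   # ignored when run unprivileged
    chmod 0640 "$1"
}

# Report the pitfalls a reviewer checks for. Prints one line per finding
# and returns the number of findings (0 = clean).
lint_ldap_cf() {
    f=$1
    n=0
    # every server_host entry must be an ldaps:// URL (comma-separated lists work too)
    for h in $(sed -n 's/^[[:space:]]*server_host[[:space:]]*=[[:space:]]*//p' "$f"); do
        case $h in
            ldaps://*) ;;
            *) echo "server_host '$h' is not an ldaps:// URL"; n=$((n + 1)) ;;
        esac
    done
    # without tls_require_cert = yes the LDAP library never checks the server certificate
    grep -Eq '^[[:space:]]*tls_require_cert[[:space:]]*=[[:space:]]*yes' "$f" ||
        { echo "tls_require_cert is not yes: server certificate is not verified"; n=$((n + 1)); }
    if grep -Eq '^[[:space:]]*bind[[:space:]]*=[[:space:]]*yes' "$f"; then
        grep -Eq '^[[:space:]]*bind_pw[[:space:]]*=' "$f" ||
            { echo "bind = yes without bind_pw"; n=$((n + 1)); }
        # column 8 of ls -l is the 'other' read bit
        [ "$(ls -ld "$f" | cut -c8)" = "-" ] ||
            { echo "$f is world-readable but holds bind_pw"; n=$((n + 1)); }
    fi
    return $n
}

# The article's check step: resolve one address through the table.
# Requires Postfix; prints the mail attribute on a hit, nothing on a miss.
verify_lookup() {
    postmap -q "$2" "ldap:$1"
}

# Apply the change after editing main.cf and the table.
apply_postfix() {
    postfix reload
}

# Demo (run with --demo): lint the article's table, then the hardened one.
case "${1-}" in
    --demo)
        t=$(mktemp)
        write_article_cf "$t"; chmod 0644 "$t"
        echo "article table:";  lint_ldap_cf "$t" || echo "$? finding(s)"
        write_hardened_cf "$t"
        echo "hardened table:"; lint_ldap_cf "$t" && echo "clean"
        rm -f "$t"
        ;;
esac
```

Run it with --demo to see the three findings against the article's table (no certificate verification, no bind_pw, world-readable file) and a clean result for the hardened one; then point verify_lookup at the real table, e.g. verify_lookup /etc/postfix/ldap_relay_recipients.cf user@domain.com, before calling apply_postfix.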