5 Replies Latest reply on Apr 10, 2014 12:17 PM by jmickley

    Multiple Active Directory Domains with Recipient Checks

    benorb

      We have an e-mail gateway configured at a single ingress point serving multiple sites. Each site runs a different domain.


      When configuring recipient checks we have found that the gateway does not iterate through all directory services configured when performing the "or if a recipient does not satisfy the query" step. As such, if a user is in a different domain, the recipient check fails because it only checks the domain controller configured. How can you set the query to be against all Directory Services?

        • 1. Re: Multiple Active Directory Domains with Recipient Checks
          wormnrifle

          I would be interested in the same answer.  I have set up Recipient Authentication, but it will only work for one domain and not both.

          • 2. Re: Multiple Active Directory Domains with Recipient Checks
            wormnrifle

            I called support today and was told that this basically can't be done unless you combine all your valid email addresses into one LDAP directory.  It was suggested that I submit an enhancement request.

            • 3. Re: Multiple Active Directory Domains with Recipient Checks
              jmickley

              This is not correct.  On the directory services page, create a primary directory server.  After that, add in as many secondaries as needed.  Then on the recipient auth page, select the primary.  It will also query the secondary servers tied to it if needed.


              Let me know if more assistance is needed.


              --Jake 

              • 4. Re: Multiple Active Directory Domains with Recipient Checks
                swanlee

                I have a similar setup that we have been using in Ironmail for years, which I was told today is not supported in MEG.

                We do not want each domain to query every server; we want certain domains to only query a particular group of domain controllers that is on a different AD forest. SMTP addresses in Forest A may not be in Forest B and vice versa. This type of validation is fairly easily configured in Ironmail.


                Basically we need this


                LDAP SMTP ProxyValidation

                DomainA ----->Looks at AD forest A for validation before processing inbound email and never tries to validate against forest B

                DomainB ------> Looks at AD forest B for validation before processing inbound email and never tries to validate against forest A


                Message was edited by: swanlee on 4/10/14 11:38:59 AM CDT
                • 5. Re: Multiple Active Directory Domains with Recipient Checks
                  jmickley

                  Unless i am greatly misunderstanding the situation here, it is entirely possible in MEG 7.


                  To configure this, go to Email > Group Management > Directory Services.  Click on "add server."  This will be what is known as the primary server.  Go through the configuration and confirm that all is good with the communication.  One thing to keep in mind is that on the directory service query page, you will want to take the checkmarks out of the boxes for "stop on result" for the list of groups and valid recipient rows, since you are going to want the query to run to the secondary server.  Once you are done setting up the primary LDAP server, highlight the line of the primary by clicking on it.  The "Add secondary server" button is now available.  Add the information for the secondary server.  It can be an entirely different AD if needed.  Add as many secondary servers as you want.  Once done, save the changes.


                  By default, MEG 7 will synchronize or "cache" the results.  This means it will query the AD servers according to the schedule you configure on the directory services page.  If you have multiple AD servers configured the way mentioned above, we get all the results from those servers and add them to a file correlating to the Primary AD server for the profile.  When you go to email configuration > receiving email > recipient authentication and select the Primary AD profile for use from the recipient checks section, the results of the secondary AD server will be included in this query.


                  Also, if you have domains that the gateway hosts for but you do not want to query AD for recipient auth, you can still use the method above.  This is done on the recipient authentication page by putting a checkmark in the box for "if the recipient is not in the following list" and adding *@domain.com as an entry.  This is used in parallel with "Or if the recipient does not satisfy the query."


                  Sorry if I rambled on and you don't quite follow.  But it can be done.  We have it configured like this in our lab and it works fine.


                  --Jake
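
The following is an added example, not code from the thread or from MEG itself: a small Python model of the recipient-check behaviour Jake describes in reply 5 (primary server plus secondaries, the "stop on result" flag, the cached recipient set, and the "*@domain.com" exemption list), extended with the per-forest routing swanlee asks for in reply 4 so the two approaches can be compared side by side. All server names, domains and address lists are constructed; no LDAP traffic is made. The `DirectoryServer`, `DirectoryProfile`, `recipient_accepted` and `per_forest_check` names are hypothetical and exist only to illustrate the logic, and the semantics of "stop on result" (halt the walk at the first server that returns anything) is an assumption drawn from Jake's advice to clear it.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class DirectoryServer:
    """One AD/LDAP server in a Directory Services profile (hypothetical model).

    `recipients` is a constructed stand-in for what the 'valid recipient'
    query would return from that server; nothing is queried over the network.
    """
    name: str
    recipients: set
    stop_on_result: bool = False  # the checkbox reply 5 says to clear


@dataclass
class DirectoryProfile:
    """A primary server plus the secondaries attached to it."""
    primary: DirectoryServer
    secondaries: list = field(default_factory=list)

    def synchronise(self):
        """Build the cached recipient set for this profile.

        Walks the primary and then each secondary in order and unions their
        results, which is the merge behaviour reply 5 describes. Assumption:
        if a server has 'stop on result' set and returned anything, the walk
        ends there, so users known only to later servers never enter the cache.
        """
        cache = set()
        for server in [self.primary, *self.secondaries]:
            result = {r.lower() for r in server.recipients}
            cache |= result
            if server.stop_on_result and result:
                break
        return cache


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def recipient_accepted(recipient, cache, exempt_patterns=()):
    """Recipient-authentication decision for one RCPT TO address.

    Mirrors the two checks reply 5 combines: an address matching an
    'if the recipient is not in the following list' entry such as
    '*@domain.com' passes without a directory lookup; everything else must
    be present in the synchronised cache ('or if the recipient does not
    satisfy the query').
    """
    rcpt = recipient.lower()
    if any(fnmatch(rcpt, pat.lower()) for pat in exempt_patterns):
        return True
    return rcpt in cache


def per_forest_check(recipient, profile_by_domain, exempt_patterns=()):
    """The variant swanlee asks for in reply 4 (not a MEG feature): each hosted
    domain is validated only against its own forest's profile, and a domain
    with no mapping is rejected unless it is exempt."""
    profile = profile_by_domain.get(domain_of(recipient))
    cache = profile.synchronise() if profile else set()
    return recipient_accepted(recipient, cache, exempt_patterns)


# Constructed sample directories, one per AD forest as in reply 4.
FOREST_A = DirectoryServer("dc.foresta.example",
                           {"alice@domaina.example", "bob@domaina.example"})
FOREST_B = DirectoryServer("dc.forestb.example", {"carol@domainb.example"})


def demo():
    """Compare the misconfigured, corrected and per-forest setups."""
    # Misconfiguration: 'stop on result' left on the primary, so forest B is
    # never consulted and carol (forest B only) is rejected.
    broken = DirectoryProfile(
        DirectoryServer(FOREST_A.name, FOREST_A.recipients, stop_on_result=True),
        [FOREST_B])
    # Fix from reply 5: clear the flag so the cache covers both forests.
    fixed = DirectoryProfile(FOREST_A, [FOREST_B])
    exempt = ["*@domainc.example"]  # hosted domain with no AD lookup
    routed = {"domaina.example": DirectoryProfile(FOREST_A),
              "domainb.example": DirectoryProfile(FOREST_B)}
    return {
        "carol_broken": recipient_accepted("carol@domainb.example", broken.synchronise()),
        "carol_fixed": recipient_accepted("carol@domainb.example", fixed.synchronise()),
        "dave_exempt": recipient_accepted("dave@domainc.example", fixed.synchronise(), exempt),
        "eve_unknown": recipient_accepted("eve@domaina.example", fixed.synchronise(), exempt),
        "alice_own_forest": per_forest_check("alice@domaina.example", routed),
        "alice_wrong_forest": per_forest_check("alice@domainb.example", routed),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The model makes the security-relevant point visible: with "stop on result" left set, the merged cache silently lacks every secondary forest's users, so legitimate mail is rejected at RCPT TO, while the exemption list is a wildcard match that bypasses the directory check entirely and should therefore be limited to domains you really do not want validated.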