Ironport LDAP query to IBM Notes / Domino

Issue: You need to configure your Ironport to run LDAP queries against your IBM Lotus Domino environment for the purpose of checking if a recipient is valid.

Steps:
1) Open the Ironport LDAP Settings Profile.
The “Base DN” will be automatically populated with the hostname. However, the Base DN should be empty for “normal” Lotus Domino domains. In very large, complex environments the Base DN can be used to narrow the results returned by the LDAP query.

2) Configure the accept query, which will be used when scanning for the recipient's email address across Lotus ‘person’, ‘document’ and ‘group’ entries.
Query String: (|(mail={a})(uid={a})(mailaddress={a})(cn={a}))
Tips from Lotus Documentation:
– The Domino address book names.nsf should be set to ‘full index’ for better performance.
– Both Lotus Domino and the Ironport cache LDAP lookup results. To push up-to-date information to the Ironport, flush the Ironport LDAP cache and restart the Lotus Domino LDAP server task.

3) (optional) Configure the Group Query to check if the email address is a member of a Domino Group

Query to scan for email addresses in a group document:

(&(objectClass=dominoGroup)(cn={g})(member=*{u}))

Queries are only possible for complete email addresses, e.g. name@domain.com (the query is case sensitive); partial addresses are not supported.

Note: after talking to Lotus support, it sounds like the group query is not possible in this format, because a Lotus Group Document lists members by the user's canonical name (first last/ou/organization) and Domino has no way of matching an email address to that canonical name. The only way this would work is if the way people are named in Lotus happens to match the beginning of their email address, and you use {u} rather than {a} in the LDAP query so that only the first part of the email address is sent in the query.

I opted to leave “Group Query” unchecked in the Ironport LDAP settings; emails to groups are still received successfully.


4) Spam Quarantine End-User Authentication Query:

This will query the user's short name in Lotus:

(uid={u})

Edit Attribute(s): mail

“{a}” stands for the entire email address, e.g. test@contoso.com.

“{u}” is just the first portion of the email address, “test” in this case.
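As an added example that is not part of the original post, the following Python helper mimics the placeholder expansion IronPort performs on these query templates: it derives {u} from {a}, escapes every substituted value as required by RFC 4515 so a crafted recipient address cannot change the structure of the filter, and rejects partial addresses, which the post notes Domino cannot match. The names `expand_query`, `ldap_escape` and `is_complete_address` are the example's own, not IronPort or Domino APIs.

```python
# Query templates exactly as used in the post's IronPort LDAP profile.
ACCEPT_QUERY = "(|(mail={a})(uid={a})(mailaddress={a})(cn={a}))"
GROUP_QUERY = "(&(objectClass=dominoGroup)(cn={g})(member=*{u}))"
AUTH_QUERY = "(uid={u})"

# RFC 4515 filter escaping: these characters would otherwise let a value
# such as "x)(uid=*" close the attribute assertion and widen the search.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_complete_address(address: str) -> bool:
    """True only for local@domain; partial addresses cannot be queried."""
    local, sep, domain = address.rpartition("@")
    return bool(sep and local and domain)


def split_address(address: str) -> tuple[str, str]:
    """Return (local part, domain) or raise for a partial address."""
    if not is_complete_address(address):
        raise ValueError(f"not a complete email address: {address!r}")
    local, _, domain = address.rpartition("@")
    return local, domain


def expand_query(template: str, address: str, group: str = "") -> str:
    """Substitute {a}, {u} and {g} the way IronPort does, with escaping.

    {a} = the entire address, {u} = its local part, {g} = the group name.
    Case is preserved because Domino matches the address case-sensitively.
    """
    local, _ = split_address(address)
    return (template.replace("{a}", ldap_escape(address))
                    .replace("{u}", ldap_escape(local))
                    .replace("{g}", ldap_escape(group)))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real directory.
    print(expand_query(ACCEPT_QUERY, "test@contoso.com"))
    print(expand_query(AUTH_QUERY, "test@contoso.com"))
    print(expand_query(GROUP_QUERY, "test@contoso.com", "Sales"))
    print(expand_query(AUTH_QUERY, "x)(uid=*@contoso.com"))
```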

Additional Resources:
IBM/Lotus Documentation on Ironport LDAP Accept Query
https://www.dominoteam.de/dominoteam/webfaq.nsf/7ef85cbc26a570dd4125672f001b3e6b/6487815148abd2a8c12572cd007c87e9!OpenDocument

IBM/Lotus Documentation on LDAP Group Query w IronPort: https://dominoteam.de/dominoteam/webfaq.nsf/0/05973246EB0530B1C12572CD007D035E


One thought on “Ironport LDAP query to IBM Notes / Domino”

  1. Hervé

    Hello,

    The query I set up in my environment is this one (the previous ones do not work):
    (|(cn={a})(mail={a}))(&(dominoaccessgroups={g}))

    Regards.

    Hervé
