Issue: You need to configure your Ironport to run LDAP queries against your IBM Lotus Domino environment for the purpose of checking if a recipient is valid.
Steps:
1) Open the Ironport LDAP Settings Profile
The “Base DN” will be automatically populated with the hostname. However, the Base DN should be empty for “normal” Lotus Domino domains. In very large, complex environments the Base DN can be used to help reduce the results from the LDAP query.
2) Configure the accept query, which will be used when scanning for the recipient's email address across Lotus ‘person’, ‘document’ and ‘groups’.
Query String: (|(mail={a})(uid={a})(mailaddress={a})(cn={a}))
Tips from Lotus Documentation:
– The Domino address book names.nsf should be set to ‘full index’ for better performance.
– Both Lotus Domino and the Ironport cache LDAP lookup results. To push up-to-date information to the Ironport, flush the Ironport LDAP cache and restart the Lotus Domino LDAP server task.
Query to scan for email addresses in group document:
(&(objectClass=dominoGroup)(cn={g})(member=*{u}))
Note: after talking to Lotus support, it sounds like the group query is not possible with this format because the Lotus Group Document is by the user's canonical name (first last/ou/organization) and it has no way of matching an email address to the canonical name. The only way this would work is if the way you have people named in Lotus happens to match the beginning of their email address and you used {u} rather than {a} in the LDAP query so that only the first part of their email address is sent in the query.
I opted to leave “Group Query” unchecked in the Ironport LDAP settings; emails to groups are still received successfully.
4) Spam Quarantine End-User Authentication Query:
This will query the user's shortname in Lotus:
(uid={u})
Edit Attribute(s): mail
“a” stands for the entire email address, e.g. test@contoso.com.
“u” is just the first portion of the email address, “test” in this case.
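To check the queries above against Domino before entering them in the Ironport, the tokens can be expanded by hand and run with a standard LDAP client. The following is an added example, not part of the original post or of any Ironport tooling: it fills in {a}, {u} and {g} as described above and builds an OpenLDAP ldapsearch command with an empty Base DN. The host ldap://domino.example.com, the group name and the use of an anonymous simple bind (-x) are assumptions; values are RFC 4515-escaped so the test filter stays well-formed.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Query strings copied from the page.
ACCEPT_QUERY = "(|(mail={a})(uid={a})(mailaddress={a})(cn={a}))"
GROUP_QUERY = "(&(objectClass=dominoGroup)(cn={g})(member=*{u}))"
QUARANTINE_AUTH_QUERY = "(uid={u})"


def escape_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def expand_query(template, address, group=""):
    """Fill in {a} (full address), {u} (local part) and {g} (group name)."""
    local, at, domain = address.rpartition("@")
    if not (local and at and domain):
        raise ValueError("expected an address of the form user@domain")
    tokens = {"a": address, "u": local, "g": group}
    # A function replacement is inserted literally, so the backslashes
    # produced by escape_value() are not reinterpreted by re.sub().
    return re.sub(r"\{([aug])\}",
                  lambda m: escape_value(tokens[m.group(1)]), template)


def ldapsearch_argv(ldap_uri, template, address, group="", attrs=("mail",)):
    """Build an ldapsearch command line with an empty Base DN, as in step 1."""
    return ["ldapsearch", "-x", "-H", ldap_uri, "-b", "",
            expand_query(template, address, group), *attrs]


if __name__ == "__main__":
    # Constructed sample values; the LDAP URI is a placeholder (assumption).
    for query in (ACCEPT_QUERY, QUARANTINE_AUTH_QUERY):
        argv = ldapsearch_argv("ldap://domino.example.com", query,
                               "test@contoso.com")
        print(" ".join(repr(arg) for arg in argv))
    print(expand_query(GROUP_QUERY, "test@contoso.com", group="Sales"))
```

If the Domino LDAP task does not allow anonymous binds, add the bind DN and password options to the generated command before running it.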
Additional Resources:
IBM/Lotus Documentation on Ironport LDAP Accept Query
https://www.dominoteam.de/dominoteam/webfaq.nsf/7ef85cbc26a570dd4125672f001b3e6b/6487815148abd2a8c12572cd007c87e9!OpenDocument
IBM/Lotus Documentation on LDAP Group Query with IronPort: https://dominoteam.de/dominoteam/webfaq.nsf/0/05973246EB0530B1C12572CD007D035E
Hello,
The query I set up in my environment is this one (the previous ones do not work):
(|(cn={a})(mail={a}))(&(dominoaccessgroups={g}))
Regards.
Hervé