Configuring domain lookup options
The following procedure is part of the LDAP profile configuration process. For general procedures about how to configure an LDAP profile, see “Configuring LDAP profiles”.
1. Go to Profile > LDAP.
2. Click New to create a new profile, or double-click an existing profile to edit it.
3. Click the arrow to expand the Domain Lookup Options section.
Organizations with multiple domains may maintain a list of domains on the LDAP server. The FortiMail unit can query the LDAP server to verify the domain portion of a recipient’s email address.
For this option to work, your LDAP directory should contain a single generic user for each domain, such as generic@dom1.com, because the FortiMail unit looks only at the domain portion of the generic user's mail address, such as dom1.com.
When an SMTP session is processed, the FortiMail unit queries the LDAP server for the domain portion of the recipient email address. If the LDAP server finds a matching user entry, it replies with the domain objects defined in the LDAP directory, including the parent domain attribute, generic mail host attribute, generic antispam attribute, and generic antivirus attribute. The FortiMail unit remembers the domain mapping, mail routing, and antispam and antivirus profile information so that it does not need to query the LDAP server again when the same domain portion appears in a recipient email address in the future.
If the user entry carries no antispam or antivirus profile, the FortiMail unit uses the antispam and antivirus profiles from the matching IP policy.
If the LDAP server does not find a user matching the domain, the recipient is considered unknown, and the mail is rejected unless a specific access list entry applies to it.
4. Configure the following:
Domain Lookup Query
    Enter an LDAP query filter that selects the set of domain objects (whichever object class contains the attributes you configure below) from the LDAP directory.
    For details on query syntax, refer to any standard LDAP query filter reference.
    For this option to work, your LDAP directory should contain a single generic user for each domain. The user entry should be configured with attributes that represent the following:
    - the parent domain from which the domain inherits its RCPT check settings and quarantine report settings. For example, parentDomain=parent.com. For information on parent domains, see "Configuring protected domains".
    - the IP address of the backend mail server hosting the mailboxes of the domain. For example, mailHost=192.168.1.105
    - the antispam profile assigned to the domain. For example, genericAntispam=parentAntispam
    - the antivirus profile assigned to the domain. For example, genericAntivirus=parentAntivirus

Parent domain attribute
    Enter the name of the attribute, such as parentDomain, whose value is the name of the parent domain from which the domain inherits its RCPT check settings and quarantine report settings.
    The name of this attribute may vary with the schema of your LDAP directory.

Mail host attribute
    Enter the name of the attribute, such as mailHost, whose value is the IP address of the backend mail server hosting the mailboxes of the domain.
    The name of this attribute may vary with the schema of your LDAP directory.

AntiSpam attribute
    Enter the name of the attribute, such as genericAntispam, whose value is the name of the antispam profile assigned to the domain.
    The name of this attribute may vary with the schema of your LDAP directory.
    If you do not specify this attribute at all (that is, leave this field blank), the antispam profile in the matched recipient-based policy is used.

AntiVirus attribute
    Enter the name of the attribute, such as genericAntivirus, whose value is the name of the antivirus profile assigned to the domain.
    The name of this attribute may vary with the schema of your LDAP directory.
    If you do not specify this attribute at all (that is, leave this field blank), the antivirus profile in the matched recipient-based policy is used.

Content attribute
    Enter the name of the attribute, such as genericContent, whose value is the name of the content profile assigned to the domain.
    The name of this attribute may vary with the schema of your LDAP directory.
    If you do not specify this attribute at all (that is, leave this field blank), the content profile in the matched recipient-based policy is used.
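The lookup flow described above (domain portion of the recipient, one generic user per domain, attribute names taken from the GUI fields, per-domain caching, IP policy fallback, and rejection of unknown domains) as an added offline model. This is example code, not FortiMail's own implementation; the directory entries, access list, policy names and the `mail` attribute used for matching are constructed assumptions.

```python
# Added example: a small offline model of the domain lookup flow described on
# this page. It is not FortiMail code; all data below is constructed.

# Constructed stand-in for the LDAP directory: one generic user per domain.
DIRECTORY = [
    {"mail": "generic@dom1.com", "parentDomain": "parent.com",
     "mailHost": "192.168.1.105", "genericAntispam": "parentAntispam",
     "genericAntivirus": "parentAntivirus"},
    # dom2 carries no profile attributes, so the IP policy profiles apply.
    {"mail": "generic@dom2.com", "mailHost": "192.168.1.106"},
]

# Constructed values for the attribute-name fields of the GUI table above.
ATTR_NAMES = {"parent": "parentDomain", "mailhost": "mailHost",
              "antispam": "genericAntispam", "antivirus": "genericAntivirus"}

IP_POLICY_PROFILES = {"antispam": "ipPolicyAS", "antivirus": "ipPolicyAV"}
ACCESS_LIST_DOMAINS = {"allowed-partner.example"}   # constructed access list

_cache = {}        # domain -> remembered mapping, so LDAP is queried once
_query_count = 0   # number of (simulated) LDAP queries actually issued


def domain_part(recipient):
    """Return the lowercase domain portion of an email address."""
    return recipient.rsplit("@", 1)[1].lower()


def lookup_domain(domain):
    """Simulated LDAP query: find the generic user whose mail domain matches."""
    global _query_count
    _query_count += 1
    for entry in DIRECTORY:
        if domain_part(entry["mail"]) == domain:
            return entry
    return None


def query_count():
    return _query_count


def resolve_recipient(recipient):
    """Decide what the unit remembers (or does) for one RCPT address."""
    domain = domain_part(recipient)
    if domain in _cache:                      # known domain: no new query
        return _cache[domain]
    entry = lookup_domain(domain)
    if entry is None:                         # unknown: reject unless listed
        return {"action": "accept" if domain in ACCESS_LIST_DOMAINS else "reject"}
    result = {"action": "accept",
              "parent": entry.get(ATTR_NAMES["parent"]),
              "mailhost": entry.get(ATTR_NAMES["mailhost"]),
              "antispam": entry.get(ATTR_NAMES["antispam"], IP_POLICY_PROFILES["antispam"]),
              "antivirus": entry.get(ATTR_NAMES["antivirus"], IP_POLICY_PROFILES["antivirus"])}
    _cache[domain] = result
    return result
```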