Messaging Gateway


LDAP problem - all recipients get dropped after a network downtime

  • 1.  LDAP problem - all recipients get dropped after a network downtime

    Posted Nov 20, 2008 05:25 PM

    Hi all.

    Hopefully someone knows something about this.

    We have 8380 Control Center, plus four 8360 scanners.

    When this happened the first time, I thought it was a fluke.

    But recently it has happened again.

    We use LDAP to sync with our Active Directory. These options are selected: Authentication, Synchronization, Recipient Validation.

    Under Invalid Recipients, we chose to use the option to Drop invalid recipients.

    Well, we had a planned network outage in the datacenter where the Control Center resides. Due to this the Control Center failed to sync with AD and also failed to replicate updates to the scanners.

    When the network came up, ALL four scanners started dropping ALL inbound mail as if it was sent to invalid recipients.

    As I mentioned, this was the second time this happened. The first time was also due to some network problems, but we had just installed all the appliances, so I wrote that incident off as a fluke.

    Is there a known issue that is causing the scanners to lose the local replica of the LDAP database after the Control Center fails to do its own LDAP sync?

    P.S. Also, I have been told that in order to use the Reject Invalid Recipients option, we have to allow port 389 from every scanner directly to the Active Directory domain controllers. Is this true? Our scanners are in the DMZ and we aren't too crazy about this idea.

    Thanks in advance for any help!



  • 2.  RE: LDAP problem - all recipients get dropped after a network downtime

    Posted Nov 24, 2008 01:37 PM

    Hi Andrey,

    I've never really seen problems where the Scanners would start dropping messages to all recipients after an LDAP Sync failure. Here is a quick description of how the process works. LDAP Sync runs and normally just checks the changes that have been made to the directory; it adds and removes entries in the MySQL database stored on the Control Center to update accordingly. The next time Scanner replication runs, all of this data is extracted from the MySQL database and imported into a file which is then transferred to all Scanners, and they use this file to check whether recipients exist or not. If Sync weren't able to connect to the AD, which you seem to be indicating, the process should really just quit and the current entries in the database shouldn't have been affected; the next time Scanner replication were to run it would grab what is still in the database, which won't have changed since the previous Sync.

    In terms of your recipient validation query, it is true the Scanners need access to port 389 or the Global Catalog port on your LDAP servers. Symantec are planning to support LDAPS in the near future, which should ease your mind a bit more. I highly recommend rejecting using recipient validation over dropping using LDAP Sync, as when you are dropping, as you currently are, the scanners still accept and scan the message before silently dropping it. Rejecting at connection time will reduce the load on the scanners much more effectively. Keep in mind, if you do move to reject, make sure to enable the DHA attack functionality as well, as you are exposing your directory namespace to spammers.

    Kevin
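The sync-to-replica-to-scanner flow Kevin describes, written up as an added Python illustration; it is not Symantec's code and not from either post. The JSON file format, the function names (`sync_replica`, `rcpt_decision`, `run_scenario`) and the policy of leaving the previous replica untouched when the directory is unreachable are assumptions made for this example. It shows the two points the thread turns on: a failed sync should leave the scanners' recipient list intact rather than publish an empty one, and a reject at RCPT TO answers before the message body is accepted, whereas drop accepts and scans first.

```python
# Added illustration of the pipeline described in the thread: directory sync
# feeds a local replica, scanners consult the replica at RCPT TO. Not Symantec's
# code; file format, function names and the "keep previous replica on failure"
# policy are assumptions made for this example.
import json
import os
import tempfile


class LdapUnavailable(Exception):
    """Raised by the simulated directory when the network to AD is down."""


def fetch_directory(reachable, entries):
    """Simulated LDAP query: return the set of valid recipients, or fail
    the way a sync would when the domain controllers cannot be reached."""
    if not reachable:
        raise LdapUnavailable("cannot reach domain controller")
    return {e.lower() for e in entries}


def load_replica(replica_path):
    """Read the replica file the scanners consult; empty set if none exists yet."""
    if not os.path.exists(replica_path):
        return set()
    with open(replica_path) as fh:
        return set(json.load(fh))


def sync_replica(replica_path, reachable, entries):
    """Refresh the on-disk replica from the directory.

    On a directory failure the previous replica is left untouched, so the next
    scanner replication still publishes the old (complete) data instead of an
    empty list that would make every recipient look invalid.
    Returns (status, recipients now in the replica)."""
    try:
        current = fetch_directory(reachable, entries)
    except LdapUnavailable:
        return "kept_previous", load_replica(replica_path)
    if not current:
        # A successful-but-empty answer is refused for the same reason.
        return "refused_empty", load_replica(replica_path)
    # Write to a temp file and rename so a scanner never reads a half-written replica.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(replica_path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(sorted(current), fh)
    os.replace(tmp, replica_path)
    return "updated", current


def rcpt_decision(replica, recipient, mode):
    """Scanner-side check for one RCPT TO address.

    mode="reject": answer at connection time with a 550 (the recommendation in
    the thread); mode="drop": accept, scan, then silently discard."""
    if recipient.lower() in replica:
        return "250 OK"
    if mode == "reject":
        return "550 5.1.1 User unknown"
    return "250 OK (accepted; dropped after scanning)"


def run_scenario():
    """Walk through the outage described in the thread and return the outcomes."""
    known = ["alice@example.com", "Bob@example.com"]  # constructed sample directory
    with tempfile.TemporaryDirectory() as work:
        path = os.path.join(work, "recipients.json")
        before, _ = sync_replica(path, reachable=True, entries=known)
        # Network outage: the directory is unreachable during sync.
        during, kept = sync_replica(path, reachable=False, entries=known)
        # A sync that returns no entries must not wipe the replica either.
        empty, still = sync_replica(path, reachable=True, entries=[])
        replica = load_replica(path)
        return {
            "first_sync": before,
            "outage_sync": during,
            "entries_after_outage": len(kept),
            "empty_sync": empty,
            "entries_after_empty": len(still),
            "known_reject": rcpt_decision(replica, "BOB@example.com", "reject"),
            "unknown_reject": rcpt_decision(replica, "nobody@example.com", "reject"),
            "unknown_drop": rcpt_decision(replica, "nobody@example.com", "drop"),
        }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The 550 in reject mode is what makes Kevin's closing remark matter: the scanner now answers differently for existing and non-existing addresses, so the directory harvest protection he mentions is the matching control. This example does not model that rate limiting; it only shows why a failed sync must not be allowed to replace the replica.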