Messaging Gateway


BMG 9 LDAP routing query

  • 1.  BMG 9 LDAP routing query

    Posted Apr 07, 2010 07:07 PM

    Hi there,

    I will get BMG 9 up in my lab environment shortly but thought I would ask here.
    Can the new version use multiple ldap sources to query for email routing destination?

    Eq. There is a requirement in a very large environment for all email users to have the same FQDN.
    The departments are split all over the place though and there is more than one AD server that services the same FQDN.

    One AD server may have information on 20% of the users and another 40% and another 40% etc.
    The AD servers are split apart geographically, physically and firewalled as well.

    I am wondering if Brightmail can query one ldap source, and if it does not find a mail route, then query the next one in a list.
    Or that the ldap sources are all synchronised back to an internal DB on the scanners that is aware of all possible routes.

    Any help appreciated

    Z


  • 2.  RE: BMG 9 LDAP routing query

    Broadcom Employee
    Posted Apr 07, 2010 08:01 PM
    The appliance will query all configured LDAP servers at the same time. Be very careful that there are no duplicate user entries, as that will break this function.


  • 3.  RE: BMG 9 LDAP routing query

    Posted Apr 07, 2010 08:24 PM
    It will only break it for Address Resolution; you can have duplicates across directories if you are just doing recipient validation. If you are using policy groups you will need unique AD content, and users, contacts and distros all count.

    My environment has multiple ADs and we have contacts in one that point at the other (so they can be in the Exchange GAL). Still haven't fully resolved this. One way I'm exploring is to make sure users in each AD instance are also members of a group in that AD. Then modify the address resolution query to include that group.

    ZerO - with that much AD, I assume you know these but... have load balancing on your AD. Don't create multiple Directory instances in SBG 9 for that (it works but it will complicate things). Also remember to use LDAP over SSL if your boxes are in a DMZ.


  • 4.  RE: BMG 9 LDAP routing query

    Posted Apr 07, 2010 08:45 PM
    So it sounds like I can do LDAP based routing with the following conditions:

    - There are no duplicate user entries.
    - The user entries will be split over multiple separated AD servers
    - Each user entry will have a mailHost=servername.com attribute

    Then the query on the scanner be written so that it will route mail to the appropriate next hop MTA.

    Apologies if this is straightforward, but although I know a lot about the Brightmails I have never really linked them with LDAP before.
    My setups have always been at the gateway!!

    Am I missing anything here?



  • 5.  RE: BMG 9 LDAP routing query

    Posted Apr 07, 2010 10:27 PM
    Exactly. That way a single domain can be routed to the correct MTA.

    LDAP in 8.0 really didn't scale to the level you are looking at.  I think the rewrite of LDAP in 9.0 is one of the best improvements.


  • 6.  RE: BMG 9 LDAP routing query

    Posted Jun 02, 2010 07:07 PM

    Hey there,

    I have just tested this setup in a lab scenario and what you are saying is not the case.
    Only one LDAP source can be configured to determine the route for each email address/domain.
    So, it cannot be setup to query multiple AD servers.

    If there is no match then the mail is sent using the Default local delivery configuration.

    This means I have to run multiple SBGs with each one (or cluster) pointing to a single AD server.
    Then if the mailhost lookup fails it sends it down to the next SBG (or cluster) and so on.

    I am going to put in an IDEA application to allow multiple LDAP server lookups for each email address/domain.

    If I have missed something in the configuration please let me know.

    Z


  • 7.  RE: BMG 9 LDAP routing query

    Posted Jun 09, 2010 09:16 AM

    Does Brightmail Gateway 9.x have the option of skipping the duplicate entries and switching over to valid entries while doing an LDAP sync?




  • 8.  RE: BMG 9 LDAP routing query

    Broadcom Employee
    Posted Jun 09, 2010 11:06 AM

    There is no such thing as an LDAP sync on Brightmail 9, so you will need to clarify what you mean.


  • 9.  RE: BMG 9 LDAP routing query

    Posted Sep 15, 2010 09:16 AM

    Just wanted to understand that with the advent of Directory integration as we call it in BMG 9, is it possible to customize a query by which I can actually query the e-mail addresses inside the group?



  • 10.  RE: BMG 9 LDAP routing query

    Posted Sep 15, 2010 10:22 AM

    I will get BMG 9 up in my lab environment shortly but thought I would ask here.
    Q: Can the new version use multiple ldap sources to query for email routing destination?

    A: YES. You can have as many LDAP sources as you'd like. An LDAP source should be a DISTINCT LDAP domain. It's NOT normally multiple entries for different SERVERS in an LDAP domain.

    Q: Eq. There is a requirement in a very large environment for all email users to have the same FQDN.
    The departments are split all over the place though and there is more than one AD server that services the same FQDN.

    A: You need an LDAP source for each LDAP (AD) instance. If you have a single AD structure, it doesn't matter what the user's e-mail domain is (we have a single LDAP with 3 different domains (e.g. @domain1.com, @Otherdomain.com, @thirddomain.com) all in a single AD instance). We also have TWO separate AD domains. The 2nd AD environment has 2 other e-mail domains in it. So we have two LDAP sources - one for each of the AD trees.

    Q: One AD server may have information on 20% of the users and another 40% and another 40% etc.
    The AD servers are split apart geographically, physically and firewalled as well.

    A: That sounds like you have multiple AD trees. Yes, you can create an LDAP source for each. You will need to have a path from EACH Scanner and Control Center to each LDAP source server(s). So you will need some firewall rules. I recommend you use LDAP over SSL if any of your Scanners are in a DMZ.

    Q: I am wondering if Brightmail can query one ldap source, and if it does not find a mail route, then query the next one in a list.
    Or that the ldap sources are all synchronised back to an internal DB on the scanners that is aware of all possible routes.

    A: Brightmail will query each LDAP source until it finds a match on the recipient's e-mail address. BTW: It also caches results (positive and negative) to minimize network traffic and improve performance.

    While Recipient Validation doesn't care, Address Resolution requires that any users be unique across ALL LDAP sources, since Brightmail would have no way to decide which source is authoritative for the route.

    And, only one AD object should have any specific e-mail address.

    Q: Just wanted to understand that with the advent of Directory integration as we call it in BMG 9, is it possible to customize a query by which I can actually query the e-mail addresses inside the group?

    A: Define "query". Are you asking about custom queries in the LDAP source, or about policy groups?

    If you want to write content policies that only apply to a group of users, based on AD group membership, you use the Admin / Policy Groups feature and add the DN as the membership source.



  • 11.  RE: BMG 9 LDAP routing query

    Posted Oct 13, 2010 10:23 PM

    Cricket,

    Thanks for your reply.

    My situation is pretty unique as my client was trying to merge two mail domains into each other with users that exist on two separate AD domains.

    I did extensive lab testing and at present an SBG can only look up a single LDAP source for mail routing based on an AD mailhost attribute. The only workaround is to cascade multiple SBG clusters that point to each separate LDAP source.

    The mail comes into the first SBG that does a lookup on AD for the mailhost attribute.

    • If it matches then it is routed to the first exchange server
    • If it doesn't match then it is sent to the next hop default local delivery which is configured as another SBG

    The second SBG then looks up the second AD for the mailhost attribute and delivers mail to the second Exchange server. If it doesn't match it is sent out the default next hop where I have set up a catchall SBG.

    If the mail didn't match any AD accounts we know it is trying to be delivered to a non-existent address and we can bounce it or do whatever we want.

    Quarantine can be handled by routing the mail to any SBG cluster that you have configured on port 41025.

    A downside to this approach is you need an SBG scanner and control centre for each cluster as the configuration cannot be made on a single control centre.

    Z
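The thread settles on two conditions for mailhost-based routing (every routable user carries a mailHost value, and no address appears in more than one directory source) and on a lookup order where the first match wins and anything unmatched falls to default local delivery, whether that happens inside one appliance or across the cascaded SBG clusters in post 11. The following is an added example, not code from the thread or from the Brightmail product: a pre-deployment check over exported directory entries that flags the conflicts the posters warn about, plus a resolver that walks the sources in order with the positive/negative caching post 10 mentions. All entries, DNs, hostnames and the source names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export, one list per directory source (e.g. one per AD tree).
# A real run would load these from an LDAP export of each tree.
DIRECTORY_SOURCES = {
    "ad-tree-1": [
        {"dn": "CN=alice,OU=Users,DC=corp1,DC=example", "mail": ["alice@example.com"], "mailHost": "mta1.corp1.example"},
        {"dn": "CN=bob,OU=Users,DC=corp1,DC=example", "mail": ["bob@example.com"], "mailHost": "mta1.corp1.example"},
        # Contact object mirroring a user from the other tree (the GAL case raised in post 3)
        {"dn": "CN=carol-contact,OU=Contacts,DC=corp1,DC=example", "mail": ["carol@example.com"], "mailHost": None},
    ],
    "ad-tree-2": [
        {"dn": "CN=carol,OU=Users,DC=corp2,DC=example", "mail": ["carol@example.com"], "mailHost": "mta2.corp2.example"},
        {"dn": "CN=dave,OU=Users,DC=corp2,DC=example", "mail": ["dave@example.com", "d.smith@example.com"], "mailHost": "mta2.corp2.example"},
        {"dn": "CN=erin,OU=Users,DC=corp2,DC=example", "mail": ["erin@example.com"], "mailHost": None},
    ],
}

DEFAULT_LOCAL_DELIVERY = "default-local-delivery"  # placeholder for the appliance's fallback route


def find_routing_conflicts(sources):
    """Return (duplicates, missing_mailhost).

    duplicates: {address: [(source, dn), ...]} for any address held by more than
    one object across all sources; these break Address Resolution.
    missing_mailhost: [(source, dn)] for objects that cannot be routed at all.
    """
    seen = defaultdict(list)
    missing = []
    for source, entries in sources.items():
        for entry in entries:
            for addr in entry["mail"]:
                seen[addr.lower()].append((source, entry["dn"]))
            if not entry.get("mailHost"):
                missing.append((source, entry["dn"]))
    duplicates = {addr: hits for addr, hits in seen.items() if len(hits) > 1}
    return duplicates, missing


def resolve_route(recipient, sources, order, cache=None):
    """Walk the sources in `order`; the first object with a mailHost wins.

    Both positive and negative results are cached when a cache dict is supplied,
    so repeated lookups for unknown recipients do not hit the directories again.
    """
    key = recipient.lower()
    if cache is not None and key in cache:
        return cache[key]
    route = DEFAULT_LOCAL_DELIVERY
    for source in order:
        for entry in sources[source]:
            if key in (a.lower() for a in entry["mail"]) and entry.get("mailHost"):
                route = entry["mailHost"]
                break
        if route != DEFAULT_LOCAL_DELIVERY:
            break
    if cache is not None:
        cache[key] = route
    return route
```

Run `find_routing_conflicts` against the real exports before turning on Address Resolution; the `carol@example.com` duplicate above is exactly the contact-in-the-other-tree pattern the thread describes, and it would need to be resolved (or moved to a recipient-validation-only setup) rather than routed.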