Barracuda Email Security Gateway

How do I write a custom LDAP filter for the Barracuda Spam Firewall?

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00001802

Scope:
Applies to Barracuda Spam Firewall models 300 and higher that are using LDAP for recipient verification, all firmware versions.

Answer:
Here is an example LDAP filter (it should be entered as one line):

(|(proxyaddresses=smtp:${recipient_email})
(mail=${recipient_email})(userPrincipalName=${recipient_email}))

The filter above has multiple OR conditions (OR, not AND, because it begins with | instead of &), meaning that as long as one of the listed conditions is met, the recipient is validated as legitimate. So, if one of your recipients has no mail record on your LDAP or Active Directory server, he or she may receive email anyway (for example, because the address matches userPrincipalName). If your intent is to verify recipients based only on whether they have a mail record, simply truncate your LDAP filter to this:

(|(mail=${recipient_email}))

Trimming your filter ensures that you accept email only for the user addresses for which you intend to receive mail. This is configured on the Domains > Edit Domain page as the LDAP Search Filter option.

Conditions can also be combined with AND by starting the filter with & instead of |. The following variant, which also appears in this article, requires the account to be a normal, enabled account (userAccountControl=512) in addition to matching one of the address attributes; note that an equality match on 512 only matches accounts whose userAccountControl is exactly that value, so accounts carrying additional flags would not be validated:

(&(userAccountControl=512)(|(proxyaddresses=smtp:${recipient_email})(mail=${recipient_email})(userPrincipalName=${recipient_email})))

Additional Notes:
Below is a list of the variables that can be used when creating a custom LDAP filter for the LDAP Search Filter field.
  • ${recipient_email}
    The full recipient email address. If the recipient address is jsmith@domain.com, this variable will contain jsmith@domain.com.

  • ${recipient_fqdn}
    The fully qualified domain name portion of the recipient email address. If the recipient address is jsmith@domain.com, this variable will contain domain.com.

  • ${recipient_local_part}
    The username portion of the recipient email address. If the recipient address is jsmith@domain.com, this variable will contain jsmith.

A customer wanted to maintain users in AD, including their email addresses, but not accept email for any users that have been disabled. The solution is to disable the user and remove userPrincipalName from the LDAP filter, i.e. remove this from the filter:

(userPrincipalName=${recipient_email})
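To see how the OR filter, the trimmed mail-only filter and the userAccountControl=512 variant from this article behave for different recipients, here is an added example (not Barracuda code) that expands the ${...} variables and evaluates the filters offline against a few constructed Active Directory entries. It assumes only & / | sets and equality items (the constructs used in this article), and the entries, names and addresses are made up.

```python
"""Offline check of LDAP Search Filter templates; added example, not Barracuda code."""
import re
def escape(value):
    """RFC 4515 escaping so special characters in the recipient address match literally."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group()), value)

def expand(template, recipient):
    """Substitute the three ${...} variables the article documents."""
    local, fqdn = recipient.split('@', 1)
    subs = {'recipient_email': recipient, 'recipient_fqdn': fqdn, 'recipient_local_part': local}
    return re.sub(r'\$\{(\w+)\}', lambda m: escape(subs[m.group(1)]), template)

def parse(s, i=0):
    """Recursive-descent parser for & / | sets and (attr=value) items; returns (node, next_index)."""
    assert s[i] == '(', 'filter item must start with ( at offset %d' % i
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # step over the closing )
    j = s.index(')', i)
    attr, val = s[i:j].split('=', 1)
    val = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), val)  # undo escaping
    return ('=', attr.lower(), val.lower()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attribute -> list of values)."""
    if node[0] in '&|':
        combine = all if node[0] == '&' else any
        return combine(matches(k, entry) for k in node[1])
    return node[2] in [v.lower() for v in entry.get(node[1], [])]  # case-insensitive, as AD compares mail/UPN

FULL = ('(|(proxyaddresses=smtp:${recipient_email})(mail=${recipient_email})'
        '(userPrincipalName=${recipient_email}))')
MAIL_ONLY = '(|(mail=${recipient_email}))'
ENABLED = ('(&(userAccountControl=512)(|(proxyaddresses=smtp:${recipient_email})'
           '(mail=${recipient_email})(userPrincipalName=${recipient_email})))')
DIRECTORY = {  # constructed: jsmith has a mailbox, bjones has only a UPN, rdoe is disabled (UAC 514)
    'jsmith': {'mail': ['jsmith@domain.com'], 'proxyaddresses': ['SMTP:jsmith@domain.com'],
               'userprincipalname': ['jsmith@domain.com'], 'useraccountcontrol': ['512']},
    'bjones': {'userprincipalname': ['bjones@domain.com'], 'useraccountcontrol': ['512']},
    'rdoe': {'mail': ['rdoe@domain.com'], 'userprincipalname': ['rdoe@domain.com'], 'useraccountcontrol': ['514']},
}

def accepted(template, recipient):
    """Keys of entries the filter validates for this recipient; an empty list means rejected."""
    node, _ = parse(expand(template, recipient))
    return sorted(k for k, e in DIRECTORY.items() if matches(node, e))
```

With these entries, bjones (UPN but no mail attribute) is accepted by FULL and rejected by MAIL_ONLY, and the disabled rdoe is accepted by FULL but rejected by ENABLED.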

Finally, a public article referencing this, quoted from the Microsoft site:

"The attribute otherMailbox is by default not indexed in Active Directory. It's required to index this attribute in Active Directory, otherwise the Active Directory server will have a high CPU load during search queries on this attribute. For more information about indexing attributes in Active Directory, see http://go.microsoft.com/fwlink/?LinkId=46790."

Link to This Page:
https://campus.barracuda.com/solution/50160000000GVBnAAO