Applies to Email Security Gateway models 300 and higher that are using LDAP for recipient verification, all firmware versions.
Here is an example LDAP filter (it should be entered as one line):
The filter above has multiple OR conditions (OR, not AND, because it begins with a instead of a &), meaning that as long as one of the listed conditions is met, the recipient will be validated as legitimate. So, if one of your recipients has no mail record on your LDAP or Active Directory server, he or she may receive email anyway. If your intent is to verify recipients based only on whether he or she has a mail record, simply truncate your LD
AP filter to this:
Trimming your filter will ensure that you allow emails to only the user addresses for which you intend to receive mail. This is configured on the Domains > Edit Domain page as the LDAP Search Filter option.
Below is a list of the variables that can be used when creating a custom LDAP filter for the LDAP Search Filter field.
The full recipient email address. If the recipient address is firstname.lastname@example.org, this variable will contain email@example.com.
The fully qualified domain name portion of the recipient email address. If the recipient address is firstname.lastname@example.org, this variable will contain domain.com.
The username portion of the recipient email address. If the recipient address is email@example.com, this variable wil contain jsmith.
Customer wanted to maintain his users in AD, including their email , but not accept email for any users that have been disabled? The Solution is to disable user and remove userprincipalname from their ldap filter
remove this out of the filter:
Finally a public article referencing this:
Quote from MS site:
"The attribute otherMailbox is by default not indexed in Active Directory. It's required to index this attribute in Active Directory, otherwise the Active Directory server will have a high CPU load during search queries on this attribute. For more information about indexing attributes in Active Directory, see http://go.microsoft.com/fwlink/?LinkId=46790."