Barracuda Essentials

The problem with using Domain Aliasing and LDAP at the same time - NOT recommended

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007522

Scope:

Barracuda Email Security Service

Answer:

===============================================
Domain Aliasing and LDAP should not be used at the same time. It does not work if the mail server does recipient verification.
NOTE: If your mail server DOES NOT do recipient verification (that is, it does not return a 550 for an invalid user at connect), then a BESS valid user list is essential.
 
===============================================
 
BESS Setup using Domain Aliasing (mail server has recipient verification enabled)
 
All domains use the settings of the PRIMARY_DOMAIN.
 
All usernames (e.g. bob.smith) have to exist in the PRIMARY_DOMAIN.
 
Example (mail server with recipient verification enabled):
 
FirstDomain.com (primary_domain)
   bob.smith@FirstDomain.com
 
   SecondDomain.com (alias_domain)
      bob.smith@SecondDomain.com
      bob.jones@SecondDomain.com
 
   ThirdDomain.com (alias_domain)
      sam.jones@ThirdDomain.com
      bob.smith@ThirdDomain.com
 
Mail comes in for 
 
  bob.smith@FirstDomain.com (allowed)
  bob.smith@SecondDomain.com (allowed)
  bob.smith@ThirdDomain.com (allowed)
 
  bob.jones@SecondDomain.com (blocked because bob.jones@FirstDomain.com does not exist)
 
  sam.jones@ThirdDomain.com (blocked because sam.jones@FirstDomain.com does not exist)
 
NOTE: If the mail server is NOT doing recipient verification then it will accept mail for all the above users. This, however, leaves the domains open to a Denial of Service attack, so without recipient verification it is essential that you create a valid user list in BESS.
 
===============================================
   
BESS Setup using LDAP user aliasing (NO DOMAIN ALIASING ENABLED)
 
UserList
 
PARENT / ALIASES
bob.smith@FirstDomain.com / bob.smith@SecondDomain.com / bob.smith@ThirdDomain.com
bob.jones@SecondDomain.com / bobbyJ@SecondDomain.com
sam.jones@ThirdDomain.com / sjones@ThirdDomain.com
 
BESS will accept mail for all of the above users.
 
===============================================
 
If you use Domain Aliasing and LDAP at the same time, BESS will always check USERNAME@PRIMARY against the mail server to verify whether it is valid. If the mail server is doing recipient verification and returns a "550 Invalid User" when we make the request, we return that to the sender and the mail fails EVEN IF THE ADDRESS IS IN THE USER LIST.
 
Domain Aliasing can be a powerful tool, but if used incorrectly it will cause mail to be rejected for valid users.
As noted on our Domains Settings page, we DO NOT recommend using Domain Aliasing and LDAP at the same time.
If using domain aliasing, all users in all aliased domains should exist in the Primary domain. If they do not exist and the mail server returns a "550 Invalid User" for USERNAME@PRIMARY_DOMAIN, then mail to that user will fail even if USERNAME@ALIAS_DOMAIN is valid. We never get that far in testing because domain aliasing is enabled.
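The recipient-check behaviour described in this article, modelled as an added Python example (not Barracuda code) so that an administrator can audit a proposed domain configuration before enabling it; the class and field names are assumptions, and the mail server and address lists are constructed from the KB's example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MailServer:
    """Downstream mail server as BESS sees it during recipient verification."""
    recipient_verification: bool
    valid_recipients: frozenset  # consulted only when verification is on

    def rcpt_to(self, address: str) -> bool:
        """True if RCPT TO is accepted, False for a 550 Invalid User."""
        if not self.recipient_verification:
            return True  # accepts any recipient, hence the DoS concern in the KB
        return address.lower() in self.valid_recipients

@dataclass(frozen=True)
class BessConfig:
    """The BESS domain settings that matter here (hypothetical field names)."""
    primary_domain: str
    alias_domains: frozenset = frozenset()    # Domain Aliasing, if enabled
    valid_user_list: frozenset = frozenset()  # LDAP parents and aliases, if any

def bess_accepts(cfg: BessConfig, server: MailServer, rcpt: str) -> bool:
    local, _, domain = rcpt.lower().rpartition("@")
    primary = cfg.primary_domain.lower()
    # Domain Aliasing path: the address is rewritten to USERNAME@PRIMARY_DOMAIN
    # and checked against the mail server; the valid user list is skipped.
    if cfg.alias_domains and (domain == primary or domain in cfg.alias_domains):
        return server.rcpt_to(f"{local}@{primary}")
    # LDAP user-aliasing path: the user list alone decides.
    if cfg.valid_user_list:
        return rcpt.lower() in cfg.valid_user_list
    return server.rcpt_to(rcpt.lower())

def audit(cfg: BessConfig, server: MailServer, recipients) -> dict:
    """Accept/block verdict per recipient, to spot rejections before go-live."""
    return {r: bess_accepts(cfg, server, r) for r in recipients}

# Constructed data mirroring the KB example (lowercased for comparison).
SERVER = MailServer(True, frozenset({"bob.smith@firstdomain.com",
    "bob.jones@seconddomain.com", "sam.jones@thirddomain.com"}))
ALIAS_DOMAINS = frozenset({"seconddomain.com", "thirddomain.com"})
USER_LIST = frozenset({"bob.smith@firstdomain.com", "bob.smith@seconddomain.com",
    "bob.smith@thirddomain.com", "bob.jones@seconddomain.com", "bobbyj@seconddomain.com",
    "sam.jones@thirddomain.com", "sjones@thirddomain.com"})
ALIASING_ONLY = BessConfig("FirstDomain.com", ALIAS_DOMAINS)
LDAP_ONLY = BessConfig("FirstDomain.com", valid_user_list=USER_LIST)
BOTH = BessConfig("FirstDomain.com", ALIAS_DOMAINS, USER_LIST)
```

Running `audit(BOTH, SERVER, USER_LIST)` shows every alias-domain address without a matching primary-domain mailbox being blocked even though it is in the user list, which is exactly the failure this article warns about.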