
The problem with using Domain Aliasing and LDAP at the same time - NOT recommended

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007522


Barracuda Email Security Service


Domain Aliasing and LDAP should not be used at the same time. The combination doesn't work if the mail server does recipient verification.
NOTE: If your mail server DOES NOT do recipient verification (recipient verification means the server returns a 550 for an invalid user at connect), then a BESS valid user list is essential.
BESS Setup using Domain Aliasing (mail server has recipient verification enabled)
All domains use the settings of the PRIMARY_DOMAIN.
All usernames (e.g. bob.smith) have to exist in the PRIMARY_DOMAIN.
Example (mail server with recipient verification enabled): (primary_domain) (alias_domain) (alias_domain)
Mail comes in for (allowed) (allowed) (allowed) (blocked because does not exist) (blocked because does not exist)
NOTE: If the mail server is NOT doing recipient verification, then it will accept mail for all the above users. This, however, leaves the domains open to a Denial of Service attack, so without recipient verification it is essential that you create a valid user list in BESS.
BESS Setup using LDAP user aliasing (NO DOMAIN ALIASING ENABLED)
BESS will accept mail for all of the above users.
If you use Domain Aliasing and LDAP at the same time, BESS will always check USERNAME@PRIMARY against the mail server to verify whether it is valid. If the mail server is doing recipient verification and returns a "550 Invalid User" when we make the request, we will return that to the sender and the mail will fail EVEN IF THE ADDRESS IS IN THE USER LIST.
Domain Aliasing can be a powerful tool but if used incorrectly it will cause mail to be rejected for valid users.
As noted on our Domains Settings page we DO NOT recommend using Domain Aliasing and LDAP at the same time.
If using domain aliasing, all users in all aliased domains should exist in the Primary domain. If they do not exist and the mail server returns a "550 Invalid User" for USERNAME@PRIMARY_DOMAIN, then mail to that user will fail even if USERNAME@ALIAS_DOMAIN is valid. We never get that far in testing because domain aliasing is enabled.
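A pre-flight check for the rule above, as an added example that is not Barracuda code: it models the USERNAME@PRIMARY_DOMAIN lookup this article describes and lists the user-list entries that would be rejected. The domains, addresses and function names are constructed for illustration, and it assumes mailbox names compare case-insensitively.

```python
# Added example: models the check order this article describes.
# Domains, addresses and function names are constructed, not Barracuda's.

def address_checked(address, primary_domain, alias_domains):
    """Return the address verified against the mail server, or None if the
    address belongs to neither the primary nor an aliased domain."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or domain not in alias_domains | {primary_domain}:
        return None
    # With Domain Aliasing on, the lookup is always USERNAME@PRIMARY_DOMAIN.
    return f"{local}@{primary_domain}"


def users_that_will_bounce(user_list, primary_domain, alias_domains,
                           primary_mailboxes, server_verifies=True):
    """Return (listed_address, checked_address) pairs that would get a
    "550 Invalid User" even though the address is in the user list."""
    if not server_verifies:
        return []  # server accepts every recipient, so nothing gets a 550
    valid = {m.lower() for m in primary_mailboxes}
    bounced = []
    for address in user_list:
        checked = address_checked(address, primary_domain, alias_domains)
        if checked is not None and checked not in valid:
            bounced.append((address, checked))
    return bounced


# Constructed sample data (assumption: mailbox names compare case-insensitively).
PRIMARY = "example.com"
ALIASES = {"example.net", "example.org"}
PRIMARY_MAILBOXES = {"bob.smith@example.com", "alice.jones@example.com"}
LDAP_USER_LIST = [
    "bob.smith@example.com",
    "Bob.Smith@example.net",
    "alice.jones@example.org",
    "carol.lee@example.net",   # exists only in an aliased domain
    "dave.kim@example.org",    # exists only in an aliased domain
]

if __name__ == "__main__":
    for listed, checked in users_that_will_bounce(
            LDAP_USER_LIST, PRIMARY, ALIASES, PRIMARY_MAILBOXES):
        print(f"{listed}: rejected, {checked} is not a mailbox")
```

Every pair it returns is a user who needs a mailbox or alias in the primary domain before Domain Aliasing is enabled.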