How to Work with Non-AD Directories

Stopping unnecessary work at the earliest possible stage is always welcome. Likewise, in the world of email, rejecting unnecessary relay requests as early as possible is a rule of thumb.

Most email sanitizing systems have reputation scoring systems, which assess the quality of the IP addresses trying to relay email messages on behalf of people. As a result, maintaining a good reputation is the first thing every participant in the community wants to do.

Trend Micro Email Reputation Services (ERS), facing the Internet, checks the IP address of every host that tries to relay email messages to Hosted Email Security against its internal database, and rejects the relay request if a low reputation score is found. Similarly, Hosted Email Security evaluates the reputation of its downstream MTA by observing rejections caused by unknown (non-existent) recipients. Frequent rejections lead to a low score and degraded quality of service.

Synchronizing the list of valid recipient email addresses to Hosted Email Security is therefore important. It not only reduces the chance of offensive or disgusting content getting past the early stage, but also keeps the downstream MTA (your MTA) in good standing. A low reputation score for a downstream MTA may cause unpredictable delivery issues.

The way to synchronize the valid recipient list to Hosted Email Security is easy, especially when Active Directory is deployed. A few tools under Administration > Web Services & Tools will help you achieve continuous synchronization.

The following describes different scenarios and how to achieve effective recipient synchronization in those scenarios:

  • If Active Directory is in use, download the Active Directory Synchronization Tool Guide and Active Directory Synchronization Tool from Administration > Web Services & Tools.

    The guide has detailed instructions about installation and configuration. The tool is implemented as a Windows Service to continuously synchronize the list of valid recipients to the cloud.

  • If a directory server other than Active Directory is used, implement valid recipient synchronization by programming with the Web Service interface of Hosted Email Security. Download Web Services Client and Web Services Guide from Administration > Web Services & Tools.

    When directory servers other than Active Directory are used, perform the following steps to implement automation:

    1. Dump valid recipients from directory servers.

    2. Enable client programs to send data to the cloud.

    If OpenLDAP is in use and configured properly, the ldapsearch tool is used to generate the list of valid recipients. Do the following:

    1. In the terminal window, run the following command:

      # ldapsearch -x -h localhost -b 'dc=test1,dc=com' -L mail | grep '^mail:' | cut -d ' ' -f 2 > ldapbackup.csv

      The preceding command searches the OpenLDAP server hosted locally (the `-h` option must be given the host name, here localhost), extracts the mail attribute of each matching entry, and writes one address per line to a CSV file. Matching only lines that begin with `mail:` avoids picking up DN lines that happen to contain the word "mail". The file can then be sent to Hosted Email Security as described in step 2.

    2. Run the following command to replace the existing valid recipient list with the newly dumped recipient list:

      # /PATH_TO_FILE/imhs-cmd.rb -a replace-users -t csv -f /PATH_TO_FILE/ldapbackup.csv

    3. Combine these two commands in a script file, for example,

      On a Linux system, the script that performs the two steps must then be scheduled from the system crontab.

    • If the operating system that performs this routine job is Microsoft Windows, a step-by-step approach to create a task using Task Scheduler can be found here.

    • If the operating system is a Linux box, refer to the following command examples:

      1. Edit the crontab file:

        # crontab -e

      2. Type the command that runs periodically:

        #every 5 min:

        */5 * * * * /PATH_TO_FILE/ >/tmp/log.txt 2>&1

        If an hourly job is preferred, use the following command:

        #every hour, such as: 01:00, 02:00, etc:

        0 */1 * * * /PATH_TO_FILE/ >/tmp/log.txt 2>&1

        If a daily job is preferred, use the following command:

        #every day at 07:10:

        10 7 * * * /PATH_TO_FILE/ >/tmp/log.txt 2>&1

      3. Display the command you just typed:

        # crontab -l

        The fields of a crontab entry are as follows:

        *  *  *  *  *  command to be executed
        -  -  -  -  -
        |  |  |  |  |
        |  |  |  |  +----- Day of week (0 - 7) (Sunday = 0 or 7)
        |  |  |  +-------- Month (1 - 12)
        |  |  +----------- Day of month (1 - 31)
        |  +-------------- Hour (0 - 23)
        +----------------- Minute (0 - 59)
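        The script file that steps 1 and 2 above are combined into, and that the crontab entries call, is not shown on the page; the following is an added example (not Trend Micro's code) of one way to write it. It assumes the OpenLDAP server is local, the base DN is dc=test1,dc=com as in the example command, and /PATH_TO_FILE is the page's placeholder for where imhs-cmd.rb and the CSV live; it also refuses to upload an empty or truncated list, since replace-users with such a list would leave Hosted Email Security rejecting mail for every real recipient.

```shell
#!/bin/sh
# sync_recipients.sh: combines the ldapsearch dump and the imhs-cmd.rb
# upload into one script that cron can run. Assumptions (not from the
# page): the OpenLDAP server is local, the base DN is dc=test1,dc=com as
# in the page's example, and /PATH_TO_FILE is the page's placeholder path.
set -u

BASE_DN='dc=test1,dc=com'
LDAP_HOST='localhost'
CLIENT='/PATH_TO_FILE/imhs-cmd.rb'
CSV='/PATH_TO_FILE/ldapbackup.csv'
MIN_RECIPIENTS=1   # refuse to upload a list smaller than this

# Read LDIF on stdin and print one address per line, de-duplicated.
# Only "mail: " lines are taken, so a dn that happens to contain "mail"
# is ignored, and base64-encoded values ("mail:: ...") are skipped
# rather than uploaded undecoded.
extract_mail() {
    sed -n 's/^mail: //p' | sort -u
}

# Succeed only if the file holds at least $2 addresses. Running
# replace-users with an empty or truncated list would leave Hosted Email
# Security with no valid recipients, so every inbound message would bounce.
sane_count() {
    [ "$(grep -c '@' "$1")" -ge "$2" ]
}

main() {
    tmp=$(mktemp) || return 1
    ldapsearch -x -h "$LDAP_HOST" -b "$BASE_DN" -L mail | extract_mail > "$tmp"
    if ! sane_count "$tmp" "$MIN_RECIPIENTS"; then
        echo "recipient dump too small, keeping the previous list" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$CSV" || return 1
    "$CLIENT" -a replace-users -t csv -f "$CSV"
}

# Run the sync only when executed directly (e.g. from cron); sourcing the
# file just defines the functions.
case "$0" in *sync_recipients.sh) main "$@" ;; esac
```

Point the crontab entry at /PATH_TO_FILE/sync_recipients.sh; the exit status is non-zero when the dump was too small to upload, so the cron log shows when the previous list was kept.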