IronPort ESA LDAP Accept Query – Disabled AD Accounts

I recently had the opportunity to work on a project where I had to set up and implement an E-Mail gateway using Cisco IronPort Email Security Appliances (ESA), and stumbled over an interesting issue.

If you verify the recipient of incoming mails against an internal Active Directory (only accepting mail for people who have an E-Mail address associated with their account in Active Directory), you might find this useful:

To keep the ESAs from accepting mail for disabled accounts, you have to use a custom accept-query:

(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This query takes into account that Active Directory marks disabled accounts by setting the ACCOUNTDISABLE bit (0x0002, decimal 2) in the userAccountControl attribute. The OID 1.2.840.113556.1.4.803 selects the LDAP_MATCHING_RULE_BIT_AND matching rule, so the inner clause is true exactly for entries that have this bit set, and the surrounding "!" excludes them from the recipients the ESA accepts. The ESA substitutes the recipient address for {a}.

As a comparison, this is the default accept-query, which accepts mail for any address found in the directory regardless of account state:

(|(mail={a})(proxyAddresses=smtp:{a}))
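To see the difference between the two queries without an ESA or a domain controller at hand, here is an added example (not from the original post) that emulates how the directory evaluates each filter against a few constructed AD entries. The account names, addresses and userAccountControl values are made up; the bitwise rule and attribute names are the ones used in the queries above.

```python
# Added example: emulate the two ESA accept-queries against constructed
# Active Directory entries to show which recipients each one accepts.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
NORMAL_ACCOUNT = 0x0200  # userAccountControl bit on ordinary user accounts

# Constructed sample entries, shaped like the AD attributes the filters read.
DIRECTORY = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"],
     "userAccountControl": NORMAL_ACCOUNT},                  # enabled
    {"sAMAccountName": "bob", "mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},  # disabled
]

def default_accept_query(addr):
    """The ESA default accept-query with the recipient substituted for {a}."""
    return "(|(mail={a})(proxyAddresses=smtp:{a}))".replace("{a}", addr)

def custom_accept_query(addr):
    """The custom accept-query from the post with the recipient substituted."""
    return ("(&(|(mail={a})(proxyAddresses=smtp:{a}))"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))").replace("{a}", addr)

def address_matches(entry, addr):
    """(|(mail={a})(proxyAddresses=smtp:{a})); AD string matching is case-insensitive."""
    a = addr.lower()
    if entry.get("mail", "").lower() == a:
        return True
    return any(p.lower() == "smtp:" + a for p in entry.get("proxyAddresses", []))

def is_disabled(entry):
    """(userAccountControl:1.2.840.113556.1.4.803:=2): the bitwise-AND matching
    rule is true when every bit of the asserted value (here 0x2) is set."""
    return entry.get("userAccountControl", 0) & ACCOUNTDISABLE == ACCOUNTDISABLE

def accepted_by_default(addr, directory=DIRECTORY):
    """Accounts the default query would accept mail for."""
    return [e["sAMAccountName"] for e in directory if address_matches(e, addr)]

def accepted_by_custom(addr, directory=DIRECTORY):
    """Accounts the custom query would accept mail for (disabled ones dropped)."""
    return [e["sAMAccountName"] for e in directory
            if address_matches(e, addr) and not is_disabled(e)]

if __name__ == "__main__":
    for addr in ("alice@example.com", "a.smith@example.com", "bob@example.com"):
        print(addr, "default:", accepted_by_default(addr),
              "custom:", accepted_by_custom(addr))
```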

Links
http://support.microsoft.com/kb/305144
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx

One thought on “IronPort ESA LDAP Accept Query – Disabled AD Accounts”

  1. Thanks for this info. I know this is an old post, but do you know if there are any changes to this when using Server 2012? I’ve tested this in the accept query tool on the IronPort, and it always fails for any account, disabled or not. Of course, the default query does and is working fine. I’m not having much luck finding more info, but this is SO close to what I need.
