IronPort ESA LDAP Accept Query – Disabled AD Accounts

I recently had the opportunity to work on a project where I had to set up an e-mail gateway using Cisco IronPort Email Security Appliances (ESA), and I stumbled over an interesting issue.

If you validate recipients of incoming mail against an internal Active Directory (i.e. you only accept mail for people who have an e-mail address associated with their account in Active Directory), you might find this useful:

To prevent the ESAs from accepting mail for disabled accounts, use a custom accept query:

(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This query relies on the way Active Directory marks disabled accounts: it sets the ACCOUNTDISABLE bit (0x0002, decimal 2) in the userAccountControl attribute. Because userAccountControl is a bit field, a disabled account practically never has the value 2 on its own (a normal disabled user account is 0x0200 | 0x0002 = 514, and any further flag such as "password never expires" changes the value again), so the filter uses the LDAP_MATCHING_RULE_BIT_AND matching rule (OID 1.2.840.113556.1.4.803) to test for that single bit and negates the result with !. An entry that matches the recipient address but has the bit set is therefore rejected.
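As an added example that is not part of the original post, the Python script below evaluates the default accept query, the bitwise-AND query, and an equality test against the single value 514 over a handful of constructed Active Directory entries, so the difference between matching a bit and matching a whole attribute value can be seen without a directory. The entries, addresses and flag combinations are made up for illustration, and the filter parser only covers the subset of RFC 4515 syntax these queries use.

```python
"""Evaluate ESA recipient accept-queries locally against constructed AD entries."""
import re

# userAccountControl bits from KB305144 (only the ones used here).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

DEFAULT_QUERY = "(|(mail={a})(proxyAddresses=smtp:{a}))"
BITWISE_QUERY = ("(&(|(mail={a})(proxyAddresses=smtp:{a}))"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
# Equality against the single value 514 (0x200 | 0x2), for comparison.
EQUALITY_QUERY = "(&(|(mail={a})(proxyAddresses=smtp:{a}))(!(userAccountControl=514)))"

# Constructed sample entries, not real directory data.
ENTRIES = [
    {"cn": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"],
     "userAccountControl": NORMAL_ACCOUNT},                                    # 512, enabled
    {"cn": "bob", "mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                   # 514, disabled
    {"cn": "carol", "mail": "carol@example.com",
     "proxyAddresses": ["SMTP:carol@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},  # 66050
    {"cn": "dave", "mail": "dave@example.com",
     "proxyAddresses": ["SMTP:dave@example.com"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},             # 66048, enabled
]

# attr, optional ":OID:" matching rule, "=", value
_LEAF = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text, pos=0):
    """Parse a filter into ('&'|'|'|'!', children) or ('=', attr, rule, value)."""
    if text[pos] != "(":
        raise ValueError("filter component must start with '('")
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    end = text.index(")", pos)          # values here contain no ')'
    m = _LEAF.fullmatch(text[pos:end])
    if not m:
        raise ValueError("unsupported filter item: " + text[pos:end])
    return ("=", m.group(1), m.group(2), m.group(3)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Plain equality is a
    case-insensitive string compare (as AD does for mail/proxyAddresses);
    the bitwise rule treats the asserted value as an integer mask."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    stored = entry.get(attr)
    if stored is None:
        return False                    # an absent attribute never matches
    if not isinstance(stored, list):
        stored = [stored]
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)
        return any((int(v) & mask) == mask for v in stored)   # all mask bits set
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(str(v).lower() == value.lower() for v in stored)


def accepted_for(query, recipient, entries=ENTRIES):
    """Return the cn of every entry the query accepts for this recipient address."""
    tree, _ = parse_filter(query.replace("{a}", recipient))
    return [e["cn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "a.smith@example.com", "bob@example.com",
                 "carol@example.com", "dave@example.com"):
        print(rcpt, "default:", accepted_for(DEFAULT_QUERY, rcpt),
              "bitwise:", accepted_for(BITWISE_QUERY, rcpt),
              "=514:", accepted_for(EQUALITY_QUERY, rcpt))
```

Running it shows that the default query accepts mail for every entry, the bitwise query rejects both disabled entries (514 and 66050) while still accepting the alias in proxyAddresses, and the equality test against 514 lets the disabled account carrying an extra flag (66050) through.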

As a comparison, this is the default accept-query:


(|(mail={a})(proxyAddresses=smtp:{a}))

Links
http://support.microsoft.com/kb/305144
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832%28v=vs.85%29.aspx

Comments

  1. Thanks for this info. I know this is an old post, but do you know if there are any changes to this when using Server 2012? I’ve tested this in the accept query tool on the ironport, and it always fails for any account disabled or not. Of course, the default query does & is working fine. I’m not having much luck finding more info, but this is SO close to what I need.

  2. Just a note: while this is the correct syntax for an LDAP query directly against AD, and even in testing LDAP connections against AD, in order for this query to work in the IronPort interface, the decimal notation for account disabled needs to be used. That is:

    (!(userAccountControl=514))
