Sophos Email Appliance

klinet
Posts: 19
Joined: Fri Sep 12, 2014 10:38 pm

Sophos Email Appliance

Post by klinet »

I am currently testing a Sophos Email Appliance, and would like to connect it to Zimbra for account authentication. I have made some guesses, but have been unsuccessful in making the connection. I have 9 fields that need info.
Does anyone have ideas about what attributes are for the following:
Server: FQHN
Port: 389
Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".
DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
Password: ***
Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".
Base DN for users/groups: ??? The top Directory Services node from which searches are performed.
Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".
Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.
Thanks for any help!
Todd
gnyce
Outstanding Member
Posts: 204
Joined: Fri Sep 12, 2014 10:41 pm

Sophos Email Appliance

Post by gnyce »

Why not just grab a copy of ldapadmin (or other such tool) and peruse the Zimbra ldap tree yourself? Some guesses below:
[quote user="klinet"]Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".[/quote]
that seems right
[quote user="klinet"]DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
Password: ***[/quote]
so use an existing account, or create one, like "ldapquery"
uid=ldapquery,ou=people,dc=YOURDOMAIN,dc=COM
[quote user="klinet"]Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".[/quote]
?
[quote user="klinet"]Base DN for users/groups: ??? The top Directory Services node from which searches are performed.[/quote]
ou=people,dc=YOURDOMAIN,dc=COM
[quote user="klinet"]Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".[/quote]
?
[quote user="klinet"]Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.[/quote]
any object where objectClass = ZimbraDistributionList
bdial
Elite member
Posts: 1633
Joined: Fri Sep 12, 2014 10:39 pm

Sophos Email Appliance

Post by bdial »

this should get you going
Server: zimbraserver.yourdomain.com

Port: 389

Email Attribute: mail

DN To Authenticate: uid=zimbra,cn=admins,cn=zimbra

Password: the result of the command zmlocalconfig -s | grep zimbra_ldap_password

Email Alias Attribute: zimbraMailAlias

Base DN for users/groups: ou=people,dc=yourdomain,dc=com

Account Attribute: probably use uid
not sure about the group thing
As gnyce suggests, for production you may want to create an ldapquery user with fewer privileges than the zimbra user.
We use PureMessage, which I think is the software the e-mail appliance runs. It's pretty nice, and can integrate more with Zimbra than just authentication. Here are 2 more ways you can integrate it:
1. Valid users - you can produce a list of valid addresses from Zimbra for Sophos, which it will use to produce undeliverable DSN messages at the gateway instead of passing the mail on to Zimbra and making Zimbra reject it.
2. Address maps - if you're using the self-service quarantine, you need to make sure Sophos knows that spam it catches for a user's alias should be presented to the user when they log in. So it needs to map myalias1@domain.com and myalias2@domain.com to my actual account myaccount@domain.com.
You can set this up to do it live via LDAP, but Sophos support doesn't recommend this. Instead, you can run scripts on the Sophos server to import this data via LDAP every x minutes to keep it updated. This way, even if your Zimbra server is down, Sophos has everything it needs in its databases already.
klinet
Posts: 19
Joined: Fri Sep 12, 2014 10:38 pm

Sophos Email Appliance

Post by klinet »

Thanks for the suggestions, they have been very helpful. I am starting with the zimbra user and after all is working I will change to a different account.
When I try to log into the spam quarantine section of the appliance as a user, I see two errors in the Zimbra log...
Mar 30 10:53:30 mail2 slapd[3902]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied

Mar 30 10:53:30 mail2 slapd[3902]: conn=124636 op=1 do_bind: invalid dn (CN=toddkline,CN=Users,)
I am not sure if this is an issue with the LDAP attributes that i have added to the appliance or an issue on the Zimbra side.
Thanks

Todd
bdial
Elite member
Posts: 1633
Joined: Fri Sep 12, 2014 10:39 pm

Sophos Email Appliance

Post by bdial »

Weird, for some reason your appliance is trying to authenticate to Zimbra using OTP, which I think is like those RSA password token generators. Not sure where that setting would be, but I don't think Zimbra supports it, which is why you're getting that error.
catnipper
Advanced member
Posts: 71
Joined: Fri Sep 12, 2014 11:45 pm

Sophos Email Appliance

Post by catnipper »

I am not yet sure if groups are working as expected, but the following seems to work okay for user authentication and alias mapping...
It may certainly need some more understanding and evaluation in a production environment (not only a 12h test drive), but take it as a start:
DN to authenticate: uid=zimbra,cn=admins,cn=zimbra
Valid recipients: (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

Aliases:(&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

Retrieve user: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

User groups: (&(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))

Members of a group: (&(uid=%%GROUP_DN%%)(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))

SMTP Authentication: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))
(Attached screenshots of the appliance's directory settings pages: Screen shot 2010-12-09 at 11.30.21 AM.jpg, Screen shot 2010-12-09 at 11.31.37 AM.jpg)
nikhilvolga
Posts: 1
Joined: Sun Jan 21, 2018 9:00 am

Re: Sophos Email Appliance

Post by nikhilvolga »

The Sophos Email Appliance can use Zimbra directory services to enable user authentication and map mail policies to specific groups of users. Below are the steps to sync the Zimbra directory service to the Sophos Email gateway.

Log in to the Sophos Email appliance
1) Go to the menu SYSTEM --> Directory Service --> select Add
2) Select the option "configure directory server settings manually"
3) Fill in the following details under the Server Settings menu

##### Directory Services Settings #####
Server: IP address of your Zimbra server (should be the IP of the interface LDAP is bound to)
Port: 389
DN To Authenticate: uid=zimbra,cn=admins,cn=Zimbra
LDAP Password: run this command on the email server as the zimbra user: "zmlocalconfig -s | grep zimbra_ldap_password"

#### Attribute Settings ####
Base DN for users/groups: ou=people,dc=youremaildomain,dc=com (leave this field blank if you have multiple domains)
Account Attribute: uid
Email Attribute: mail
Email Alias Attribute: zimbraMailAlias
Group name attribute: uid

#### Click the Verify button to test the settings

4) Click the Next button to configure "Config Queries Settings" and fill in the details below

Valid recipients: (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

Aliases: (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

Retrieve user: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

User groups: (&(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))

Members of a group: (&(uid=%%GROUP_DN%%)(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))

SMTP Authentication: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))

### To test the query settings, put a distribution list name in the "Test %%GROUP_DN%%" box and click Run Queries

5) Save the settings and configure SMTP options as per the organization's requirements.
Additional notes for Sophos admins:

To enable recipient validation via directory services, go to the SMTP Options page in Sophos.
To enable web quarantine authentication via directory services, go to the User Preferences page.
To enable SMTP authentication via directory services, go to the SMTP Authentication page.


nikhilvolga@gmail.com
UAE
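The query templates posted by catnipper and nikhilvolga, together with the valid-user list and alias-to-account map bdial describes, can be exercised offline with the script below. It is an added example, not code from this thread, from Sophos or from Zimbra: the directory entries, the example.com addresses and the base DN are constructed, and it relies on Zimbra storing distribution-list members in the zimbraMailForwardingAddress attribute, which the posts do not mention. Besides running the posted filters it shows what happens when a %%USERNAME%% value is spliced into the "Retrieve user" filter without RFC 4515 escaping.

```python
"""Offline evaluator for the Zimbra LDAP queries quoted in this thread (added example,
not code from the thread, Sophos or Zimbra). Constructed entries, example.com domain."""
import re

BASE_DN = "ou=people,dc=example,dc=com"   # assumed base DN for the sample domain


def _account(uid: str, status: str, *aliases: str) -> dict:
    """Constructed zimbraAccount entry; attribute names lower-cased (LDAP is case-insensitive)."""
    return {"objectclass": ["zimbraAccount"], "uid": [uid], "mail": [uid + "@example.com"],
            "zimbramailalias": list(aliases), "zimbramailstatus": [status]}


DIRECTORY = {  # constructed sample directory
    "uid=alice," + BASE_DN: _account("alice", "enabled", "sales@example.com", "a.smith@example.com"),
    "uid=bob," + BASE_DN: _account("bob", "disabled"),      # disabled: not a valid recipient
    "uid=carol," + BASE_DN: _account("carol", "enabled"),
    "uid=staff," + BASE_DN: {                                # distribution list; Zimbra keeps
        "objectclass": ["zimbraDistributionList"],           # DL members in this attribute
        "uid": ["staff"], "mail": ["staff@example.com"],
        "zimbramailforwardingaddress": ["alice@example.com", "bob@example.com"],
        "zimbramailstatus": ["enabled"],
    },
}

QUERIES = {  # templates exactly as posted; note %%GROUP_DN%% is compared with uid, not a DN
    "valid_recipients": "(&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))",
    "retrieve_user": "(&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))",
    "members_of_group": "(&(uid=%%GROUP_DN%%)(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: bytes that would change the filter's structure become \\XX."""
    return "".join("\\%02x" % b if b in b"*()\\\x00" or b > 0x7E else chr(b)
                   for b in value.encode("utf-8"))


def _unescape(value: str) -> str:  # inverse of the above for single-byte values
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str, pos: int = 0):
    """Parse one parenthesised filter starting at pos; return (node, index after it)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    op = text[pos + 1]
    if op in "&|":
        pos, children = pos + 2, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (op, children)
    elif op == "!":
        child, pos = parse_filter(text, pos + 2)
        node = ("!", child)
    else:                                    # equality item, or presence when the value is '*'
        end = text.index(")", pos)           # an escaped value never contains a bare ')'
        attr, _, value = text[pos + 1:end].partition("=")
        node = ("present", attr.lower()) if value == "*" else ("=", attr.lower(), _unescape(value))
        pos = end
    if text[pos] != ")":
        raise ValueError("expected ')' at %d" % pos)
    return node, pos + 1


def matches(entry: dict, node) -> bool:
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    if kind == "present":
        return bool(entry.get(node[1]))
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))


def search(filter_text: str, base_dn: str = BASE_DN) -> list:
    """Subtree search: sorted DNs under base_dn whose entry matches the filter."""
    node, _ = parse_filter(filter_text)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.lower().endswith(base_dn.lower()) and matches(entry, node))


def valid_recipients() -> list:
    """Addresses the gateway may accept: primary mail plus every zimbraMailAlias."""
    return sorted(a.lower() for dn in search(QUERIES["valid_recipients"])
                  for a in DIRECTORY[dn]["mail"] + DIRECTORY[dn]["zimbramailalias"])


def alias_map() -> dict:
    """alias -> primary address, so quarantine caught for an alias shows up for the account."""
    return {alias.lower(): DIRECTORY[dn]["mail"][0].lower()
            for dn in search(QUERIES["valid_recipients"])
            for alias in DIRECTORY[dn]["zimbramailalias"]}


def retrieve_user(username: str) -> list:
    """The posted 'Retrieve user' query with the username escaped (what the appliance must do)."""
    return search(QUERIES["retrieve_user"].replace("%%USERNAME%%", escape_filter_value(username)))


def group_members(group_uid: str) -> list:
    """Resolve a DL by uid (the posted %%GROUP_DN%% query) and return its members."""
    flt = QUERIES["members_of_group"].replace("%%GROUP_DN%%", escape_filter_value(group_uid))
    return sorted(a for dn in search(flt) for a in DIRECTORY[dn]["zimbramailforwardingaddress"])
```

The same filters can be checked against a live server with `ldapsearch -x -LLL -H ldap://zimbraserver.yourdomain.com:389 -D uid=zimbra,cn=admins,cn=zimbra -W -b ou=people,dc=yourdomain,dc=com '(&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))' mail zimbraMailAlias`. Two points the posts leave implicit: a bare `*` (or `)(`) in the username changes the filter instead of matching a literal, so `retrieve_user("*")` returns nothing while the unescaped substitution returns every enabled account, and whatever fills %%USERNAME%% has to escape it; and binding on port 389 with zimbra_ldap_password hands the appliance the directory's admin credential in the clear, so the read-only bind account gnyce and bdial suggest, over LDAPS or STARTTLS, is the production configuration.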