Is LDAP synchronization supported? How can we set this up?


LDAP allows your email users to log in to the EuropeanMX spam panel using their existing email credentials. This means that users only have to remember one set of credentials instead of two.


Currently we can only offer LDAP for AD (Microsoft), OpenLDAP and Zimbra!

2-factor authentication can also be used with LDAP. However, password changes or restores are no longer possible because the credentials are stored and managed on your LDAP server. Normally, e-mail users cannot be added or simply removed, as they are automatically added again when LDAP is activated. The only reason to add one or more users is to prevent them from logging into the EuropeanMX spam panel. To do this, you can simply set the status to inactive.

LDAP is only supported at email user level. Access for the domain admin is not supported by LDAP. For this reason, your e-mail address (e.g. test@example.de) must also be used as the user name. So for LDAP integration to work with our spam panel, the LDAP server must authenticate an email address, not the user name.

How can I enable LDAP authentication?

Log into the admin panel as domain admin and select Manage e-mail users under Users & Permissions. In this view you can find the option LDAP authentication. You must add the following values there:

  • Authentication mode: Select the mode AD when using Active Directory (e.g. Exchange). Use the mode LDAP with a simple LDAP (e.g. Zimbra or OpenLDAP).
  • Domain Controller: This option allows you to switch between using LDAP authentication for email users (if the domain controller is specified) and normal authentication (leave entry blank). To activate, please enter the IP or the host name of the domain controller. For example:
    • Domain controller: ldap.example.de
    • Port: 389 (insecure) or 636 (TLS)
    • e.g. ldap.example.de:636
  • Security protocol: If you want to use a secure connection for LDAP authentication, select either TLS or SSL here.
  • BaseDN: This should be the starting point of the DNs, which contains all users of your domain and no foreign users. If the DN of the user is CN=test,CN=users,DC=exchange,DC=example,DC=de, then the value of the field should be CN=Users,DC=exchange,DC=example,DC=de.
  • BindDN Format: If you want to override the bind username that is passed to your server, then you can use this option. For example, if your userPrincipalName format is user@domain.local, then enter %(user)s@domain.local.
  • Search Base: Enter here the LDAP/AD attribute that the service should search for at login time and which uniquely identifies your users. For example, if the user is test@bw.beispiel.de and there is an LDAP attribute such as sAMAccountName: test, then you can specify sAMAccountName in the field Search base. If there is no such attribute, but there is one that also contains the domain name (e.g. userPrincipalName: test@bw.beispiel.de), then you can use userPrincipalName=%n to append the domain name. Other possible values you can use are sAMAccountName, CN or uid.
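
The settings above can be sanity-checked offline before they are entered in the panel. The following is an added example, not EuropeanMX code: the function names and the dictionary keys are hypothetical, and it assumes that %(user)s stands for the local part of the address and that "attribute=%n" matches the full address. It flags a cleartext connection, checks that a sample user DN lies below the BaseDN (DN comparison is case-insensitive, as in the CN=users / CN=Users example), and escapes the login name before it is placed in a search filter.

```python
import re

def parse_dn(dn):
    """Split a DN into lowercased (attribute, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def is_under(user_dn, base_dn):
    """True if user_dn sits below base_dn; comparison is case-insensitive."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) > len(base) and user[-len(base):] == base

def escape_filter(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def preflight(settings, email, user_dn):
    """Return findings plus the bind name and search filter the settings imply."""
    local = email.partition('@')[0]
    port = settings['domain_controller'].partition(':')[2]
    findings = []
    if port in ('', '389') and not settings.get('security_protocol'):
        findings.append('port 389 without TLS/SSL: credentials sent in cleartext')
    if not is_under(user_dn, settings['base_dn']):
        findings.append('user DN is outside BaseDN')
    # Assumption: %(user)s is the local part; with no override the e-mail address is used.
    fmt = settings.get('binddn_format')
    bind = fmt % {'user': local} if fmt else email
    # Assumption: "attr=%n" matches the full address, a bare attribute the local part.
    attr, _, token = settings['search_base'].partition('=')
    value = email if token == '%n' else local
    return {'findings': findings, 'bind': bind,
            'filter': '(%s=%s)' % (attr, escape_filter(value))}

# Constructed sample built from the values used on this page.
SAMPLE = {'domain_controller': 'ldap.example.de:636', 'security_protocol': 'TLS',
          'base_dn': 'CN=Users,DC=exchange,DC=example,DC=de',
          'binddn_format': '%(user)s@domain.local', 'search_base': 'sAMAccountName'}
USER_DN = 'CN=test,CN=users,DC=exchange,DC=example,DC=de'

if __name__ == '__main__':
    print(preflight(SAMPLE, 'test@example.de', USER_DN))
```
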

Once LDAP is set up, the credentials are automatically verified by us the first time an email user attempts to connect.


If EuropeanMX is unable to connect to your LDAP server for any reason, the locally cached access data will be checked.


What are the requirements for using LDAP synchronization?

  • All fields must be filled correctly in the LDAP settings.
  • Your LDAP server must allow registration with the e-mail address in the following format: user@ldap.example.com.
  • An LDAP attribute must be used that uniquely identifies the user with or without specifying a domain. For example, sAMAccountName=test or userPrincipalName=user@ldap.example.de.
  • Users' email addresses can be different from the current LDAP user. In these cases, however, the user must continue to use the logon data of the LDAP user and not that of the e-mail address.
  • The users must have the mail LDAP attribute.


Single sign-on alternatives

  • If you have the LDAP user names and passwords and you want to provide a new mailbox, you can synchronize the logins with the API or simply forward the details via API.
  • EuropeanMX has a feature that automatically activates reporting for a new recipient and sends the user a welcome email with the necessary login details. The user then receives a daily or weekly email with a summary of the spam messages received by their email address. Furthermore, as soon as the first spam message is detected, a welcome message is sent to the user to inform them about the activation of their personal quarantine. The message also contains a login link that allows them to log in directly to the spam panel. When they log in for the first time, the user is added to the Manage Email Users list. For more information, see “How can I create Email Scout reports and have them sent to me?”.


LDAP User Verification

To avoid the need for data duplication, EuropeanMX uses advanced SMTP-based recipient verification calls. Your SMTP server does the local LDAP search to ensure that our system always processes the emails for your mailboxes correctly. To protect your SMTP and LDAP servers from being flooded with queries, we have added advanced dictionary-attack handling to our system. This system is fully automatic; no access data from our side is required.