LDAP allows your email users to log in to the EuropeanMX spam panel using their existing email credentials. This means that users only have to remember one set of credentials instead of two.
Please note: Currently we can only offer LDAP for AD (Microsoft), OpenLDAP and Zimbra!
2-factor authentication can also be used with LDAP. However, password changes or resets are no longer possible because the credentials are stored and managed on your LDAP server. Normally, e-mail users cannot be added or simply removed, as they are automatically added again when LDAP is activated. The only reason to add one or more users is to prevent them from logging into the EuropeanMX spam panel. To do this, you can simply set the status to inactive.
LDAP is only supported at email user level. Access for the domain admin is not supported by LDAP. For this reason, your e-mail address (e.g. firstname.lastname@example.org) must also be used as the user name. So for LDAP integration to work with our spam panel, the LDAP server must authenticate an email address, not the user name.
How can I enable LDAP authentication?
Log into the spam panel as domain admin and select "Manage e-mail users" under "Web interface user". In this view you can find the option "LDAP authentication". You must add the following values there:
- Authentication mode: Select the "AD" mode when using Active Directory (e.g. Exchange). Use the "LDAP" mode with a simple LDAP (e.g. Zimbra or OpenLDAP).
- Domain Controller: The host name and port (optional) of your LDAP server must be added here. If your LDAP controller can be reached at ldap.example.de and uses port 389 (unsecured) or port 636 (secured via TLS), then the value to be entered must be "ldap.example.de:636".
- Security protocol: If you want to use a secure connection for LDAP authentication, select either TLS or SSL here.
- Bind DN: This should be the starting point of the DNs, which contains all users of your domain and no foreign users. If the DN of the user is "CN=test,CN=users,DC=exchange,DC=example,DC=de", then the value of this field should be "CN=Users,DC=exchange,DC=example,DC=de".
- Basic search: An LDAP attribute that uniquely identifies a user should be used here.
  - If the user is e.g. "email@example.com" and has an LDAP attribute such as "sAMAccountName: test", then the correct value of the basic search is sAMAccountName.
  - If there is no such attribute available, but there is one that also uses the domain, you can also append the domain name (e.g. userPrincipalName: firstname.lastname@example.org).
  - Other possible values include sAMAccountName, CN, UID.
Once LDAP is set up, the credentials are automatically verified by us the first time an email user attempts to connect.
What are the requirements for using LDAP synchronization?
- All fields must be filled correctly in the LDAP settings.
- Your LDAP server must allow registration with the e-mail address in the following format: email@example.com.
- An LDAP attribute must be used that uniquely identifies the user with or without specifying a domain. For example, sAMAccountName=test or userPrincipalName=firstname.lastname@example.org.
- Users' email addresses can be different from the current LDAP user. In these cases, however, the user must continue to use the logon data of the LDAP user and not that of the e-mail address.
- The users must have the mail LDAP attribute.
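The following is an added example, not EuropeanMX code: a small offline pre-flight check for the "Bind DN" and "Basic search" values described above and in the requirements list. It assumes the lookup is an ordinary LDAP filter on the chosen attribute, with the login value escaped per RFC 4515 so it can only match literally; the function names and the address test@example.de are constructed for illustration.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def escape_filter_value(value: str) -> str:
    """Escape a login value so it can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(attribute: str, email: str, with_domain: bool = False) -> str:
    """Build the filter for a "Basic search" attribute from the login address.

    with_domain=False matches on the local part (e.g. sAMAccountName),
    with_domain=True on the full address (e.g. userPrincipalName).
    """
    if not _ATTR_NAME.match(attribute):
        raise ValueError(f"not an LDAP attribute name: {attribute!r}")
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    value = email if with_domain else local
    return f"({attribute}={escape_filter_value(value)})"


def _rdns(dn: str) -> list[str]:
    # Assumption: no escaped commas inside RDN values (true for the page's examples).
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_under_base(user_dn: str, base_dn: str) -> bool:
    """True if user_dn lies strictly below base_dn (compared case-insensitively)."""
    user, base = _rdns(user_dn), _rdns(base_dn)
    return len(user) > len(base) > 0 and user[-len(base):] == base


if __name__ == "__main__":
    base = "CN=Users,DC=exchange,DC=example,DC=de"  # value from the page
    print(is_under_base("CN=test,CN=users,DC=exchange,DC=example,DC=de", base))
    print(search_filter("sAMAccountName", "test@example.de"))  # constructed address
```

A user DN that fails is_under_base lies outside the configured starting point and would not be found by a search beneath it.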
Single sign-on alternatives:
- If you have the LDAP user names and passwords and you want to provide a new mailbox, you can synchronize the logins with the API or simply forward the details via API.
- EuropeanMX has a feature to automatically activate reporting for a new recipient and send the user a welcome message by email with the required credentials. By activating this function, all valid users of your domain are automatically added to the "Periodic User Report" overview. Subsequently, the user receives a daily or weekly e-mail with a summary of the received spam messages of his e-mail address. Furthermore, as soon as the first spam message is detected, a welcome message is sent to the user to inform him about the activation of his personal quarantine. In addition, the message contains a login link with which he can log in directly to the spam panel. With the first login, the user is added to the "Manage e-mail users" list.
LDAP User Verification:
To avoid the need for data duplication, EuropeanMX uses advanced SMTP-based recipient verification calls. Your SMTP server does the local LDAP search to ensure that our system always processes the emails for your mailboxes correctly. To protect your SMTP and LDAP servers from flooding with queries, we have added advanced dictionary-attack handling to our system. This system is fully automatic; no access data from our side is required.