Setting up and testing Directory Harvesting - ORF Forums

Setting up and testing Directory Harvesting RSS Back to forum

1

I am setting up a test of ORF on our two Exchange 2010 Edge Transport servers.
How do I set up ORF for directory harvesting tests against our Active Directory?
How can I test to make sure it is working?

Thanks in advance!

by aflowers 6 years ago
2

Correction: After reading further, I think I mean the recipient validation test. How can I make sure that incoming email is accepted only for valid users. This is on the Edge Transport servers.

by aflowers 6 years ago
3

@aflowers: Since ORF cannot query the AD for the list of valid recipients from the Edge server, you should use one of the fallback options:

1. Add the list of valid recipient to the Recipient Blacklist and switch it to "Blacklist all addresses, except the list below" mode (http://vamsoft.com/r?o-hto-adm-recipientblacklist)
2. Compile a list of valid recipients and store them in a TXT file on the Edge server (http://vamsoft.com/r?o-hto-adm-recipientvalidationsrc-textfile)
3. Compile a list of valid recipients and store them in a SQL database (http://vamsoft.com/r?o-hto-adm-recipientvalidationsrc-sql)

If the list of valid recipients changes rarely, the first fallback option may work well (though the list of recipients should be maintained manually). However, if you add or remove valid recipients frequently and/or you have many recipients, 2) or 3) may work better.

E.g., you could query the AD for valid recipients on a back-end server (which have access to the Active Directory) and export the list to a TXT file (by using ldfide: http://technet.microsoft.com/en-us/library/cc731033(v=ws.10).aspx), then move over this TXT file to the Edge server and reinitialize the ORF Service to pick up the updated TXT file (orfeesvc -updateconfig). You can even build a batch/scheduled task for this to run in every hour.

The LDAP query which the Active Directory-based Recipient Validation of ORF uses is:

(&(&(mailNickName=*)(proxyAddresses=*))(|(|(objectCategory=user)(objectCategory=group))(objectCategory=publicFolder)))

This finds the ProxyAddress attribute of mail-enabled AD objects.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

4

@Krisztián Fekete (Vamsoft): Thanks for the quick reply!

Looks like the text option will be the easiest, but I will have to keep it updated on two edge servers.

If I use the SQL option, will it synchronize the lists automatically like it does the automatic whitelist?

by aflowers 6 years ago
(in reply to this post)

5

yes, that's one way to achieve this: you can have both Edge servers configured to check the same SQL database. Another option is using a simple TXT list of compiled addresses and utilize the Configuration Subscription feature (http://vamsoft.com/r?o-hto-configsync-general) to keep the two configurations in sync.

by Krisztián Fekete (Vamsoft) 6 years ago
6

I have went the text file route to get the two servers running ORF. In order to go to SQL, is all I have to do is put the text file entries into a SQL table?

by aflowers 6 years ago
7

@aflowers: Yes. Then you should:

1. Set the Recipient Validation test source to SQL (Blacklists / Recipient Validation, Validation source: SQL Database).
2. Enter the connection string (Blacklists / Recipient Validation, Validation source: SQL Database, Configure selected button, Connection tab).
3. Enter an SQL command which will return something when a recipient address is found, and nothing when it is not (Blacklists / Recipient Validation, Validation source: SQL Database, Configure selected button, Lookup command tab).

ORF will consider the recipient address valid, if the command results in 1 or more records and invalid if the resulting record set is empty. The first parameter in the lookup command must be the recipient email address.

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2