
KB Article #176959

Filter out incoming mail for disabled Active Directory accounts

Problem

Every user returned by the LDAP query is treated as a valid recipient by MailGate, and mail is accepted for that user. Unless they are explicitly excluded by the query, Active Directory returns both enabled and disabled users, as long as they are within the search base and match the Alias Query Filter. Many administrators prefer to filter out disabled AD users, because accepting mail for them can cause queue buildup with undeliverable DSNs (for internal users who are no longer enabled) and thus degrade overall performance.

The default Alias Query Filter for Active Directory in MailGate is:

(proxyAddresses=smtp\3A%s)

Resolution

Administrators often use LDAP-query based Content Policies to filter out disabled users. However, unless the business case requires additional actions on such mail, accepting it at all is unnecessary, and the filtering can be done at the relay level by editing the Alias Query Filter.

Active Directory users have an attribute called UserAccountControl that dictates some behaviors and characteristics of the account. The value is a bitmask: each property flag corresponds to one bit, and the decimal value of the attribute is the sum of all flags set for the account. For example, the decimal value for a normal, enabled account is 512, and the decimal value of the "ACCOUNTDISABLE" property flag is 2. As a result, the UserAccountControl attribute of a disabled user in AD is the sum 512 + 2, i.e. 514.

More detailed information is available in the Microsoft Knowledgebase.

It is extremely important that administrators check the actual value of the UserAccountControl attribute of their disabled users in AD before applying changes to MailGate: the flags set on your accounts may differ from the default, and a disabled account with additional flags does not have the value 514.

Here are some of the possible decimal values:

Value    Account state
512      Enabled Account
514      Disabled Account
544      Enabled, Password Not Required
546      Disabled, Password Not Required
66048    Enabled, Password Doesn't Expire
66050    Disabled, Password Doesn't Expire
66080    Enabled, Password Doesn't Expire & Not Required
66082    Disabled, Password Doesn't Expire & Not Required
262656   Enabled, Smartcard Required
262658   Disabled, Smartcard Required
262688   Enabled, Smartcard Required, Password Not Required
262690   Disabled, Smartcard Required, Password Not Required
328192   Enabled, Smartcard Required, Password Doesn't Expire
328194   Disabled, Smartcard Required, Password Doesn't Expire
328224   Enabled, Smartcard Required, Password Doesn't Expire & Not Required
328226   Disabled, Smartcard Required, Password Doesn't Expire & Not Required

Once the value for the disabled users is determined, it can be excluded from the lookup through the Alias Query Filter. For the purpose of this article, we assume the value 514 (normal, disabled account) as an example. In this case, unless other rules or exclusions are needed, the query would be:

(&(|(mail=%s)(proxyAddresses=smtp\3A%s))(!(userAccountControl=514)))

Alternatively, the ACCOUNTDISABLE bit itself can be tested with the LDAP bitwise AND matching rule (OID 1.2.840.113556.1.4.803). This excludes every account whose userAccountControl has bit 2 set, whatever other flags are present, so it covers 514, 546, 66050, 262658 and the other "Disabled" values in the table above without listing each one. The query below also excludes contact objects (objectclass=contact), which have no userAccountControl attribute. Rewritten this way, the query is:

(&(|(mail=%s)(proxyAddresses=smtp\3A%s))(!(objectclass=contact))(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
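As an added illustration (not part of the original article and not MailGate's own code), the following Python models both Alias Query Filters above over a handful of constructed directory entries and shows why the equality form (!(userAccountControl=514)) still accepts a disabled account that carries extra flags, while the bitwise form rejects it. The sample entries, the example.test addresses and the escape_filter_value helper are assumptions made for the demonstration.

```python
ACCOUNTDISABLE = 2                       # userAccountControl flag for a disabled account
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP bitwise AND matching rule, as in the second filter

# Constructed sample entries (not real accounts); the values are decimal sums from the table above.
SAMPLE_ENTRIES = [
    {"mail": "alice@example.test", "objectClass": "user", "userAccountControl": 512},    # enabled
    {"mail": "bob@example.test",   "objectClass": "user", "userAccountControl": 514},    # disabled
    {"mail": "carol@example.test", "objectClass": "user", "userAccountControl": 66050},  # disabled, pwd never expires
    {"mail": "dave@example.test",  "objectClass": "user", "userAccountControl": 66048},  # enabled, pwd never expires
    {"mail": "info@example.test",  "objectClass": "contact"},                            # mail contact, no UAC
]
for _e in SAMPLE_ENTRIES:
    _e["proxyAddresses"] = ["SMTP:" + _e["mail"]]  # primary address as AD stores it

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for the address substituted into %s (assumed; how MailGate escapes is not on this page)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_alias_query(address: str, bitwise: bool) -> str:
    """Render either article filter with the recipient address substituted."""
    addr = escape_filter_value(address)
    base = f"(|(mail={addr})(proxyAddresses=smtp\\3A{addr}))"
    if bitwise:
        return f"(&{base}(!(objectclass=contact))(!(useraccountcontrol:{BIT_AND_RULE}:=2)))"
    return f"(&{base}(!(userAccountControl=514)))"

def _address_matches(entry: dict, address: str) -> bool:
    a = address.lower()  # mail and proxyAddresses match case-insensitively in AD
    return entry["mail"].lower() == a or any(p.lower() == "smtp:" + a for p in entry["proxyAddresses"])

def accepted(entry: dict, address: str, bitwise: bool) -> bool:
    """Evaluate the chosen filter against one entry the way the directory would."""
    if not _address_matches(entry, address):
        return False
    uac = entry.get("userAccountControl")
    if bitwise:
        if entry["objectClass"] == "contact":
            return False
        # (!(useraccountcontrol:...:=2)) rejects any value with the ACCOUNTDISABLE bit set;
        # an entry without the attribute has nothing to match, so the NOT keeps it
        return uac is None or (uac & ACCOUNTDISABLE) == 0
    return uac != 514  # (!(userAccountControl=514)) excludes only the exact value 514

def accepted_addresses(bitwise: bool, entries=SAMPLE_ENTRIES) -> list:
    """Run each entry's own address through the filter; returns the ones MailGate would accept."""
    return [e["mail"] for e in entries if accepted(e, e["mail"], bitwise)]
```

Under the equality filter carol (66050) is still accepted, which is exactly the queue-buildup case the article warns about; under the bitwise filter both bob and carol are rejected, and the contact object is dropped as well.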

To change the Alias Query Filter in MailGate, navigate to Administration > Directory Services > LDAP, click on the name of the desired LDAP server and expand the "Advanced Settings" section. The "Alias Query" field is located under "Filters".

Administrators are encouraged to test several enabled and disabled accounts with the "Email Lookup" tool on the same page immediately after changing the query, and to verify that the expected results are returned: an incorrect Alias Query Filter may cause MailGate to reject mail for valid users when recipient verification is enabled.