search cancel

%s and %d macros not expanded as expected in SMTP AUTH LDAP query


Article ID: 163721


Updated On:


Messaging Gateway


The Authenticated SMTP relay is not authenticating senders as expected. Some senders may not be able to authenticate as expected other email senders may be able to exploit the authenticated relay if they know the credentials for a local account.


The Directory Integration component of Messaging Gateway (SMG) makes use of a number of macros to form the LDAP queries used to identify and authenticate senders for SMTP Authentication. The most commonly used macros are:

%u - the user part of the authentication string (everything to the left of the '@' sign if an email address is used)
%d - the domain part of the authentication string (everything to the right of the '@' sign if an email address is used)
%s - the full string used for authentication

In the default configuration SMTP Authentication uses the following LDAP filter to identify the account associated with the sender address: (|(sAMAccountName=%u)(userPrincipalName=%s))

To authenticate, the sender provides either a username or an email address and a password for authentication. When a simple user name rather than an email address is used for authentication, both the %u and %s macros are set to the username and the %d macro remains unset.

For example, a sender with the email address "[email protected]" authenticating with the username "sales", the default LDAP query expands to (|(sAMAccountName=sales)(userPrincipalName=sales)).

In this case, the %d macro is not expanded at all and is instead passed to the LDAP server as the string "%d" rather than the expected empty string.


This failure to expand the %d macro when the domain part of the authentication username is absent is a known issue and will be addressed with a later release.

If the SMTP relay authentication is not working as expected, you can modify the default query filter to allow SMG to uniquely identify the account using solely the contents of the %u macro i.e. the user part of the email address. The details of this custom LDAP query filter will likely be unique to the individual environment and so a general replacement query filter cannot be provided here. Please consult with your directory administrator to determine what query filter will work in your environment if the default query filter is not operating as expected.

Please subscribe to this article to be automatically notified of any updates.