We currently use LDAP (/adirectory) over port 389 with our domain controller for the recipient verification filter in the SMTP module. Since Microsoft will start enforcing LDAP signing in March, I've created a new authentication server entry with port 636 and SSL:
I also imported the CA certificate from our domain controller (which doubles as an internal CA):
The server test passes, but when I switch to the new configuration, mails don't get rejected anymore. From this thread I've gathered that it was still a known issue in 2016:
https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/83298/ldaps-and-smtp-active-directory-recipient-verification
I was gonna check if it's still an issue, but the page for LDAP (under "Sophos UTM 9 > Authentication > LDAP") is not there:
https://community.sophos.com/kb/en-us/124067
Info about the MS patch:
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
This is still a known issue. Please refer to NUTML-11946 for UTM 9 in the KIL list.
In reply to Jaydeep:
I made the changes and restarted the UTM, the new config works for AD syncs but as soon as I switch to the new config for recipient verification, I see SSL handshakes failing in the SMTP proxy log (and the recipient verification doesn't work, i.e. I get bounced messages):
Update: Never mind, I didn't properly elevate my privileges before making the changes.
In reply to jmu:
Hello Sophos, this is an old and annoying bug and it still happens with 9.701-6.
LDAPS connections work great, but not for SMTP recipient validation.
In relation to the forthcoming LDAP signing recommendations by Microsoft, it would be great if you could fix this.
Have you tried out the workaround? It should fix the problem.
Keep in mind it's not update-proof, and unwanted changes are outside of support.
Option 1: Switch to non encrypted LDAP connections or recipient verification with callout.
Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf
According to linux.die.net/.../ldap.conf: TLS_REQCERT <level> specifies what checks to perform on server certificates in a TLS session, if any.
The <level> can be specified as one of the following keywords: ... allow: The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
One also might consult Doug Foster's Sophos UTM: Using LDAP with Active Directory.
Cheers - Bob
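For anyone weighing that workaround, here is an added example (not from this thread, Sophos or OpenLDAP) that parses an OpenLDAP ldap.conf and reports how much server authentication each TLS_REQCERT level leaves in place; the sample config and CA path are constructed, and the level semantics follow ldap.conf(5).

```python
# Audit the TLS_REQCERT setting of an OpenLDAP ldap.conf (added example).
# level -> (missing server cert tolerated, bad/untrusted server cert tolerated),
# per ldap.conf(5); "demand" is the default when the option is absent.
TLS_REQCERT_LEVELS = {
    "never":  (True,  True),   # certificate not requested at all
    "allow":  (True,  True),   # requested; missing or bad cert is ignored
    "try":    (True,  False),  # requested; missing is fine, bad aborts
    "demand": (False, False),  # requested; missing or bad aborts (default)
    "hard":   (False, False),  # same as demand
}

# Constructed sample of /var/chroot-smtp/etc/openldap/ldap.conf after the
# workaround; the CA path is hypothetical.
WORKAROUND_CONF = """\
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT allow
"""

def parse_ldap_conf(text):
    """Return {OPTION: value} for an ldap.conf; comments stripped, last wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_tls_reqcert(text):
    """Report whether the client still authenticates the LDAPS server."""
    opts = parse_ldap_conf(text)
    level = opts.get("TLS_REQCERT", "demand").lower()
    if level not in TLS_REQCERT_LEVELS:
        raise ValueError(f"unknown TLS_REQCERT level: {level!r}")
    missing_ok, bad_ok = TLS_REQCERT_LEVELS[level]
    finding = None
    if bad_ok:
        finding = f"TLS_REQCERT {level}: an untrusted or forged server certificate is accepted"
    elif missing_ok:
        finding = f"TLS_REQCERT {level}: a server presenting no certificate is accepted"
    return {
        "level": level,
        "verifies_server": not (missing_ok or bad_ok),
        "ca_configured": "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts,
        "finding": finding,
    }

if __name__ == "__main__":
    print(audit_tls_reqcert(WORKAROUND_CONF))
```

With "allow", the imported CA certificate is effectively unused for the SMTP proxy's LDAPS session, so the workaround trades certificate validation for a working handshake.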
In reply to GwynBleidd :
Microsoft will stop LDAP soon:
Thus it's necessary that our UTM allows LDAPS for SMTP Recipient Verification.
It should be update-proof. I would not consider doing this; a bug fix by Sophos would be appreciated.
So, LDAPS works so far in my tests, but not for email address verification. I changed to SMTP verification against Exchange, but keep in mind that recipient verification in Exchange does not work as expected (since 2013):
- you have to enable antispam agents and configure recipient verification
- it does not work with frontend connectors, only with backend connectors or edge-server
In reply to Dr No:
Sophos confirmed that this is a known bug. But they couldn't say when it will be fixed.