LDAPS / LDAP signing

Question

We currently use LDAP (/adirectory) over port 389 with our domain controller for the recipient verification filter in the SMTP module. Since Microsoft will start enforcing LDAP signing in March, I've created a new authentication server entry with port 636 and SSL:

I also imported the CA certificate from our domain controller (which doubles as an internal CA): 
 
 The server test passes but when I switch to the new configuration, mails don't get rejected anymore. From this thread I've gathered that it was still a known issue in 2016: https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/83298/ldaps-and-smtp-active-directory-recipient-verification I was gonna check if it's still an issue but the page for LDAP (under "Sophos UTM 9 > Authentication > LDAP") is not there: https://community.sophos.com/kb/en-us/124067 Info about MS patch: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Jaydeep · Accepted Answer

This is still a known issue. Please refer NUTML-11946 for UTM 9 in KIL list.

GwynBleidd · Answer

Have you tried out the workaround? It should fix the problem

Keep in mind it’s not update proof and unwanted changes are outside of the support.

Option 1: Switch to non encrypted LDAP connections or recipient verification with callout.

Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf

TLS_REQCERT allow

According to linux.die.net/.../ldap.conf : TLS_REQCERT <level> Specifies what checks to perform on server certificates in a TLS session, if any.

The <level> can be specified as one of the following keywords: ... allow The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.