Recipient Verification Active Directory


We are using Sophos XG 230 on SFOS 18.04 MR-4.

If I try to set up Recipient Verification to AD, nothing happens.

Every mail is redirected to the Exchange 2016.

It does not check against additional SMTP addresses or anything.

Does anybody here have a working solution to this?

With kind regards, Alex

Edited TAGs
[edited by: emmosophos at 12:00 AM (GMT -7) on 5 May 2021]
  • Hi,

    Thanks for reaching out to the Community! 

    If you configured "In Active Directory" recipient verification, the firewall verifies the recipient of inbound emails with AD server over simple, SSL, and STARTTLS protocols. 

    Have you integrated your AD server with the firewall? 

    For recipient verification with "In Active Directory" to work, you would have to specify the AD server, bind DN, and base DN.

    The bind DN is the full distinguished name (DN), including the common name (CN) of the administrator user configured in the AD server that you’ve specified.


    Base DN is the base distinguished name (DN), which is the starting point of searches in the AD server.


    Reference document: Add an SMTP route and scan policy.



    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • It's all configured.

    Bind DN is the Administrator

    and Base DN is the starting point.

    I also get reject mails from the Exchange if the recipient is not valid, but not from the Sophos.

    The Sophos marks them all as green.


  • I would not recommend using an administrative account for this purpose because it is completely unnecessary. I'm using an unprivileged pseudo account "ldap" for read access to Active Directory (aka LDAP). A misspelled Bind DN is the most likely reason. You can double check in CMD with this:

    dsquery user -name ldap

    The same applies to the Authentication menu where you configure the Active Directory server(s).
    You can also use SSH to log in to the firewall and check /var/tslog/smtpd_main.log.
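The replies above boil the problem down to three values that must be right before "In Active Directory" recipient verification can do anything: a bind DN that exists and can authenticate, a base DN under which searches start, and recipients (including secondary proxy addresses) that are actually findable below that base. The following PowerShell script is an added example written for this thread, not code from Sophos or from any of the posters; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, and every DN, server name and address in it is a placeholder. The LDAP filter in step 4 is an assumption about what the firewall looks up (primary mail or a proxyAddresses entry); the thread does not state the exact attributes Sophos queries.

```powershell
# Added example (not from the thread): check the inputs that Sophos
# "In Active Directory" recipient verification depends on.
# Everything below is a placeholder; replace with your own values.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'                               # the AD server entered on the firewall
$BindDn           = 'CN=ldap,OU=Service Accounts,DC=example,DC=local'  # unprivileged read-only account, as suggested above
$BindUpn          = 'ldap@example.local'                               # same account, UPN form, used for the live bind test
$BaseDn           = 'DC=example,DC=local'                               # starting point for searches
$Recipient        = 'alias@example.com'                                # a secondary (proxy) address to test

# 1. Does the bind DN exist exactly as typed? A typo here is the usual reason
#    the firewall never rejects anything: the bind fails and no lookup happens.
try {
    $bind = Get-ADObject -Server $DomainController -Identity $BindDn -Properties userAccountControl
    $disabled = ($bind.userAccountControl -band 0x2) -ne 0        # 0x2 = ACCOUNTDISABLE
    "Bind DN found: $($bind.DistinguishedName) (disabled: $disabled)"
} catch {
    "Bind DN NOT found: $BindDn -> check spelling, OU path and DC= components"
}

# 2. Can that account actually authenticate and read below the base DN?
#    This is the same bind the firewall performs; you are prompted for the password.
$cred = Get-Credential -UserName $BindUpn -Message 'Password of the bind account'
try {
    $null = Get-ADObject -Server $DomainController -Identity $BaseDn -Credential $cred
    "Bind as $BindUpn succeeded and base DN $BaseDn is readable"
} catch {
    "Bind as $BindUpn FAILED or base DN $BaseDn unreadable: $($_.Exception.Message)"
}

# 3. Does the base DN exist at all? A wrong base returns no objects, so every
#    recipient looks unknown (or, depending on failure handling, accepted).
try {
    $null = Get-ADObject -Server $DomainController -Identity $BaseDn
    "Base DN found: $BaseDn"
} catch {
    "Base DN NOT found: $BaseDn"
}

# 4. Reproduce the recipient lookup. ASSUMED filter: primary mail attribute or
#    any proxyAddresses entry of the form smtp:<address>. Run it with the
#    bind account's credentials so a missing read permission shows up here too.
$filter = "(|(mail=$Recipient)(proxyAddresses=smtp:$Recipient))"
$hits = Get-ADObject -Server $DomainController -Credential $cred `
                     -LDAPFilter $filter -SearchBase $BaseDn `
                     -Properties mail, proxyAddresses
if ($hits) {
    foreach ($h in $hits) {
        "Recipient '$Recipient' resolves to $($h.DistinguishedName)"
        "  mail:           $($h.mail)"
        "  proxyAddresses: $($h.proxyAddresses -join ', ')"
    }
} else {
    "Recipient '$Recipient' NOT found under $BaseDn -> a working verification would reject it"
}
```

Run it once with a known-good primary address and once with a secondary address from proxyAddresses; if step 2 fails while step 1 succeeds, the DN is right but the password or read permission on the firewall side is not, and if step 4 finds nothing for an address Exchange accepts, the base DN is above or beside the OU that holds the mailbox objects. The firewall-side view of the same failures is the /var/tslog/smtpd_main.log mentioned above.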