
LDAPS / LDAP signing

We currently use LDAP (/adirectory) over port 389 with our domain controller for the recipient verification filter in the SMTP module. Since Microsoft will start enforcing LDAP signing in March, I've created a new authentication server entry with port 636 and SSL:


I also imported the CA certificate from our domain controller (which doubles as an internal CA):

The server test passes but when I switch to the new configuration, mails don't get rejected anymore. From this thread I've gathered that it was still a known issue in 2016:
https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/83298/ldaps-and-smtp-active-directory-recipient-verification

I was gonna check if it's still an issue, but the page for LDAP (under "Sophos UTM 9 > Authentication > LDAP") is not there:
https://community.sophos.com/kb/en-us/124067



Info about MS patch:
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
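As an added diagnostic (not from the original post, Sophos or Microsoft), the two checks the setup above depends on can be run from any Linux box with OpenSSL and OpenLDAP tools, independently of the UTM: does the DC's certificate chain validate against the exported CA, and does a recipient lookup over port 636 return an object. The DC name, CA file path, bind DN, base DN and the mail/proxyAddresses filter are assumptions to adjust.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: checks LDAPS chain validation and a
# recipient lookup against the DC, so a failure can be placed on the DC side or
# on the UTM SMTP proxy side. All values below are assumed placeholders.
DC_HOST="${DC_HOST:-dc01.example.internal}"                         # assumed DC
CA_FILE="${CA_FILE:-./dc-ca.pem}"                                    # CA exported from the DC
BIND_DN="${BIND_DN:-CN=utm-ldap,CN=Users,DC=example,DC=internal}"    # assumed bind account
BASE_DN="${BASE_DN:-DC=example,DC=internal}"                         # assumed search base

# Build the AD lookup filter for one recipient address.
# Assumed filter: match the primary mail attribute or an smtp: proxy address.
recipient_filter() {
    addr="$1"
    printf '(|(mail=%s)(proxyAddresses=smtp:%s))' "$addr" "$addr"
}

# Step 1: does the DC present a chain that the exported CA validates?
# "Verify return code: 0 (ok)" is what a strict LDAPS client needs to see;
# a non-zero code here means the handshake will fail no matter what the UTM does.
ldaps_handshake_ok() {
    openssl s_client -connect "$DC_HOST:636" -servername "$DC_HOST" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Step 2: does a recipient lookup over ldaps:// return a DN for a known-good address?
# -W prompts for the bind password so it never lands in shell history.
recipient_exists() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -H "ldaps://$DC_HOST:636" \
        -D "$BIND_DN" -W -b "$BASE_DN" "$(recipient_filter "$1")" dn 2>/dev/null \
        | grep -q '^dn:'
}

# Usage (after sourcing the file): main alice@example.com
main() {
    if ldaps_handshake_ok; then
        echo "LDAPS handshake and chain: OK"
    else
        echo "LDAPS handshake FAILED (check CA file / DC certificate)"; return 1
    fi
    if recipient_exists "$1"; then
        echo "recipient found: $1"
    else
        echo "recipient NOT found (verifier would bounce): $1"; return 2
    fi
}
```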

  • I made the changes and restarted the UTM, the new config works for AD syncs but as soon as I switch to the new config for recipient verification, I see SSL handshakes failing in the SMTP proxy log (and the recipient verification doesn't work, i.e. I get bounced messages):


    Update: Never mind, didn't properly elevate my privileges before making the changes. [8-)]

  • Hello Sophos, this is an old and annoying bug and still happens with 9.701-6.

    LDAPS connections work great, but not for SMTP recipient validation.

    In relation to the forthcoming LDAP signing recommendations by Microsoft, it would be great if you could fix this.