LDAPS / LDAP signing

We currently use LDAP (/adirectory) over port 389 with our domain controller for the recipient verification filter in the SMTP module. Since Microsoft will start enforcing LDAP signing in March, I've created a new authentication server entry with port 636 and SSL:


I also imported the CA certificate from our domain controller (which doubles as an internal CA):

The server test passes but when I switch to the new configuration, mails don't get rejected anymore. From this thread I've gathered that it was still a known issue in 2016:
https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/83298/ldaps-and-smtp-active-directory-recipient-verification

I was going to check if it's still an issue, but the page for LDAP (under "Sophos UTM 9 > Authentication > LDAP") is not there:
https://community.sophos.com/kb/en-us/124067



Info about MS patch:
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
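As an added example (not code from this thread or from Sophos), the following PowerShell script checks from a Windows admin host, independently of the UTM, the three things the setup described above depends on: what the domain controller will enforce for LDAP signing and channel binding after the KB4520412 change, whether an LDAPS handshake on 636 presents a certificate that chains to the imported internal CA, and whether a lookup of the kind recipient verification performs finds the address. It is useful for separating a DC-side problem from the UTM-side bug referred to in the replies. The names dc01.example.local, C:\certs\internal-ca.cer, DC=example,DC=local, svc-utm@example.local and alice@example.local are assumptions, and so is the mail/proxyAddresses filter: the thread does not show the filter the UTM itself uses.

```powershell
<#
Added example, not from the thread or from Sophos. Assumed names: dc01.example.local,
C:\certs\internal-ca.cer, DC=example,DC=local, svc-utm@example.local, alice@example.local,
and the mail/proxyAddresses filter (the UTM's own filter is not shown in the thread).
#>
param(
    [string]$DomainController = 'dc01.example.local',
    [int]   $Port             = 636,
    [string]$CaFile           = 'C:\certs\internal-ca.cer',
    [string]$BaseDn           = 'DC=example,DC=local',
    [string]$BindUser         = 'svc-utm@example.local',
    [string]$Recipient        = 'alice@example.local'
)

# --- 1. Signing / channel-binding policy on the DC (registry values from KB4520412) ------
# LDAPServerIntegrity: 1 = none (default), 2 = require signing for unsigned, non-TLS binds.
# LdapEnforceChannelBinding: 0 = never (default), 1 = when supported, 2 = always.
$policy = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        LDAPServerIntegrity       = $p.LDAPServerIntegrity        # $null means the default
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # $null means the default
    }
}
"DC requires signing: {0}; channel binding mode: {1}" -f ($policy.LDAPServerIntegrity -eq 2), $policy.LdapEnforceChannelBinding

# --- 2. LDAPS bind that trusts only the imported CA ---------------------------------------
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte, which satisfies the signing requirement
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.VerifyServerCertificate = {
    param($ldapConnection, $serverCertificate)
    # Once a callback is set, it decides acceptance, so both the chain and the host name are checked here.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($serverCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    # Let the chain build up to a root that is not in the machine store, then insist that root is our CA.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) { return $false }
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $nameOk = [bool]($cert.DnsNameList | Where-Object { $_.Unicode -eq $DomainController })
    return ($root.Thumbprint -eq $ca.Thumbprint) -and $nameOk
}.GetNewClosure()

$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, protected by TLS
$conn.Credential = (Get-Credential -UserName $BindUser -Message 'LDAP bind password').GetNetworkCredential()
$conn.Bind()   # throws LdapException if the handshake, the certificate check or the bind fails

# --- 3. The lookup recipient verification performs (filter is an assumption) --------------
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a crafted RCPT TO address cannot change the structure of the filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ([string]$ch -in @('*', '(', ')', '\', "`0")) { [void]$sb.AppendFormat('\{0:x2}', [int]$ch) }
        else                                              { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}
$addr   = ConvertTo-LdapFilterValue $Recipient
$filter = "(|(mail=$addr)(proxyAddresses=smtp:$addr))"
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('mail', 'proxyAddresses'))
$resp   = $conn.SendRequest($req)
if ($resp.Entries.Count -gt 0) { "Recipient ${Recipient}: found as $($resp.Entries[0].DistinguishedName)" }
else                           { "Recipient ${Recipient}: not found, so the SMTP proxy should reject it" }
$conn.Dispose()
```

Run it from a domain-joined host that can reach the DC on 636 and has WinRM access for the registry check. If the bind and the lookup succeed here with the same CA file and service account that were entered into the UTM, the DC, its certificate and the account are fine and what remains is the UTM side; if the bind fails inside the callback, the DC is presenting a certificate that does not chain to the CA that was imported, which is the same condition that shows up as a failed SSL handshake in the SMTP proxy log.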



  • This is still a known issue. Please refer to NUTML-11946 for UTM 9 in the KIL list.

    Regards

    Jaydeep

  • I made the changes and restarted the UTM, the new config works for AD syncs but as soon as I switch to the new config for recipient verification, I see SSL handshakes failing in the SMTP proxy log (and the recipient verification doesn't work, i.e. I get bounced messages):


    Update: Nevermind, didn't properly elevate my privileges before making the changes. [8-)]

  • Hello Sophos, this is an old and annoying bug, and it still happens with 9.701-6.

    LDAPS connections work great, but not for SMTP recipient validation.


    In relation to the forthcoming LDAP signing recommendations by Microsoft, it would be great if you could fix this.
