LDAPS / LDAP signing

We currently use LDAP (/adirectory) over port 389 with our domain controller for the recipient verification filter in the SMTP module. Since Microsoft will start enforcing LDAP signing in March, I've created a new authentication server entry with port 636 and SSL:
I also imported the CA certificate from our domain controller (which doubles as an internal CA):

The server test passes but when I switch to the new configuration, mails don't get rejected anymore. From this thread I've gathered that it was still a known issue in 2016:
https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/83298/ldaps-and-smtp-active-directory-recipient-verification

I was gonna check if it's still an issue but the page for LDAP (under "Sophos UTM 9 > Authentication > LDAP") is not there:
https://community.sophos.com/kb/en-us/124067
Info about MS patch:
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
  • Have you tried out the workaround? It should fix the problem

    Keep in mind it’s not update proof and unwanted changes are outside of the support.
    Option 1: Switch to non encrypted LDAP connections or recipient verification with callout.
    Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf

    TLS_REQCERT allow

    According to linux.die.net/.../ldap.conf: "TLS_REQCERT <level> Specifies what checks to perform on server certificates in a TLS session, if any.

    The <level> can be specified as one of the following keywords: ... allow: The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally."
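The quoted ldap.conf(5) text is the whole point of the caveat in this reply: with `TLS_REQCERT allow` the connection to port 636 is encrypted, but the client no longer cares which server it is talking to. The small Python script below is an added example (not from the thread, not Sophos code) that parses an OpenLDAP client `ldap.conf` the way the library does (case-insensitive directive, last occurrence wins) and reports whether the configured level still verifies the directory server's certificate. The chroot path is the one named in the reply; the two sample configurations, including the CA file name, are constructed, and the "hardened" one shows the alternative of keeping `demand` and pointing `TLS_CACERT` at the imported AD CA certificate instead of relaxing the check.

```python
# Added example (not from the Sophos thread): audit an OpenLDAP client
# ldap.conf for how strictly the LDAPS server certificate is checked.
# The path /var/chroot-smtp/etc/openldap/ldap.conf comes from the thread;
# the two sample configurations below are constructed for this example.

# TLS_REQCERT levels as documented in ldap.conf(5):
#   never       - no certificate requested, nothing checked
#   allow       - certificate requested, but a missing or bad one is ignored
#   try         - missing certificate is fine, a bad one ends the session
#   demand/hard - a valid certificate is required (demand is the default)
WEAK_LEVELS = {"never", "allow"}
PARTIAL_LEVELS = {"try"}
STRICT_LEVELS = {"demand", "hard"}

# Constructed sample: the thread's workaround. LDAPS now connects, but the
# client silently accepts whatever certificate the server presents.
WORKAROUND_CONF = """\
# /var/chroot-smtp/etc/openldap/ldap.conf (constructed sample)
TLS_REQCERT allow
"""

# Constructed sample: keep strict checking and point the client at the
# imported AD CA certificate (the file name is a placeholder).
HARDENED_CONF = """\
# /var/chroot-smtp/etc/openldap/ldap.conf (constructed sample)
TLS_CACERT /etc/openldap/certs/internal-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for an ldap.conf body.

    Directives are case-insensitive and the last occurrence wins,
    matching how the OpenLDAP client library reads the file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_tls(settings):
    """Return a list of findings; an empty list means certificate checking is sound."""
    findings = []
    level = settings.get("TLS_REQCERT", "demand").lower()  # demand is the default
    has_trust_anchor = "TLS_CACERT" in settings or "TLS_CACERTDIR" in settings

    if level in WEAK_LEVELS:
        findings.append(
            f"TLS_REQCERT {level}: server certificate is not verified, so the "
            "client cannot tell the real directory server from an impostor"
        )
    elif level in PARTIAL_LEVELS:
        findings.append(f"TLS_REQCERT {level}: a server that sends no certificate is accepted")
    elif level not in STRICT_LEVELS:
        findings.append(f"TLS_REQCERT {level}: unrecognised level")
    elif not has_trust_anchor:
        # Strict checking with no CA configured is the usual reason the
        # "just allow it" workaround gets applied in the first place.
        findings.append(
            "TLS_REQCERT demand/hard without TLS_CACERT or TLS_CACERTDIR: the "
            "internal CA is not trusted, so every LDAPS connection will fail"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND_CONF), ("hardened", HARDENED_CONF)):
        result = audit_tls(parse_ldap_conf(conf))
        print(f"{name}: {result or 'OK'}")
```

Running it prints one finding for the workaround configuration and `OK` for the hardened one. The script only reads the file; it says nothing about whether the UTM's SMTP chroot actually honours the directive across updates, which is the other caveat the reply raises.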

  • It should be update proof. I would not consider doing this, a bug fix by Sophos would be appreciated.

    So, LDAPS works so far in my tests, but not for email address verification. I changed to SMTP verification against Exchange, but keep in mind that recipient verification in Exchange does not work as expected (since 2013):

    - you have to enable antispam agents and configure recipient verification

    - it does not work with frontend connectors, only with backend connectors or edge-server
