One question regarding reciepient verification

For context, do you have a .CA certificate configured on your domain controller?

i don't have .CA certificate configured.

Hi Borut Zidaric 

Would you please create a case with Sophos Support? Once the case has been created, please message me the case number.

I have solved problem with option 2:

Option 1: Switch to non encrypted LDAP connections or recipient verification with callout. Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf TLS_REQCERT allow According to linux.die.net/.../ldap.conf : TLS_REQCERT <level>  Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords: ... allow  The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

NUTML-11946

I have solved problem with option 2:

Option 1: Switch to non encrypted LDAP connections or recipient verification with callout. Option 2: Add the following line to /var/chroot-smtp/etc/openldap/ldap.conf TLS_REQCERT allow According to linux.die.net/.../ldap.conf : TLS_REQCERT <level>  Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords: ... allow  The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

NUTML-11946

Is it therefore appropriate to conclude that when SMTP Proxy uses secure LDAP, it performs certificate verification by default, while the  authentication services do not?   So the third option would be to use a valid CA certificate.