
LDAPS and SMTP Active Directory recipient verification

I am currently migrating mail from a dedicated ES100 to Sophos UTM.

On the ES100, Active Directory sync is set to LDAPS 2369,

and the gateway correctly rejects email addresses not in Active Directory.

On the UTM I had LDAPS 636 for authentication services; however, it doesn't work, it only works with the standard LDAP port 389.

The behaviour is also strange in that it fails to get a response from AD so it just passes the mail anyway; I would expect the opposite,

that if it can't get a response from AD it should drop the mail...

 

community.sophos.com/.../smtp-proxy-ad-recipient-verification-ldaps-failing

and


https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/49883/recipient-verification-fails-with-ldaps

Both posts seem to suggest it should have been fixed a long time ago.

Am I right in thinking it is still not fixed? Support LDAPS for SMTP recipient authentication.



  • Neil,

    According to the 'Known Issue List' available in the 'Support' section:

    ID24065 9.004 Regression from V8: Recipient Verification against AD not working with LDAP-SSL
    ------------------------------------------------------------------------
    Description:  SMTP recipient verification against AD is not working with
                  LDAP-SSL.
    Workaround:   Option 1: Switch to non encrypted LDAP connections or
                  recipient verification with callout.
                  
                  Option 2: Add the following line to
                  /var/chroot-smtp/etc/openldap/ldap.conf
                  
                  TLS_REQCERT allow
                  
                  According to linux.die.net/.../ldap.conf :
                  
                  TLS_REQCERT <level>
                                Specifies what checks to perform on server
                  certificates in a TLS session, if any. The <level> can be
                  specified as one of the following keywords:
                  ...
                  allow
                    The server certificate is requested. If no certificate
                  is provided, the session proceeds normally. If a bad
                  certificate is provided, it will be ignored and the
                  session proceeds normally.
    Fixed in:
    

    Not fixed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
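As an added illustration (not from the Known Issue List or from either poster), here is the workaround line beside a hardened form. `TLS_REQCERT allow` keeps the LDAPS session encrypted but, per the ldap.conf semantics quoted above, ignores a bad server certificate, so the SMTP proxy would equally accept a certificate presented by anything that answers on port 636. The hardened form requires a certificate chaining to the AD issuing CA. The CA file name, its location, and the assumption that a missing CA inside the SMTP chroot is what makes verification fail are all assumptions for this example; the thread does not establish the root cause.

```conf
# /var/chroot-smtp/etc/openldap/ldap.conf  (path as given in the known-issue workaround)
# Added example, not Sophos-supplied configuration.

# --- Option 2 from the Known Issue List (weak) ---
# Encrypts the session but accepts any certificate, including a forged one,
# so the directory the proxy talks to is never authenticated.
TLS_REQCERT allow

# --- Hardened form (assumed paths) ---
# Demand a server certificate that verifies against the configured CA and
# whose name matches the DC hostname the UTM connects to; 'demand' is also
# the OpenLDAP default, so the failure with LDAPS implies this check failed.
TLS_REQCERT demand
# The path is as seen from inside the chroot. On the appliance filesystem the
# file would therefore be /var/chroot-smtp/etc/openldap/ad-ca.pem (assumption:
# the SMTP proxy reads this ldap.conf from within the chroot).
TLS_CACERT /etc/openldap/ad-ca.pem
```

Either variant is a hand edit on the appliance, so Bob's note about `/etc/openldap/ldap.conf.default` and Neil's concern about edits being wiped on update apply to the hardened form just as much as to the workaround. With `demand`, the AD server in the UTM's authentication settings also has to be the FQDN present in the DC's certificate rather than an IP address.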
  • So a regression from Astaro code, i.e. a feature they didn't bother porting.

    Also, it's a feature of the ES100 mail gateway software that works perfectly.

    So let me get this straight: a security company wants you to sync your Active Directory with your external gateway without SSL?

    Regardless of whether this is a big risk or not, this is basics.....

    So will / has this feature been added to Sophos XG Firewall? Chances of it ever making it into UTM seem remote at this stage in the game.

    I love the way resellers / sales people gloss over all this.

    ES100? You don't need that anymore, yeah yeah, the Sophos UTM has exactly the same functionality.

    Sophos XG? Yeah yeah, the Sophos XG has exactly the same functionality as UTM.

  • Don't tar us all with the same brush, Neil!

    My post above includes the "fix" for now. I'm not sure when that directory is created, so you might want to also modify /etc/openldap/ldap.conf.default.

    The one thing I know that the es100 does better is flexibility with SPX.

    Cheers - Bob
  • Sorry Bob,

    I appreciate your replies; I wasn't having a go at you, more at Sophos itself.

    We have the hardware appliances, so I don't like to change any parameters if I can help it,

    especially if the changes will get wiped on update...