
Sophos UTM Email Protection: Verify recipients with LDAP SSL

Sophos UTM Email Protection contains a bug that causes recipient verification to be skipped: when recipients are verified against Active Directory and the LDAP query is made via SSL, no verification of the recipients takes place at all. These are the problematic settings:

In the Email Protection live log, this shows up as the following entries:

2016:11:16-20:45:43 utm exim-in[25000]: 2016-11-16 20:45:43 [127.0.0.1] F= R= Verifying recipient address in Active Directory 
2016:11:16-20:45:43 utm exim-in[25000]: 2016-11-16 20:45:43 H=mx.frankysweb.com [127.0.0.17]:46804 Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server 127.0.0.2:636 - ldap_bind() returned -1 

The query of the domain controller fails and the recipient verification is skipped.

Recipient check via server request (CallOut)?

The behavior is particularly unpleasant with Exchange 2013 and Exchange 2016, because recipient verification via CallOut (with server request) is difficult to implement without an Edge Transport Server.

Recipient validation only takes place at the Hub Transport connector, not at the FrontEnd, so Exchange always responds with "250 Recipient OK". The lack of recipient validation on the Exchange side is due to the architecture: a mail is always accepted by the "Default Frontend" receive connector and forwarded unchecked to the "Default" receive connector:

In this case, recipient verification is therefore always successful for the UTM's Mail Protection, as the recipient is only validated by the downstream connector. This is also the case if the Exchange AntiSPAM Agents are installed.

Disable LDAP SSL?

Uh? No, because NO!

Customize Sophos UTM Mail Protection (workaround)

Customizing the UTM configuration via shell will probably cause problems with support, which is already indicated at login:

NOTE: If not explicitly approved by Sophos support, any modifications
done by root will void your support.

The procedure should therefore be discussed with Support. I only have the Home version, so I can't fall back on the support anyway.

After obtaining root rights on the shell with "sudo su -", the following file can be edited with vi:

vi /var/chroot-smtp/etc/openldap/ldap.conf

The following line is added to the file:

TLS_REQCERT allow

Then save the file and restart Mail Protection. Now the recipient check via LDAP SSL also works:

2016:11:16-20:46:23 utm exim-in[24512]: 2016-11-16 20:46:23 [127.0.0.1] F= R= Verifying recipient address in Active Directory
2016:11:16-20:46:23 utm exim-in[24512]: 2016-11-16 20:46:23 H=mx.frankysweb.com [127.0.0.1]:46468 F= rejected RCPT : Address not present in directory 
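The same change applied as a small script rather than by hand in vi, as an added example that is not from the original post or from Sophos: it backs up the chrooted ldap.conf named above, replaces an existing TLS_REQCERT directive or appends "TLS_REQCERT allow" if none is present, and checks the result so a second run does not duplicate the line. The path is the one from the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the TLS_REQCERT workaround
# idempotently instead of editing ldap.conf by hand.
# Assumption: the path below is the UTM's chrooted SMTP ldap.conf as named in
# the post; the file may or may not already contain a TLS_REQCERT line.

LDAP_CONF="${LDAP_CONF:-/var/chroot-smtp/etc/openldap/ldap.conf}"

# Return 0 if the file already has an active (uncommented) TLS_REQCERT directive.
has_reqcert() {
    grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+' "$1"
}

# Print the current TLS_REQCERT value, or "not-set" if the directive is absent.
reqcert_value() {
    awk 'tolower($1)=="tls_reqcert" {v=$2} END {print (v=="" ? "not-set" : v)}' "$1"
}

# Ensure "TLS_REQCERT allow" is present exactly once. Keeps a timestamped
# backup, replaces an existing directive in place, or appends a new one.
ensure_reqcert_allow() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    if has_reqcert "$f"; then
        # rewrite the existing directive; awk instead of sed -i for portability
        tmp="$f.tmp.$$"
        awk 'tolower($1)=="tls_reqcert" {print "TLS_REQCERT allow"; next} {print}' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    else
        printf '\n# workaround: tolerate a DC certificate that the LDAP client cannot verify\nTLS_REQCERT allow\n' >> "$f"
    fi
    # verify the edit took effect before reporting success
    [ "$(reqcert_value "$f")" = "allow" ]
}

# Typical use on the UTM (as root): ensure_reqcert_allow "$LDAP_CONF"
```

Run it as root inside the UTM shell, then restart Mail Protection as described above. Note what the setting does: "allow" tells the OpenLDAP client to proceed even when the domain controller's certificate cannot be verified, which is why the bind no longer fails; the connection is still encrypted, but the server certificate is no longer checked. The post does not cover it, but the standard ldap.conf option TLS_CACERT, pointing at the CA that issued the domain controller's certificate, is the way to get a verified LDAPS bind instead of a tolerated one.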