UTM Email Protection: Recipient verification with Active Directory

In my private environment with a Sophos UTM 9.508-10, I have always had the problem that the recipient verification of Email Protection via Active Directory did not work. The following warning was always displayed in the Email Protection live log:

Warning: ACL "warn" statement skipped: condition test deferred: failed to bind the LDAP connection to server 192.168.5.1:636 - ldap_bind() returned -1

The normal authentication of users against the Active Directory ran without any problems, and it was also possible to test the authentication services. Only Email Protection stubbornly refused to verify the email addresses against Active Directory.

In the authentication services of the UTM, I had configured that the connection to the domain controller should be encrypted using SSL. Apparently, however, this causes problems with the UTM's email protection and, at least in my case, leads to the error mentioned above.

Importing the domain controller's certificate didn't help either, so the only thing left for me to do was to use an unencrypted connection.

Here is the configuration that works in my environment:

In order for recipient verification to work, I had to change the setting "Domain controller: Signature requirements for LDAP server" to the value "None". The setting can either be defined in the group policy "Default Domain Controllers Policy" or via a new additional policy for the domain controllers. I am a friend of unchanged default policies, so I would recommend creating a new group policy here, here you must then pay attention to the order of the GPOs so that the default policy does not overwrite the value:

To verify e-mail addresses and users, the UTM requires a user in the ActiveDirectory. The user must only belong to the "Domain users" group. The user's password must not expire:

The Distinguished Name (DN) is required from the user's attributes; this can already be copied once:

The Distinguished Name (DN) of the Active Directory domain is also required:

A new server with the type "Active Directory" is now created in the authentication services of the UTM. SSL is deactivated and port 389 is selected. The value "Bind-DN" corresponds to the Distinguished Name (DN) of the user account. The value for BaseDN corresponds to the DN of the domain:

The settings can be tested with "Test server settings" and any user/password combination.

Recipient authentication via Active Directory can now be activated in the Email Protection settings under the Routing menu item. The DN of the domain can again be specified as the "Alternative BaseDN":

With these settings, recipient verification via Active Directory works, at least in my environment. If anyone has managed it with SSL, I would be pleased to receive feedback.