Re: LDAP authentication and authorization using Debian and Active Directory

Hi Jim,

Thanks a lot for your help and time.
I managed to encrypt the authentication to Windows 2022 AD a few days ago. The method used is nearly identical to yours, with slight differences.
Similarly to your method:
1. I created ADCS
2. Exported the CA certificate and copied it to the mail server
3. Updated the local CA stores on the mail server using the update-ca-certificates command
4. Configuration of /etc/default/saslauthd: MECHANISMS = "ldap"
5. Configuration of /etc/saslauthd.conf was nearly identical to your method, with the exception of the following keywords:
a. ldap_servers: ldap://{DC name here} instead of ldap_servers: ldaps://{DC name here}:636
b. ldap_tls_check_peer: yes; in my case this was removed to avoid complications.
c. ldap_start_tls: YES; this is different from your method, basically it starts TLS encryption before authentication.
6. Configuration of /etc/imapd.conf should include the following keywords:
a. allowplaintext: yes
b. sasl_mech_list: PLAIN
c. sasl_pwcheck_method: saslauthd
I checked communication with Wireshark and I could confirm that there were several TLS packet exchanges between the domain server and the mail server. Furthermore, when plain text communication was used, that is when ldap_start_tls: was NO, the Windows Server 2022 event viewer recorded an informative error with Event ID 2889. Event ID 2889 states the following:
"The following client performed a SASL (Negotiate/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple binding over a clear text (non-SSL/TLS-encrypted) LDAP Connection."
This informative error was caused because in this case simple binding was used.
In contrast, when ldap_start_tls: was YES no similar informative errors were recorded and cyrus managed to authenticate with the server.

Regards

Denis
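As an added example (not part of Denis's message or of the Cyrus project), here is a small POSIX shell check that reads a saslauthd.conf and reports whether LDAP binds would travel in clear text, which is the condition the Event ID 2889 above records, and whether the DC certificate is actually verified, since ldap_start_tls without ldap_tls_check_peer encrypts the session but does not authenticate the server. File paths and config values in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a saslauthd.conf for
# LDAP transport security. Keys match the ones discussed in the thread:
# ldap_servers, ldap_start_tls, ldap_tls_check_peer.

# conf_value FILE KEY: print the (last) value of "KEY: value", lowercased,
# ignoring comment lines. Empty output means the key is absent.
# Only the first URL of a multi-server ldap_servers line is examined.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (key ":")  { v = $2 }
        END { print tolower(v) }
    ' "$1"
}

# check_saslauthd_conf FILE
# Returns 0 when binds are encrypted (ldaps:// or STARTTLS) and the DC
# certificate is verified, 1 for a simple bind over clear text (the case
# that makes the DC log Event ID 2889), 2 for encrypted but unverified.
check_saslauthd_conf() {
    _servers=$(conf_value "$1" ldap_servers)
    _start_tls=$(conf_value "$1" ldap_start_tls)
    _check_peer=$(conf_value "$1" ldap_tls_check_peer)
    _encrypted=0
    case "$_servers" in
        ldaps://*) _encrypted=1 ;;
    esac
    [ "$_start_tls" = yes ] && _encrypted=1
    if [ "$_encrypted" -eq 0 ]; then
        echo "WARN: $1: simple bind over clear-text LDAP (expect Event ID 2889 on the DC)"
        return 1
    fi
    if [ "$_check_peer" != yes ]; then
        echo "WARN: $1: TLS enabled but ldap_tls_check_peer is not yes; DC certificate is not verified"
        return 2
    fi
    echo "OK: $1: LDAP binds encrypted and DC certificate verified"
    return 0
}

# Direct use: ./check_saslauthd.sh /etc/saslauthd.conf
if [ "$#" -gt 0 ]; then
    check_saslauthd_conf "$1"
fi
```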

