Hi Jim,

Thanks a lot for your help and time. I managed to encrypt the authentication to Windows 2022 AD a few days ago. The method used is nearly identical to yours, with a slight difference. Similarly to your method:

1. I created ADCS.
2. Exported the CA certificate and copied it to the mail server.
3. Updated the local CA stores on the mail server using the update-ca-certificates command.
4. Configuration of /etc/default/saslauthd:
   MECHANISMS="ldap"
5. Configuration of /etc/saslauthd.conf was nearly identical to your method with the exception of the following keywords:
   a. ldap_servers: ldap://{DC name here} instead of ldap_servers: ldaps://{DC name here}:636
   b. ldap_tls_check_peer: yes - in my case this was removed to avoid complications.
   c. ldap_start_tls: YES - this is different from your method; basically it starts TLS encryption before authentication.
6. Configuration of /etc/imapd.conf should include the following keywords:
   a. allowplaintext: yes
   b. sasl_mech_list: PLAIN
   c. sasl_pwcheck_method: saslauthd

I checked communication with Wireshark and I could confirm that there were several TLS packet exchanges between the domain server and the mail server. Furthermore, when plain text communication was used, that is when ldap_start_tls: was NO, the Windows Server 2022 event viewer recorded an informative error with Event ID 2889. Event ID 2889 states the following: "The following client performed a SASL (Negotiate/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection." This informative error was caused because in this case simple binding was used. In contrast, when ldap_start_tls: was YES, no similar informative errors were recorded and Cyrus managed to authenticate with the server.
Regards,
Denis

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T1c604a219c5fa805-Me78ecb0cbb88a21cc70856a1
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
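Added example (not Denis's or Jim's configuration, and not part of the Cyrus project): a small audit of the saslauthd.conf transport keywords discussed in the post. It parses the "keyword: value" format, then reports, per ldap_servers entry, whether the bind would travel in clear text (ldap:// with ldap_start_tls left off, the case that produced Event ID 2889 above), whether TLS is on but ldap_tls_check_peer is off (an absent keyword is treated as saslauthd's documented default of "no", so a config with the keyword removed lands here), and the hardened LDAPS plus peer-verification variant. The host names, CA file path and the three sample configs are constructed for the example; the STARTTLS_ON_LDAPS warning encodes the assumption that a StartTLS request on an already-TLS port is rejected by the server.

```python
"""Audit of saslauthd.conf LDAP transport settings (added example, not project code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample configurations (not taken from the original post).
WEAK_CONF = """\
# plain ldap:// with ldap_start_tls left at its default (no): the simple bind
# goes over the wire in clear text and the DC logs Event ID 2889
ldap_servers: ldap://dc01.example.local
ldap_auth_method: bind
ldap_search_base: dc=example,dc=local
"""

STARTTLS_NO_PEER_CHECK = """\
# StartTLS is on, but the server certificate is never verified
ldap_servers: ldap://dc01.example.local
ldap_start_tls: yes
ldap_tls_check_peer: no
"""

HARDENED_CONF = """\
# LDAPS with peer verification against the exported AD CS root (assumed path)
ldap_servers: ldaps://dc01.example.local:636
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /usr/local/share/ca-certificates/ad-root-ca.crt
"""

_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$")
_TRUE = {"yes", "true", "on", "1"}

Finding = Tuple[str, str, str]  # (server URI, severity, code)


def parse_saslauthd_conf(text: str) -> Dict[str, str]:
    """Parse 'keyword: value' lines; '#' comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Flag each configured LDAP server whose bind would be unprotected."""
    # Both keywords default to "no" in saslauthd when absent.
    start_tls = settings.get("ldap_start_tls", "no").lower() in _TRUE
    check_peer = settings.get("ldap_tls_check_peer", "no").lower() in _TRUE
    findings: List[Finding] = []
    for uri in settings.get("ldap_servers", "").split():
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldaps":
            if start_tls:
                # assumption: StartTLS on an implicit-TLS port is refused
                findings.append((uri, "MEDIUM", "STARTTLS_ON_LDAPS"))
        elif scheme == "ldap":
            if not start_tls:
                # simple bind in clear text: password visible on the wire
                findings.append((uri, "HIGH", "CLEARTEXT_BIND"))
                continue
        else:
            findings.append((uri, "INFO", "UNKNOWN_SCHEME"))
            continue
        if not check_peer:
            # encrypted, but any server presenting any certificate is accepted
            findings.append((uri, "HIGH", "NO_PEER_VERIFY"))
    return findings


def is_acceptable(settings: Dict[str, str]) -> bool:
    """True when no HIGH-severity finding remains."""
    return not any(sev == "HIGH" for _, sev, _ in audit(settings))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF),
                       ("starttls-no-peer-check", STARTTLS_NO_PEER_CHECK),
                       ("hardened", HARDENED_CONF)):
        print(name, audit(parse_saslauthd_conf(conf)) or "OK")
```

Run it against a real /etc/saslauthd.conf by passing the file contents to parse_saslauthd_conf. The point the audit makes explicit is that ldap_start_tls: yes on its own only gets you past Event ID 2889; without ldap_tls_check_peer: yes (and a CA the mail server trusts) the TLS session accepts any certificate, so anyone who can answer for the DC name can still collect the bind credentials.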
