Managing untrusted certificates
July 4, 2024
ID 75804
If you have configured the application to connect to an external directory service over an encrypted LDAP connection using the <connectionType/> setting in the settings.xml file, Kaspersky Security 8 for Linux Mail Server requests a certificate from the server running the OpenLDAP or Active Directory service. You can configure how Kaspersky Security 8 for Linux Mail Server responds when Active Directory or an OpenLDAP server does not send a certificate or sends an untrusted certificate.
You can configure what Kaspersky Security 8 for Linux Mail Server does if a certificate is missing or untrusted using the TLS_REQCERT <level> setting. This setting is located in the configuration file /etc/opt/kaspersky/klms/ldap.conf. The format of the ldap.conf file depends on the LDAP library used.
The TLS_REQCERT parameter can take the following values:
never. Kaspersky Security 8 for Linux Mail Server does not request a certificate from Active Directory or the OpenLDAP server.
allow. Kaspersky Security 8 for Linux Mail Server requests a certificate from Active Directory or the OpenLDAP server. If the certificate has not been sent or an untrusted certificate has been sent, the TLS session continues. This is the default value.
try. Kaspersky Security 8 for Linux Mail Server requests a certificate from Active Directory or the OpenLDAP server. If the certificate is not sent, the TLS session continues. If an untrusted certificate is sent, the TLS session is interrupted.
demand / hard. The demand and hard values are equivalent. Kaspersky Security 8 for Linux Mail Server requests a certificate from Active Directory or the OpenLDAP server. If the certificate is missing or an untrusted certificate has been sent, the TLS session is interrupted.
After changing the value of the TLS_REQCERT setting and saving the ldap.conf file, restart Kaspersky Security 8 for Linux Mail Server to apply changes.
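
A check that can be run before and after the change, given here as an added example that is not part of the Kaspersky documentation: it reads the effective TLS_REQCERT level from a file and classifies it by the behaviour listed above. It assumes an OpenLDAP-style ldap.conf (keyword and value separated by whitespace, comment lines starting with #, last occurrence wins); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit TLS_REQCERT in an OpenLDAP-style ldap.conf.
# Assumptions: "KEYWORD value" lines, '#' starts a comment line, the keyword
# is case-insensitive, and the last occurrence in the file is the effective one.

# Print the effective TLS_REQCERT value in lower case. When the setting is
# absent, print "allow", which the page gives as the default value.
reqcert_level() {
    awk '
        /^[ \t]*#/ { next }
        toupper($1) == "TLS_REQCERT" && NF >= 2 { v = tolower($2) }
        END { print (v == "" ? "allow" : v) }
    ' "$1"
}

# Map a level to what it means for authenticating the directory server.
reqcert_verdict() {
    case "$1" in
        demand|hard) echo "enforced" ;;    # missing or untrusted certificate ends the session
        try)         echo "partial" ;;     # untrusted certificate rejected, missing one tolerated
        allow|never) echo "unverified" ;;  # session continues without a trusted certificate
        *)           echo "unknown" ;;     # value not among those listed on the page
    esac
}

# Audit one file: print "<level> <verdict>"; return 0 only when enforced,
# 1 for any weaker level, 2 when the file cannot be read.
audit_ldap_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    level=$(reqcert_level "$1")
    verdict=$(reqcert_verdict "$level")
    echo "$level $verdict"
    [ "$verdict" = "enforced" ]
}

# When run as a script, audit the file given as the first argument,
# for example /etc/opt/kaspersky/klms/ldap.conf.
[ "$#" -eq 0 ] || audit_ldap_conf "$1"
```

A file with no TLS_REQCERT line is reported as "allow unverified", so the non-zero exit status also flags installations left at the default.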