Managing untrusted certificates

July 4, 2024

ID 75804

If you have configured an encrypted LDAP connection between the application and an external directory service using the <connectionType/> setting in the settings.xml file, Kaspersky Security 8 for Linux Mail Server requests a certificate from the server running the OpenLDAP or Active Directory service. You can configure how Kaspersky Security 8 for Linux Mail Server responds when the Active Directory or OpenLDAP server does not send a certificate or sends an untrusted certificate.

You can configure what Kaspersky Security 8 for Linux Mail Server does if a certificate is missing or untrusted using the TLS_REQCERT <level> setting. This setting is located in the configuration file: /etc/opt/kaspersky/klms/ldap.conf. The format of the ldap.conf file depends on the LDAP library used.

The TLS_REQCERT parameter can take the following values:

  • never. Kaspersky Security 8 for Linux Mail Server does not request a certificate from the Active Directory or OpenLDAP server.
  • allow. Kaspersky Security 8 for Linux Mail Server requests a certificate from the Active Directory or OpenLDAP server. If no certificate is sent or an untrusted certificate is sent, the TLS session continues. This is the default value.
  • try. Kaspersky Security 8 for Linux Mail Server requests a certificate from the Active Directory or OpenLDAP server. If no certificate is sent, the TLS session continues. If an untrusted certificate is sent, the TLS session is interrupted.
  • demand / hard. The demand and hard values are equivalent. Kaspersky Security 8 for Linux Mail Server requests a certificate from the Active Directory or OpenLDAP server. If no certificate is sent or an untrusted certificate is sent, the TLS session is interrupted.

After changing the value of the TLS_REQCERT setting and saving the ldap.conf file, restart Kaspersky Security 8 for Linux Mail Server to apply changes.
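The following shell functions are an added example, not part of the Kaspersky documentation or product. They read an ldap.conf file, report the effective TLS_REQCERT level, and show how the session behaves for a missing or untrusted certificate according to the value list above. The function names and the parsing rules (whitespace-separated "KEYWORD value" lines, `#` comment lines, case-insensitive keyword, last occurrence wins) are assumptions, because the file format depends on the LDAP library used.

```shell
#!/bin/sh
# Added example: audit the effective TLS_REQCERT level in an ldap.conf file.
# Assumed format (verify for your LDAP library): "KEYWORD value" lines,
# '#' starts a comment line, keyword is case-insensitive, last occurrence wins.

KLMS_LDAP_CONF="/etc/opt/kaspersky/klms/ldap.conf"   # path given on this page

# Print the effective level. When the setting is absent, print "allow",
# which this page states is the default value.
reqcert_level() {
    awk '
        /^[ \t]*#/ { next }                                   # comment line
        toupper($1) == "TLS_REQCERT" && NF >= 2 { level = tolower($2) }
        END { print (level == "" ? "allow" : level) }
    ' "$1"
}

# Print the outcome for a missing and for an untrusted certificate.
# Exit status: 0 = both cases interrupt the TLS session (demand / hard),
#              1 = at least one case lets the session continue,
#              2 = file unreadable or value not in the documented list.
reqcert_audit() {
    level=$(reqcert_level "$1") || return 2
    case "$level" in
        never)       echo "$level: certificate not requested"; return 1 ;;
        allow)       echo "$level: missing=continue untrusted=continue"; return 1 ;;
        try)         echo "$level: missing=continue untrusted=interrupt"; return 1 ;;
        demand|hard) echo "$level: missing=interrupt untrusted=interrupt"; return 0 ;;
        *)           echo "$level: unrecognized value"; return 2 ;;
    esac
}

# Check the product's file when it exists on this host.
if [ -r "$KLMS_LDAP_CONF" ]; then
    reqcert_audit "$KLMS_LDAP_CONF" || echo "review TLS_REQCERT in $KLMS_LDAP_CONF"
fi
```

A non-zero exit status from reqcert_audit makes the check usable in a configuration-compliance job that runs before the application is restarted.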
