Fortimail Cloud and LDAP

LDAP traffic from a Fortimail Cloud instance travels over the internet and therefore should be SSL encrypted (port 636). Certificate services must be installed on your Active Directory server for it to accept LDAP SSL requests on 636.

LDAP requests on port 389 are sent in the clear, this includes e-mail addresses and password. This also includes the Admin user password for the initial bind.

See the below packet capture as an example:

501.091693 port1 out 172.20.184.160.48226 -> 172.20.184.200.389: psh 983268976 ack 1855075221
000000 00 00 00 00 00 00 52 00 00 01 00 01 08 00 45 00 ......R.......E.
000010 00 7e 71 30 40 00 40 06 ff b7 ac 14 b8 a0 ac 14 .~q0@.@.........
000020 b8 c8 bc 62 01 85 3a 9b 7e 70 6e 92 33 95 80 18 ...b..:.~pn.3...
000030 00 e5 ca 02 00 00 01 01 08 0a 20 ec 0f 41 1e 54 .............A.T
000040 5d ed 30 48 02 01 01 60 43 02 01 03 04 2e 43 4e ].0H...`C.....CN
000050 3d 54 65 73 74 2c 43 4e 3d 55 73 65 72 73 2c 44 =Test,CN=Users,D
000060 43 3d 45 54 41 43 2c 44 43 3d 66 6f 72 74 69 6e C=ETAC,DC=fortin
000070 65 74 74 61 63 2c 44 43 3d 63 6f 6d 80 0e 46 6f ettac,DC=com..Fo
000080 72 74 69 6e 65 74 31 32 33 21 21 21             rtinet123!!!

We can see the authentication password sent for user test@fortinettac.com is Fortinet123!!!

Leave a Reply