Rewriting sender addresses to get around an exchange restriction

  • Dan Stromberg
    Message 1 of 3 , Feb 25, 2007
      I'm working on getting a nagios server going.

      It seems to work fine, except for the e-mail notices portion. nagios'
      part of this is OK - but our exchange server (sigh) is refusing to
      accept mail from the "nagios" user on the nagios server. The nagios
      server runs postfix - the one that comes with (patched) SuSE 9.3.

      The exchange server is apparently requiring SMTP auth. I don't know if
      that restriction would be lifted if I had a static IP; the nagios server
      is unfortunately on a DHCP IP - at least for now.

      I've got postfix doing SMTP auth OK for my own userid - dstromberg.
      However, the nagios process is sending mail as user nagios, and although
      I have postfix authenticating to exchange using user dstromberg, the
      exchange server is rejecting the mail from the nagios user, saying:

      Feb 25 20:07:08 linux postfix/pickup[22211]: 7785B38F162B: uid=1001 from=<nagios>
      Feb 25 20:07:08 linux postfix/cleanup[23455]: 7785B38F162B: message-id=<45E25CEC.mailI3G1MUJ77@linux>
      Feb 25 20:07:08 linux postfix/qmgr[22212]: 7785B38F162B: from=<nagios@...>, size=461, nrcpt=1 (queue active)
      Feb 25 20:07:08 linux postfix/smtp[23400]: warning: pop.opus-i.net[209.10.181.154] offered AUTH option multiple times
      Feb 25 20:07:09 linux postfix/smtp[23400]: 7785B38F162B: to=<support@...>, relay=pop.opus-i.net[209.10.181.154
      ], delay=1, status=deferred (host pop.opus-i.net[209.10.181.154] said: 454 5.7.3 Client does not have permission to Send
      As this sender. (in reply to MAIL FROM command))

      So as an interim measure, I've been looking at getting
      nagios@... rewritten to dstromberg@... via
      sender_canonicial:

      linux:/etc/postfix # grep nagios sender_canonical
      nagios@... dstromberg@...
      nagios-admin@... dstromberg@...

      ...however, that doesn't seem to work - the sender address doesn't
      appear to be getting rewritten to dstromberg@.... Yes, I have
      postmap'd sender_canonical - also I can open the postmap database using
      python and list the keys and values.

      Is there an easy way to get this rewriting working? Should that get me
      around this exchange restriction?

      As far as longer term fixes, is it best to get nagios and nagios-admin
      accounts on the exchange server, and then have postfix set up with
      multiple smtp's in master.cf?

      Is there a way on the exchange side, to make it just trust whatever
      postfix passes it? Or to make one account able to send out mail as any
      sender?

      And would exchange trust the nagios box if it weren't on a DHCP'd,
      unroutable address? :)

      BTW, to get exchange to process any mail at all from this machine, I
      wound up binary patching away the AUTH=<> that postfix was adding to the
      MAIL FROM line - without that change, even mail from dstromberg wouldn't
      work.

      Thanks!
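
A way to confirm from the Postfix log whether the canonical rewrite took effect before the relay refused the message. This is an added example, not part of the original post: the example.com addresses, the 192.0.2.10 relay, the second queue ID and the function name are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above; example.com addresses,
# the relay and the second queue ID are placeholders, not values from the thread.
SAMPLE_LOG = """\
Feb 25 20:07:08 linux postfix/pickup[22211]: 7785B38F162B: uid=1001 from=<nagios>
Feb 25 20:07:08 linux postfix/qmgr[22212]: 7785B38F162B: from=<nagios@example.com>, size=461, nrcpt=1 (queue active)
Feb 25 20:07:09 linux postfix/smtp[23400]: 7785B38F162B: to=<support@example.com>, relay=mail.example.com[192.0.2.10], delay=1, status=deferred (host mail.example.com[192.0.2.10] said: 454 5.7.3 Client does not have permission to Send As this sender. (in reply to MAIL FROM command))
Feb 25 20:09:30 linux postfix/pickup[22211]: 9A1C238F1630: uid=1000 from=<dstromberg>
Feb 25 20:09:30 linux postfix/qmgr[22212]: 9A1C238F1630: from=<dstromberg@example.com>, size=512, nrcpt=1 (queue active)
Feb 25 20:09:31 linux postfix/smtp[23400]: 9A1C238F1630: to=<support@example.com>, relay=mail.example.com[192.0.2.10], delay=1, status=sent (250 2.6.0 Queued mail for delivery)
"""

LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FROM = re.compile(r"from=<(?P<addr>[^>]*)>")
STATUS = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?status=(?P<status>\w+) \((?P<reply>.*)\)$")

def sender_rejections(log_text, expected_sender=None):
    """Correlate lines by queue ID and return deliveries refused with 5.7.3.

    The qmgr from= value is the envelope sender after cleanup has applied
    any canonical rewriting, so it shows whether the rewrite took effect.
    """
    queue = defaultdict(dict)
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. "warning:" lines carry no queue ID
        qid, svc, rest = m["qid"], m["svc"], m["rest"]
        if svc in ("pickup", "qmgr") and (f := FROM.search(rest)):
            queue[qid][svc] = f["addr"]
        elif svc == "smtp" and (s := STATUS.search(rest)) and " 5.7.3 " in s["reply"]:
            sender = queue[qid].get("qmgr", "")
            findings.append({
                "queue_id": qid,
                "submitted_as": queue[qid].get("pickup"),
                "envelope_sender": sender,
                "recipient": s["rcpt"],
                "status": s["status"],
                "rewritten": expected_sender is not None and sender == expected_sender,
            })
    return findings

if __name__ == "__main__":
    for finding in sender_rejections(SAMPLE_LOG, expected_sender="dstromberg@example.com"):
        print(finding)
```

A finding with `rewritten` set to False means the message left the queue with its original envelope sender, so the map was not applied; the map itself is a separate check.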
    • mouss
      Message 2 of 3 , Feb 26, 2007
        Dan Stromberg wrote:
        > I'm working on getting a nagios server going.
        >
        > It seems to work fine, except for the e-mail notices portion. nagios'
        > part of this is OK - but our exchange server (sigh) is refusing to
        > accept mail from the "nagios" user on the nagios server. The nagios
        > server runs postfix - the one that comes with (patched) SuSE 9.3.
        >
        > The exchange server is apparently requiring SMTP auth. I don't know if
        > that restriction would be lifted if I had a static IP; the nagios server
        > is unfortunately on a DHCP IP - at least for now.
        >
        > I've got postfix doing SMTP auth OK for my own userid - dstromberg.
        > However, the nagios process is sending mail as user nagios, and although
        > I have postfix authenticating to exchange using user dstromberg, the
        > exchange server is rejecting the mail from the nagios user, saying:
        >
        > Feb 25 20:07:08 linux postfix/pickup[22211]: 7785B38F162B: uid=1001 from=<nagios>
        > Feb 25 20:07:08 linux postfix/cleanup[23455]: 7785B38F162B: message-id=<45E25CEC.mailI3G1MUJ77@linux>
        > Feb 25 20:07:08 linux postfix/qmgr[22212]: 7785B38F162B: from=<nagios@...>, size=461, nrcpt=1 (queue active)
        > Feb 25 20:07:08 linux postfix/smtp[23400]: warning: pop.opus-i.net[209.10.181.154] offered AUTH option multiple times
        > Feb 25 20:07:09 linux postfix/smtp[23400]: 7785B38F162B: to=<support@...>, relay=pop.opus-i.net[209.10.181.154
        > ], delay=1, status=deferred (host pop.opus-i.net[209.10.181.154] said: 454 5.7.3 Client does not have permission to Send
        > As this sender. (in reply to MAIL FROM command))
        >

        so exchange is apparently rejecting the transaction because of mismatch
        between login and sender address. see if you can tell exchange to allow
        this (postfix can be told to do so and more).
        > So as an interim measure, I've been looking at getting
        > nagios@... rewritten to dstromberg@... via
        > sender_canonicial:
        >

        why not configure nagios to send as dstromberg@...? just
        modify the notify-by-email command to use sendmail with the -f option.
        > linux:/etc/postfix # grep nagios sender_canonical
        > nagios@... dstromberg@...
        > nagios-admin@... dstromberg@...
        >
        > ...however, that doesn't seem to work - the sender address doesn't
        > appear to be getting rewritten to dstromberg@.... Yes, I have
        > postmap'd sender_canonical - also I can open the postmap database using
        > python and list the keys and values.
        >

        no need for python here. to test maps, use 'postmap -q':
        # postmap -q nagios@... hash:/path/to/sender_canonical
        ...
        > Is there an easy way to get this rewriting working? Should that get me
        > around this exchange restriction?
        >

        well, you forgot the mandatory postconf -n and logs (and master.cf if
        you are using content_filters or having a non std master.cf)
        > As far as longer term fixes, is it best to get nagios and nagios-admin
        > accounts on the exchange server, and then have postfix set up with
        > multiple smtp's in master.cf?
        >
        >

        That's too much work...

        > Is there a way on the exchange side, to make it just trust whatever
        > postfix passes it? Or to make one account able to send out mail as any
        > sender?
        >

        I guess so, but I'm no exchangeer.
        > And would exchange trust the nagios box if it weren't on a DHCP'd,
        > unroutable address? :)
        >
        > BTW, to get exchange to process any mail at all from this machine, I
        > wound up binary patching away the AUTH=<> that postfix was adding to the
        > MAIL FROM line - without that change, even mail from dstromberg wouldn't
        > work.
        >

        really? that exchange would be double-broken.... ESMTP servers should
        ignore keywords they don't manage. are you sure it's not a
        router/firewall in the middle?
        > Thanks!
      • Rupprecht, James R
        Message 3 of 3 , Feb 27, 2007
          Hmmm...

          Is your Exchange box sending SMTP messages to the Nagios box? If that answer is no, just add the 'from' address Nagios is using as a new SMTP address for the account being used for auth. Alternately, if the Nagios address is a distinct account in AD, grant SEND AS rights for the Nagios account to the auth account.


          James Rupprecht
          Senior Systems Specialist
          Microsoft Exchange and Active Directory Administrator
          University of Kansas





          -----Original Message-----
          From: owner-postfix-users@...
          [mailto:owner-postfix-users@...]On Behalf Of mouss
          Sent: Monday, February 26, 2007 3:19 PM
          Cc: postfix-users@...
          Subject: Re: Rewriting sender addresses to get around an exchange
          restriction

