
MS Exchange + TLS+AUTH as a relay host

  • Alex Zepeda
    Message 1 of 8, Jan 31, 2008
      So my goal, as handed down to me by my supervisor is to get postfix to
      relay all outgoing mail through a hosted Exchange server. Sigh. Said
      server requires TLS and user/pass authentication before you can do
      anything.

      If you connect to the host you'll see:

      220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
      Thu, 31 Jan 2008 22:58:54 -0800
      EHLO localhost
      250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
      250-SIZE 52428800
      250-PIPELINING
      250-ENHANCEDSTATUSCODES
      250-STARTTLS
      250-AUTH
      250-8BITMIME
      250-BINARYMIME
      250 CHUNKING

      Note that it does indeed show a null auth list (sigh). If I connect
      with s_client and hit start tls I'll see:

      EHLO localhost
      250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
      250-SIZE 52428800
      250-PIPELINING
      250-ENHANCEDSTATUSCODES
      250-AUTH LOGIN
      250-8BITMIME
      250-BINARYMIME
      250 CHUNKING

      Ah hah, a real list of allowed authentication methods!

      However with postfix I see the following in my mail.log:

      postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
      null AUTH mechanism list
      postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
      postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
      issuer=Equifax
      postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
      TLSv1 with cipher RC4-MD5 (128/128 bits)
      postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
      postfix/smtp[5288]: 75915BF45: to=<destination.address@...>,
      relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
      delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
      failed; cannot authenticate to server
      smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)

      Note that it's checking the auth list before it does its TLS handshake.

      Is there any way to get Postfix to re-read the auth list? This is
      Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.

      --
      alex
    • Noel Jones
      Message 2 of 8, Feb 1, 2008
        Alex Zepeda wrote:
        > So my goal, as handed down to me by my supervisor is to get postfix to
        > relay all outgoing mail through a hosted Exchange server. Sigh. Said
        > server requires TLS and user/pass authentication before you can do
        > anything.
        >
        > If you connect to the host you'll see:
        >
        > 220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
        > Thu, 31 Jan 2008 22:58:54 -0800
        > EHLO localhost
        > 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
        > 250-SIZE 52428800
        > 250-PIPELINING
        > 250-ENHANCEDSTATUSCODES
        > 250-STARTTLS
        > 250-AUTH
        > 250-8BITMIME
        > 250-BINARYMIME
        > 250 CHUNKING
        >
        > Note that it does indeed show a null auth list (sigh). If I connect
        > with s_client and hit start tls I'll see:
        >
        > EHLO localhost
        > 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
        > 250-SIZE 52428800
        > 250-PIPELINING
        > 250-ENHANCEDSTATUSCODES
        > 250-AUTH LOGIN
        > 250-8BITMIME
        > 250-BINARYMIME
        > 250 CHUNKING
        >
        > Ah hah, a real list of allowed authentication methods!
        >
        > However with postfix I see the following in my mail.log:
        >
        > postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
        > null AUTH mechanism list
        > postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
        > postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
        > issuer=Equifax
        > postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
        > TLSv1 with cipher RC4-MD5 (128/128 bits)
        > postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
        > postfix/smtp[5288]: 75915BF45: to=<destination.address@...>,
        > relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
        > delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
        > failed; cannot authenticate to server
        > smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)
        >
        > Note that it's checking the auth list before it does its TLS handshake.
        >
        > Is there any way to get Postfix to re-read the auth list? This is
        > Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.
        >

        Have you set in main.cf:
        smtp_sasl_security_options = noanonymous
        so that LOGIN will be accepted as a method?


        Also, some microsoft products seem to prefer the obsolete
        "smtps" submission method; maybe this will help your problem.
        Here are instructions on how to set it up:
        http://www.postfix.org/TLS_README.html#client_smtps

        If you do use smtps, the lookup key for the sasl_passwd table
        lookup will be the local nexthop rather than the final
        destination.
        [127.0.0.1]:11125 user:pass

        HTH.

        --
        Noel Jones
      • Alex Zepeda
        Message 3 of 8, Feb 1, 2008
          Noel Jones wrote:

          > Have you set in main.cf:
          > smtp_sasl_security_options = noanonymous
          > so that LOGIN will be accepted as a method?

          Makes no difference, I think the null auth list is catching postfix up.
          It doesn't seem to be re-reading the auth list after starttls.

          > Also, some microsoft products seem to prefer the obsolete "smtps"
          > submission method; maybe this will help your problem. Here are
          > instructions on how to set it up:
          > http://www.postfix.org/TLS_README.html#client_smtps

          Not an option here. It *must* be TLS. Yes, I hate hosted Exchange.

          --
          alex
        • Victor Duchovni
          Message 4 of 8, Feb 1, 2008
            On Fri, Feb 01, 2008 at 11:02:19AM -0800, Alex Zepeda wrote:

            > Noel Jones wrote:
            >
            > > Have you set in main.cf:
            > > smtp_sasl_security_options = noanonymous
            > > so that LOGIN will be accepted as a method?
            >
            > Makes no difference, I think the null auth list is catching postfix up.
            > It doesn't seem to be re-reading the auth list after starttls.

            No Postfix (as of at least 2.2.0 which is the first official release
            that supports TLS) recomputes all EHLO features after STARTTLS. So your
            problem is elsewhere. Perhaps you don't have SASL "login" support in your
            Cyrus SASL library.

            --
            Viktor.

            Disclaimer: off-list followups get on-list replies or get ignored.
            Please do not ignore the "Reply-To" header.

            To unsubscribe from the postfix-users list, visit
            http://www.postfix.org/lists.html or click the link below:
            <mailto:majordomo@...?body=unsubscribe%20postfix-users>

            If my response solves your problem, the best way to thank me is to not
            send an "it worked, thanks" follow-up. If you must respond, please put
            "It worked, thanks" in the "Subject" so I can delete these quickly.
          • Alex Zepeda
            Message 5 of 8, Feb 1, 2008
              Victor Duchovni wrote:

              > No Postfix (as of at least 2.2.0 which is the first official release
              > that supports TLS) recomputes all EHLO features after STARTTLS. So your
              > problem is elsewhere. Perhaps you don't have SASL "login" support in your
              > Cyrus SASL library.

              As in my original post, the server *returns a null auth list* before
              TLS, and returns an auth indicating login support *after* TLS. If
              Postfix is not recomputing (yay potential man in the middle attacks)
              after TLS, then yes it's not a matter of what's been compiled in -- it's
              looking at the 'wrong' features list.

              Thanks anyhow, I'm using the stock Debian packages. I'd love to be in a
              situation where fiddling with the source is an option. Unfortunately, I
              guess it's time to evaluate other MTAs.

              --
              alex
            • Victor Duchovni
              Message 6 of 8, Feb 1, 2008
                On Fri, Feb 01, 2008 at 11:33:09AM -0800, Alex Zepeda wrote:

                > Victor Duchovni wrote:
                >
                > > No Postfix (as of at least 2.2.0 which is the first official release
                > > that supports TLS) recomputes all EHLO features after STARTTLS. So your
                > > problem is elsewhere. Perhaps you don't have SASL "login" support in your
                > > Cyrus SASL library.
                >
                > As in my original post, the server *returns a null auth list* before
                > TLS, and returns an auth indicating login support *after* TLS.

                You don't need to repeat this a 3rd time...

                > If
                > Postfix is not recomputing (yay potential man in the middle attacks)
                > after TLS, then yes it's not a matter of what's been compiled in -- it's
                > looking at the 'wrong' features list.

                As I tried to say (but dropped a comma after "No"), Postfix recomputes
                all EHLO features after STARTTLS, including the SASL mechanisms, so
                your hypothesis is wrong. Postfix is NOT looking at the wrong feature
                list, so resume your debugging with the knowledge that "LOGIN" is seen,
                but not being accepted. Are you sure you have not disabled "plaintext"
                mechanisms? Are you sure you have Cyrus SASL's "login" module? ...

                --
                Viktor.

              • Wietse Venema
                Message 7 of 8, Feb 1, 2008
                  Victor Duchovni:
                  > On Fri, Feb 01, 2008 at 11:33:09AM -0800, Alex Zepeda wrote:
                  >
                  > > Victor Duchovni wrote:
                  > >
                  > > > No Postfix (as of at least 2.2.0 which is the first official release
                  > > > that supports TLS) recomputes all EHLO features after STARTTLS. So your
                  > > > problem is elsewhere. Perhaps you don't have SASL "login" support in your
                  > > > Cyrus SASL library.
                  > >
                  > > As in my original post, the server *returns a null auth list* before
                  > > TLS, and returns an auth indicating login support *after* TLS.
                  >
                  > You don't need to repeat this a 3rd time...
                  >
                  > > If
                  > > Postfix is not recomputing (yay potential man in the middle attacks)
                  > > after TLS, then yes it's not a matter of what's been compiled in -- it's
                  > > looking at the 'wrong' features list.
                  >
                  > As I tried to say (but dropped a comma after "No"), Postfix recomputes
                  > all EHLO features after STARTTLS, including the SASL mechanisms, so
                  > your hypothesis is wrong. Postfix is NOT looking at the wrong feature
                  > list, so resume your debugging with the knowledge that "LOGIN" is seen,
                  > but not being accepted. Are you sure you have not disabled "plaintext"
                  > mechanisms? Are you sure you have Cyrus SASL's "login" module? ...

                  Check out these parameters:

                  smtp_sasl_security_options (options BEFORE STARTTLS)
                  smtp_sasl_tls_security_options (options AFTER STARTTLS)

                  If smtp_sasl_tls_security_options disallows plaintext login
                  then Postfix won't use the LOGIN method.

                  Of course, if you don't have the SASL shared library object for LOGIN,
                  then Postfix won't use the LOGIN method either.

                  Wietse
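An added example (not code from the thread or from Postfix itself) that models what Viktor and Wietse describe: it parses the two EHLO replies Alex quoted, then applies the smtp_sasl_security_options / smtp_sasl_tls_security_options filter to show which mechanism survives once TLS is up. The sample replies are constructed from the thread's excerpts, and the live probe_auth_lists helper and its host argument are hypothetical additions.

```python
import smtplib

# Constructed EHLO replies modelled on the thread: bare AUTH before STARTTLS, AUTH LOGIN after.
EHLO_BEFORE_TLS = ("250-smtpx16.msoutlookonline.net Hello [x.x.x.x]\r\n"
                   "250-SIZE 52428800\r\n250-STARTTLS\r\n250-AUTH\r\n250 CHUNKING")
EHLO_AFTER_TLS = ("250-smtpx16.msoutlookonline.net Hello [x.x.x.x]\r\n"
                  "250-SIZE 52428800\r\n250-AUTH LOGIN\r\n250 CHUNKING")

# Mechanisms that send the password unprotected by SASL itself ("noplaintext" drops them).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}

def auth_mechs(ehlo_reply):
    """Mechanisms advertised by an EHLO reply; empty for a bare AUTH keyword."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            mechs.update(m.upper() for m in words[1:])
    return mechs

def filter_mechs(advertised, security_options):
    """Apply a smtp_sasl*_security_options value such as "noplaintext, noanonymous"."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    usable = set(advertised)
    if "noplaintext" in opts:
        usable -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        usable -= ANONYMOUS_MECHS
    return usable

def usable_mechs(tls_established, pre_tls_reply, post_tls_reply, pre_tls_opts, post_tls_opts):
    """After STARTTLS the post-TLS EHLO reply and smtp_sasl_tls_security_options decide;
    before it, the pre-TLS reply and smtp_sasl_security_options (whose default,
    "noplaintext, noanonymous", also applies after TLS unless overridden).
    An empty result is the 'no mechanism available' case in the thread's log."""
    if tls_established:
        return filter_mechs(auth_mechs(post_tls_reply), post_tls_opts)
    return filter_mechs(auth_mechs(pre_tls_reply), pre_tls_opts)

def probe_auth_lists(host, port=25):
    """Live equivalent of the thread's s_client check (hypothetical helper, not run offline):
    AUTH list before and after STARTTLS; smtplib's default context verifies the certificate."""
    with smtplib.SMTP(host, port, timeout=15) as conn:
        conn.ehlo("localhost")
        before = set(conn.esmtp_features.get("auth", "").upper().split())
        conn.starttls()
        conn.ehlo("localhost")
        after = set(conn.esmtp_features.get("auth", "").upper().split())
    return before, after
```

With the Postfix defaults left in place after TLS, LOGIN is filtered out even though the server advertises it; setting smtp_sasl_tls_security_options = noanonymous keeps it.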
                • Alex Zepeda
                  Message 8 of 8, Feb 9, 2008
                    Thanks for the help guys, problem solved.

                    --
                    alex