Re: MS Exchange + TLS+AUTH as a relay host

  • Noel Jones
    Message 1 of 8, Feb 1, 2008
      Alex Zepeda wrote:
      > So my goal, as handed down to me by my supervisor is to get postfix to
      > relay all outgoing mail through a hosted Exchange server. Sigh. Said
      > server requires TLS and user/pass authentication before you can do
      > anything.
      >
      > If you connect to the host you'll see:
      >
      > 220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
      > Thu, 31 Jan 2008 22:58:54 -0800
      > EHLO localhost
      > 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
      > 250-SIZE 52428800
      > 250-PIPELINING
      > 250-ENHANCEDSTATUSCODES
      > 250-STARTTLS
      > 250-AUTH
      > 250-8BITMIME
      > 250-BINARYMIME
      > 250 CHUNKING
      >
      > Note that it does indeed show a null auth list (sigh). If I connect
      > with s_client and hit start tls I'll see:
      >
      > EHLO localhost
      > 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
      > 250-SIZE 52428800
      > 250-PIPELINING
      > 250-ENHANCEDSTATUSCODES
      > 250-AUTH LOGIN
      > 250-8BITMIME
      > 250-BINARYMIME
      > 250 CHUNKING
      >
      > Ah hah, a real list of allowed authentication methods!
      >
      > However with postfix I see the following in my mail.log:
      >
      > postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
      > null AUTH mechanism list
      > postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
      > postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
      > issuer=Equifax
      > postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
      > TLSv1 with cipher RC4-MD5 (128/128 bits)
      > postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
      > postfix/smtp[5288]: 75915BF45: to=<destination.address@...>,
      > relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
      > delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
      > failed; cannot authenticate to server
      > smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)
      >
      > Note that it's checking the auth list before it does its TLS handshake.
      >
      > Is there any way to get Postfix to re-read the auth list? This is
      > Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.
      >

      Have you set in main.cf:
      smtp_sasl_security_options = noanonymous
      so that LOGIN will be accepted as a method?


      Also, some microsoft products seem to prefer the obsolete
      "smtps" submission method; maybe this will help your problem.
      Here are instructions on how to set it up:
      http://www.postfix.org/TLS_README.html#client_smtps

      If you do use smtps, the lookup key for the sasl_passwd table
      lookup will be the local nexthop rather than the final
      destination.
      [127.0.0.1]:11125 user:pass

      HTH.

      --
      Noel Jones
    • Alex Zepeda
      Message 2 of 8, Feb 1, 2008
        Noel Jones wrote:

        > Have you set in main.cf:
        > smtp_sasl_security_options = noanonymous
        > so that LOGIN will be accepted as a method?

        Makes no difference, I think the null auth list is catching postfix up.
        It doesn't seem to be re-reading the auth list after starttls.

        > Also, some microsoft products seem to prefer the obsolete "smtps"
        > submission method; maybe this will help your problem. Here are
        > instructions on how to set it up:
        > http://www.postfix.org/TLS_README.html#client_smtps

        Not an option here. It *must* be TLS. Yes, I hate hosted Exchange.

        --
        alex
      • Victor Duchovni
        Message 3 of 8, Feb 1, 2008
          On Fri, Feb 01, 2008 at 11:02:19AM -0800, Alex Zepeda wrote:

          > Noel Jones wrote:
          >
          > > Have you set in main.cf:
          > > smtp_sasl_security_options = noanonymous
          > > so that LOGIN will be accepted as a method?
          >
          > Makes no difference, I think the null auth list is catching postfix up.
          > It doesn't seem to be re-reading the auth list after starttls.

          No Postfix (as of at least 2.2.0 which is the first official release
          that supports TLS) recomputes all EHLO features after STARTTLS. So your
          problem is elsewhere. Perhaps you don't have SASL "login" support in your
          Cyrus SASL library.

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          To unsubscribe from the postfix-users list, visit
          http://www.postfix.org/lists.html or click the link below:
          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • Alex Zepeda
          Message 4 of 8, Feb 1, 2008
            Victor Duchovni wrote:

            > No Postfix (as of at least 2.2.0 which is the first official release
            > that supports TLS) recomputes all EHLO features after STARTTLS. So your
            > problem is elsewhere. Perhaps you don't have SASL "login" support in your
            > Cyrus SASL library.

            As in my original post, the server *returns a null auth list* before
            TLS, and returns an auth indicating login support *after* TLS. If
            Postfix is not recomputing (yay potential man in the middle attacks)
            after TLS, then yes it's not a matter of what's been compiled in -- it's
            looking at the 'wrong' features list.

            Thanks anyhow, I'm using the stock Debian packages. I'd love to be in a
            situation where fiddling with the source is an option. Unfortunately, I
            guess it's time to evaluate other MTAs.

            --
            alex
          • Victor Duchovni
            Message 5 of 8, Feb 1, 2008
              On Fri, Feb 01, 2008 at 11:33:09AM -0800, Alex Zepeda wrote:

              > Victor Duchovni wrote:
              >
              > > No Postfix (as of at least 2.2.0 which is the first official release
              > > that supports TLS) recomputes all EHLO features after STARTTLS. So your
              > > problem is elsewhere. Perhaps you don't have SASL "login" support in your
              > > Cyrus SASL library.
              >
              > As in my original post, the server *returns a null auth list* before
              > TLS, and returns an auth indicating login support *after* TLS.

              You don't need to repeat this a 3rd time...

              > If
              > Postfix is not recomputing (yay potential man in the middle attacks)
              > after TLS, then yes it's not a matter of what's been compiled in -- it's
              > looking at the 'wrong' features list.

              As I tried to say (but dropped a comma after "No"), Postfix recomputes
              all EHLO features after STARTTLS, including the SASL mechanisms, so
              your hypothesis is wrong. Postfix is NOT looking at the wrong feature
              list, so resume your debugging with the knowledge that "LOGIN" is seen,
              but not being accepted. Are you sure you have not disabled "plaintext"
              mechanisms? Are you sure you have Cyrus SASL's "login" module? ...

              --
              Viktor.
            • Wietse Venema
              Message 6 of 8, Feb 1, 2008
                Victor Duchovni:
                > On Fri, Feb 01, 2008 at 11:33:09AM -0800, Alex Zepeda wrote:
                >
                > > Victor Duchovni wrote:
                > >
                > > > No Postfix (as of at least 2.2.0 which is the first official release
                > > > that supports TLS) recomputes all EHLO features after STARTTLS. So your
                > > > problem is elsewhere. Perhaps you don't have SASL "login" support in your
                > > > Cyrus SASL library.
                > >
                > > As in my original post, the server *returns a null auth list* before
                > > TLS, and returns an auth indicating login support *after* TLS.
                >
                > You don't need to repeat this a 3rd time...
                >
                > > If
                > > Postfix is not recomputing (yay potential man in the middle attacks)
                > > after TLS, then yes it's not a matter of what's been compiled in -- it's
                > > looking at the 'wrong' features list.
                >
                > As I tried to say (but dropped a comma after "No"), Postfix recomputes
                > all EHLO features after STARTTLS, including the SASL mechanisms, so
                > your hypothesis is wrong. Postfix is NOT looking at the wrong feature
                > list, so resume your debugging with the knowledge that "LOGIN" is seen,
                > but not being accepted. Are you sure you have not disabled "plaintext"
                > mechanisms? Are you sure you have Cyrus SASL's "login" module? ...

                Check out these parameters:

                smtp_sasl_security_options (options BEFORE STARTTLS)
                smtp_sasl_tls_security_options (options AFTER STARTTLS)

                If smtp_sasl_tls_security_options disallows plaintext login
                then Postfix won't use the LOGIN method.

                Of course, if you don't have the SASL shared library object for LOGIN,
                then Postfix won't use the LOGIN method either.

                Wietse
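The following is an added example, not code from this thread and not Postfix source. It models the client-side decision that Noel's hint (message 1) and Wietse's explanation (message 6) describe: the AUTH list is re-read from the EHLO reply issued after STARTTLS, and the mechanism is then filtered by the option set in effect (smtp_sasl_tls_security_options, which by the Postfix documentation defaults to $smtp_sasl_security_options, itself "noplaintext, noanonymous"). The two EHLO transcripts are constructed to match the shape of the ones Alex posted; the set of installed Cyrus SASL plugins is an assumption passed in by the caller, and the property table for LOGIN/PLAIN/ANONYMOUS is a simplification of what the SASL library reports.

```python
"""Model of how a Postfix-like SMTP client selects a SASL mechanism from the
server's EHLO reply before and after STARTTLS.

Added example: not code from the postfix-users thread and not Postfix source.
The EHLO transcripts are constructed (same shape as the ones in the thread);
the option semantics follow the documentation for smtp_sasl_security_options
and smtp_sasl_tls_security_options.
"""

# Constructed EHLO replies, modelled on the transcripts Alex posted.
EHLO_BEFORE_TLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

EHLO_AFTER_TLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

# Simplified SASL property table (assumption for this example). LOGIN and PLAIN
# transmit the password itself, so they carry the "plaintext" property;
# ANONYMOUS carries "anonymous"; challenge/response mechanisms carry neither.
MECH_PROPERTIES = {
    "LOGIN": {"plaintext"},
    "PLAIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": set(),
    "DIGEST-MD5": set(),
}

# Postfix defaults per the documentation: smtp_sasl_security_options is
# "noplaintext, noanonymous" and smtp_sasl_tls_security_options defaults to
# $smtp_sasl_security_options, i.e. the same list.
DEFAULT_OPTIONS = ["noplaintext", "noanonymous"]


def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameter string."""
    features = {}
    for line in reply.splitlines()[1:]:       # line 0 is "250-host Hello [...]"
        body = line[4:].strip()               # drop the "250-" / "250 " prefix
        if not body:
            continue
        if body.upper().startswith("AUTH="):  # tolerate the legacy "AUTH=LOGIN" form
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def advertised_mechs(reply):
    """Mechanisms listed on the AUTH line; [] for a null or missing AUTH list."""
    return parse_ehlo(reply).get("AUTH", "").upper().split()


def choose_mech(reply, security_options, installed):
    """First advertised mechanism that has a local plugin and is not excluded by
    options such as "noplaintext" / "noanonymous"; None means no usable mech
    (the case Postfix logs as "No worthy mechs found")."""
    excluded = {o.strip()[2:] for o in security_options if o.strip().startswith("no")}
    for mech in advertised_mechs(reply):
        props = MECH_PROPERTIES.get(mech)
        if mech not in installed or props is None:
            continue                           # no plugin, or unknown mechanism
        if props & excluded:
            continue                           # ruled out by the option set
        return mech
    return None


def outcome_after_starttls(before_tls, after_tls, pre_opts, tls_opts, installed):
    """The pre-TLS EHLO only tells the client that STARTTLS is offered; after the
    handshake the client issues EHLO again and applies the TLS option set to
    the fresh AUTH list."""
    if "STARTTLS" not in parse_ehlo(before_tls):
        return choose_mech(before_tls, pre_opts, installed)
    return choose_mech(after_tls, tls_opts, installed)


if __name__ == "__main__":
    plugins = {"LOGIN", "PLAIN"}               # assumed Cyrus SASL plugins present
    print("pre-TLS AUTH list  :", advertised_mechs(EHLO_BEFORE_TLS))
    print("post-TLS AUTH list :", advertised_mechs(EHLO_AFTER_TLS))
    print("default options    :", outcome_after_starttls(
        EHLO_BEFORE_TLS, EHLO_AFTER_TLS, DEFAULT_OPTIONS, DEFAULT_OPTIONS, plugins))
    print("tls opts noanonymous:", outcome_after_starttls(
        EHLO_BEFORE_TLS, EHLO_AFTER_TLS, DEFAULT_OPTIONS, ["noanonymous"], plugins))
    print("no LOGIN plugin    :", outcome_after_starttls(
        EHLO_BEFORE_TLS, EHLO_AFTER_TLS, DEFAULT_OPTIONS, ["noanonymous"], {"PLAIN"}))
```

Run as a script, the three scenarios reproduce the thread: with the default option lists LOGIN is seen but rejected because it is a plaintext mechanism; relaxing the post-STARTTLS list to "noanonymous" makes LOGIN usable; and removing the LOGIN plugin from the installed set fails again regardless of options, which is Wietse's second point. Note that "noplaintext" refers to the SASL mechanism class, not to the transport: a plaintext mechanism inside TLS is still classed plaintext, which is why the TLS-specific option list exists.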
              • Alex Zepeda
                Message 7 of 8, Feb 9, 2008
                  Thanks for the help guys, problem solved.

                  --
                  alex