
Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

  • fleon
    Message 1 of 24, Feb 10, 2014
      Hello, I am using Debian 7.3 with Postfix, and am trying to send email
      through our Exchange 2007 server. I have read tons of posts but I have been
      unable to get it to work.

      I am using the postfix package that comes with Debian, and also installed
      libsasl2-modules

      On mail.cf I tried the following:

      relayhost= exchangeserver.ourdomain.com
      smtp_sasl_security_options=
      smtp_sasl_auth_enable=yes
      smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd

      I get 5.3.5 5.7.3 Authentication unsuccessful, so I also tried using telnet
      to port 25.

      I am using the command AUTH NTLM, which returns 334, but so far I have tried
      unsuccessfully to enter the login as follows:

      myuser@...
      domain\myuser
      exchangeserver\myuser

      Using Wireshark I did see my Outlook client on my Windows box try to log in
      to Exchange with:

      AUTH3: call_id: 2, Fragment: Single, NTLMSSP_AUTH, User:
      exchangeserver\myuser

      On auth.log I get (2 times):
      NTLM client step 1
      NTLM client step 2
      server flags: ff810205
      server domain: DOMAIN
      calculating NT response

      On /etc/postfix/sasl/sasl_passwd I have:
      exchangeserver.ourdomain.com myuser@...:password

      I did run postmap hash:/etc/postfix/sasl/sasl_passwd and
      /etc/postfix/main.cf as well

      I do have a workaround if I cannot get this to work, which is to use a
      virtual SMTP server that is on our Windows webserver, which doesn't ask for
      authentication; I have already tested it and it works. But I would like
      to learn how to do this properly.

      Thanks in advance

      --
      View this message in context: http://postfix.1071664.n5.nabble.com/Exchange-2007-gives-535-5-7-3-Authentication-unsuccessful-tp65072.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Viktor Dukhovni
      Message 2 of 24, Feb 10, 2014
        On Mon, Feb 10, 2014 at 09:54:42AM -0800, fleon wrote:

        > Hello, i am using Debian 7.3 with postfix, and am trying to send email
        > through our Exchange 2007 server. I have read tons of posts but i have been
        > unable to get it to work
        >
        > I am using the postfix package that comes with Debian, and also installed
        > libsasl2-modules

        Does this include an NTLM plugin?

        > On mail.cf i tried the following:
        >
        > relayhost= exchangeserver.ourdomain.com

        Perhaps you mean:

        relayhost = [exchangeserver.ourdomain.com]

        which is better when MX record lookups are not intended.

        > smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd
        >
        > I get 5.3.5 5.7.3 Authentication unsuccessful, so i also tried using telnet
        > to port 25

        Which mechanism does Postfix attempt to use? (add the destination to
        debug_peer_list and examine the verbose logs).


        > I am using command AUTH NTLM, which returns 334,

        Is that what Postfix uses? 334 just means continue, which means that
        NTLM authentication requires a multi round-trip handshake.

        > but so far i have tried unsuccessfully to enter the login as follows:

        The data should probably be base64 encoded, ... interactive debugging
        is unlikely to be useful.

        > on /etc/postfix/sasl/sasl_passwd i have:
        > exchangeserver.ourdomain.com myuser@...:password

        If you put "[]" around the relayhost setting, do likewise around
        the password table lookup key.

        This may not be the right username format. Perhaps you need:
        DOMAIN\myuser. However, if your server supports GSSAPI, you might
        have more luck with that. You just need a working credential cache
        in KRB5CCNAME. An hourly cron job can run "kinit" to refresh the
        ccache, while KRB5CCNAME can be added to the Postfix SMTP client
        by setting "import_environment" to include all the default values
        plus "KRB5CCNAME=FILE:/some/path".

        --
        Viktor.
      • fleon
        Message 3 of 24, Feb 10, 2014
          I added the debug command you requested so you can see the whole error. I
          don't seem to have DNS issues so I haven't felt the need for the brackets. I
          do seem to have the NTLM module.

          I am aware of base64, so in my tests with telnet I did use base64 to enter
          the username, but as soon as I pressed enter I got the errors I posted. I
          wanted to find out the proper username syntax so I could edit the SASL
          password file properly.

          My tests are being done with the sendmail command.

          I don't know how to configure the Linux box properly, so users by default
          try to use the sendmail command as "user@..." instead of
          "user@...". This box is being configured as a helpdesk,
          therefore it has a "helpdesk" hostname.

          syslog.txt <http://postfix.1071664.n5.nabble.com/file/n65074/syslog.txt>

        • Viktor Dukhovni
          Message 4 of 24, Feb 10, 2014
            On Mon, Feb 10, 2014 at 10:39:49AM -0800, fleon wrote:

            > I added the debug command you requested so you can see the whole error. I
            > don't seem to have dns issues so i haven't felt the need for the brackets. I
            > do seem to have the NTLM module

            You need to add the "[]" not because you may or may not have DNS issues,
            but because they are required to express the fact that you're designating
            a destination host, not an MX domain (unless you're relying on MX records).

            > I am aware of base64, so my tests with telnet i did use base64 to enter the
            > username but as soon as i pressed enter i got the errors i posted. I wanted
            > to find out the proper username syntax so i could edit the sasl password
            > file properly.
            I've not delved into NTLM in detail, but I would expect Windows-style
            names "EXAMPLE\user" rather than enterprise names "user@...".

            > My tests are being done with the sendmail command.

            This is not important.

            > I don't know how to configure the linux box properly, so users by default
            > try to use the sendmail command as "user@..." instead of
            > "user@...". This box is being configured as a helpdesk
            > therefore it has a "helpdesk" hostname.
            >
            > syslog.txt <http://postfix.1071664.n5.nabble.com/file/n65074/syslog.txt>

            You've almost certainly disclosed the password in (the base64
            content of) these logs, change it as soon as you get a chance.

            -- Viktor.
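Viktor's warning applies to any verbose SMTP client log: once the relay is in debug_peer_list, the base64 of every AUTH LOGIN/PLAIN response lands in syslog. The Python below is an added example, not Postfix code and not something posted in the thread: it walks such a log once, reports which credentials would be exposed (so you know what to rotate) and redacts them before the log is shared. The log lines, host and credentials are constructed to resemble postfix/smtp verbose output; the exact line layout is an assumption.

```python
import base64
import re

# Constructed log excerpt in the style of postfix/smtp verbose output (as
# produced when the relay is listed in debug_peer_list).  Host, credentials
# and the exact line layout are made up for this example.
SAMPLE_LOG = """\
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: EHLO helpdesk.ourdomain.com
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: < exchangeserver.ourdomain.com[10.0.0.5]:25: 250-AUTH NTLM LOGIN
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: AUTH LOGIN
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: < exchangeserver.ourdomain.com[10.0.0.5]:25: 334 VXNlcm5hbWU6
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: U0VHQ0FUXG15dXNlcg==
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: < exchangeserver.ourdomain.com[10.0.0.5]:25: 334 UGFzc3dvcmQ6
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: aHVudGVyMg==
Feb 10 10:39:49 helpdesk postfix/smtp[4242]: < exchangeserver.ourdomain.com[10.0.0.5]:25: 535 5.7.3 Authentication unsuccessful
Feb 10 10:39:50 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: AUTH PLAIN AG15dXNlcgBodW50ZXIy
Feb 10 10:39:50 helpdesk postfix/smtp[4242]: < exchangeserver.ourdomain.com[10.0.0.5]:25: 235 2.7.0 Authentication successful
Feb 10 10:39:50 helpdesk postfix/smtp[4242]: > exchangeserver.ourdomain.com[10.0.0.5]:25: QUIT
"""

# "> peer: text" is client-to-server, "< peer: text" is server-to-client.
LINE_RE = re.compile(
    r"^(?P<prefix>.*postfix/smtp\[\d+\]: )(?P<dir>[<>]) (?P<peer>\S+): (?P<payload>.*)$")
AUTH_RE = re.compile(r"^AUTH\s+(?P<mech>\S+)(?:\s+(?P<initial>\S+))?\s*$", re.IGNORECASE)


def decode_response(token):
    """Decode one base64 SASL client response; NULs in PLAIN stay visible."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return "<not base64>"


def scan_sasl_exchange(log):
    """Single pass over the log.  Returns (redacted_log, leaked), where leaked
    lists (mechanism, decoded_response) for every client line that carried
    credentials.  Server challenges (334 ...) are left alone: for LOGIN they are
    just "Username:"/"Password:".  A 235 or 5xx reply ends the exchange."""
    out, leaked, mech = [], [], None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        direction, payload = m.group("dir"), m.group("payload")
        if direction == ">":
            a = AUTH_RE.match(payload)
            if a:
                mech = a.group("mech").upper()
                if a.group("initial"):           # AUTH PLAIN <initial-response>
                    leaked.append((mech, decode_response(a.group("initial"))))
                    payload = f"AUTH {a.group('mech')} [REDACTED]"
            elif mech:                           # continuation of the handshake
                leaked.append((mech, decode_response(payload)))
                payload = "[REDACTED]"
        elif mech and not payload.startswith("334"):
            mech = None
        out.append(f"{m.group('prefix')}{direction} {m.group('peer')}: {payload}")
    return "\n".join(out) + ("\n" if log.endswith("\n") else ""), leaked


if __name__ == "__main__":
    clean, exposed = scan_sasl_exchange(SAMPLE_LOG)
    print(clean)
    for mechanism, secret in exposed:
        print(f"{mechanism}: {secret!r} was in the log; rotate it")
```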
          • fleon
            Message 5 of 24, Feb 10, 2014
              Well, I tried with [] in both files, also tried changing the SASL password
              file to use domain\user instead of user@... and still I get the same
              errors.

              I wonder if Exchange is rejecting anything without TLS. Our Exchange has a
              self-signed certificate and I know if I want to try TLS I will need to add
              it.

              I am trying to do all of this to integrate the helpdesk request tracker with
              Exchange, but I guess I will stick with the virtual SMTP server. It is
              insecure since it doesn't do authentication, but that server does not face
              the internet directly, and our webserver already uses it to send email from
              webapps, so we were already at risk anyway.

              Now, to handle incoming mail, which I guess will be handled by fetchmail.

            • lists@rhsoft.net
              Message 6 of 24, Feb 10, 2014
                Am 10.02.2014 19:39, schrieb fleon:
                > I added the debug command you requested so you can see the whole error. I
                > don't seem to have dns issues so i haven't felt the need for the brackets. I
                > do seem to have the NTLM module

                Uninstall the NTLM module.

                On my Fedora machines I had the same until "yum remove cyrus-sasl-ntlm".
                After uninstalling, it falls back to MD5 auth over TLS in case TLS is
                available on both sides.
              • Viktor Dukhovni
                Message 7 of 24, Feb 10, 2014
                  On Mon, Feb 10, 2014 at 11:51:31PM +0100, lists@... wrote:

                  > Am 10.02.2014 19:39, schrieb fleon:
                  > > I added the debug command you requested so you can see the whole error. I
                  > > don't seem to have dns issues so i haven't felt the need for the brackets. I
                  > > do seem to have the NTLM module
                  >
                  > uninstall the NTLM module

                  Uninstalling is a crude solution that is not always easy (the module
                  may not be delivered separately) and impacts other applications that
                  need NTLM.

                  Postfix has "smtp_sasl_mechanism_filter" to deal with unwanted
                  mechanisms.

                  --
                  Viktor.
                • fleon
                  Message 8 of 24, Feb 11, 2014
                    I disabled NTLM with sasl_mechanism_filter = !ntlm but of course now I get an
                    error that the server offered no compatible authentication mechanism.

                    When I telnet to my Exchange server I only get:

                    STARTTLS
                    X-ANONYMOUS TLS
                    AUTH NTLM
                    X-EXPS GSSAPI NTLM

                    Like I said, if I cannot get this to work, I will rely on the virtual SMTP
                    server that is located on my webserver, which is what we already use for our
                    website.

                  • lists@rhsoft.net
                    Message 9 of 24, Feb 11, 2014
                      Am 11.02.2014 13:13, schrieb fleon:
                      > i disabled NTLM with sasl_mechanism_filter = !ntlm but of course now i get an
                      > error that the server offered no compatible authentication mechanism
                      >
                      > When i telnet to my exchange server i only get:
                      >
                      > STARTTLS
                      > X-ANONYMOUS TLS
                      > AUTH NTLM
                      > X-EXPS GSSAPI NTLM
                      >
                      > Like i said, if i cannot get this to work, i will rely on the virtual smtp
                      > server that is located on my webserver, which is what we already use for our
                      > website

                      * we relay to a customer with Microsoft ESMTP MAIL Service
                      because we don't host their email but webservices sending
                      messages with their sender domain as envelope
                      * the exchange machine pretends the same as yours
                      * but SASL auth works for sure

                      250-SIZE 10485760
                      250-PIPELINING
                      250-DSN
                      250-ENHANCEDSTATUSCODES
                      250-STARTTLS
                      250-AUTH NTLM
                      250-8BITMIME
                      250-BINARYMIME
                      250 CHUNKING
                      ____________________________

                      On our Postfix relay these packages are installed:

                      * no ntlm
                      * no gssapi

                      cyrus-sasl-2.1.26-10.fc19.x86_64
                      cyrus-sasl-md5-2.1.26-10.fc19.x86_64
                      cyrus-sasl-lib-2.1.26-10.fc19.x86_64
                      cyrus-sasl-plain-2.1.26-10.fc19.x86_64
                    • fleon
                      Message 10 of 24, Feb 11, 2014
                        Hello, can you please put your relevant main.cf, /etc/postfix/generic,
                        etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
                        /etc/aliases and maybe a syslog entry after doing a test with
                        /usr/sbin/sendmail?

                        Please mangle your username, domain and password hashes.

                        Your server seems quite similar to mine, but if you don't have NTLM
                        installed, I think you may be using TLS to connect, and probably would need
                        the syslog entry to confirm.

                        My Exchange server is "exchangeserver.ourdomain.com" and it's the 2007
                        version.
                        Our Windows "long" domain name is "ourdomain.com"
                        Our Windows "short" domain name is "SEGCAT"

                        I tried using EXCHANGESERVER\myuser, myuser@... and SEGCAT\myuser
                        in the SASL hash file and it didn't work.

                        I am using Debian 7.3, with apt-get install postfix libsasl2-modules

                      • lists@rhsoft.net
                        Message 11 of 24, Feb 11, 2014
                          Am 11.02.2014 13:31, schrieb fleon:
                          > Hello, can you please put your relevant main.cf, /etc/postfix/generic,
                          > etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
                          > /etc/aliases and maybe a syslog entry after doing a test with
                          > /usr/sbin/sendmail?

                          all database configuration

                          > Please mangle your username, domain and password hashes.
                          >
                          > Your server seems quite similar to mine, but if you don't have NTLM
                          > installed, i think you may be using TLS to connect, and probably would need
                          > the syslog entry to confirm.

                          For sure it uses TLS because we use encryption *everywhere* if it is possible.
                          Maybe that is the reason why it just works and falls back to PLAIN, which
                          you don't see in the outgoing Postfix log.

                          Trusted TLS connection established to exchange.xx.xx[xx.xx.xx.xx]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

                          You posted that your server says "STARTTLS";
                          well, then configure it on the Postfix client:

                          smtp_use_tls = yes
                          smtp_tls_loglevel = 1
                          smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
                          smtp_tls_security_level = may
                          smtp_tls_note_starttls_offer = yes
                          smtp_tls_session_cache_timeout = 3600s
                          smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
                          smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5


                          > My exchange server is "exchangeserver.ourdomain.com" and it's the 2007
                          > version.
                          > Our windows "long" domain name is "ourdomain.com"
                          > Our windows "short" domain name is "SEGCAT"
                          >
                          > I tried using EXCHANGESERVER\myuser, myuser@... and SEGCAT\myuser
                          > in the sasl hash file and didn't work

                          There is no valid reason to guess usernames;
                          just use the same credentials as you enter in an ordinary MUA.
                        • fleon
                          Message 12 of 24, Feb 11, 2014
                            I tried to connect with this command:

                            openssl s_client -starttls smtp -crlf -connect exchangeserver.ourdomain.com:25

                            It connects, though it says it can't validate the certificate (which is
                            expected, our Exchange certificate is self-signed).

                            After EHLO I now get:
                            AUTH NTLM LOGIN

                            So I tried with LOGIN and it requested my username and password in base64.

                            After typing them manually encoded, I got a RENEGOTIATING and finally a
                            handshake failure. Don't know if it's because I typed the username in the
                            wrong format or if it just didn't like the certificate.

                          • Wietse Venema
                            Message 13 of 24, Feb 11, 2014
                              fleon:
                              > I tried to connect with this command:
                              >
                              > openssl s_client -starttls smtp -crlf -connect exchangeserver.ourdomain.com:25
                              ...
                              > After typing then manually encoded, i got a RENEGOTIATING and finally a

                              Openssl s_client will "renegotiate" when you type "R". Try using
                              lowercase characters only.

                              Wietse
                            • Viktor Dukhovni
                              Message 14 of 24, Feb 11, 2014
                                On Tue, Feb 11, 2014 at 09:48:03AM -0800, fleon wrote:

                                > After EHLO i now get:
                                > AUTH NTLM LOGIN
                                >
                                > So i tried with login and it requested my username and password in base64.
                                >
                                > After typing then manually encoded, i got a RENEGOTIATING and finally a
                                > handshake failure. Don't know if it's because i typed the username in wrong
                                > format or if just it didn't like the certificate.

                                openssl s_client is a testing tool, not a netcat replacement. It
                                processes "R" at the beginning of a line as an SSL re-negotiate
                                request.

                                If you enable TLS in Postfix, it should be able to use "LOGIN",
                                and you'll be all set. The username will likely work without any
                                domain, but you can try a few formats if a bare username does not
                                work.

                                --
                                Viktor.
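Three main.cf knobs interact here and the thread hits them one at a time: TLS changes what Exchange advertises (LOGIN appears only after STARTTLS), smtp_sasl_mechanism_filter decides which offered mechanisms the client considers, and smtp_sasl_security_options (with smtp_sasl_tls_security_options defaulting to it) drops plaintext mechanisms unless relaxed. The Python below is an added example, not Postfix code and not from the thread: it reimplements the client's mechanism selection in simplified form over EHLO replies constructed from what fleon pasted, so you can check which mechanism a given configuration would attempt. It assumes a Debian client whose libsasl2-modules include the NTLM plugin; the X-EXPS line is Exchange's own extension and is ignored.

```python
import re

# Mechanisms that send the password in the clear unless TLS wraps the session.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}

# Constructed EHLO replies modelled on what the thread shows Exchange 2007
# advertising on port 25: only NTLM/GSSAPI in the clear, LOGIN after STARTTLS.
EHLO_BEFORE_STARTTLS = """\
250-exchangeserver.ourdomain.com Hello [10.0.0.7]
250-SIZE 10485760
250-PIPELINING
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250 8BITMIME"""

EHLO_AFTER_STARTTLS = """\
250-exchangeserver.ourdomain.com Hello [10.0.0.7]
250-SIZE 10485760
250-PIPELINING
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250 8BITMIME"""

EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply):
    """Return {'starttls': bool, 'auth': [...]} from a multi-line 250 reply.
    Only the AUTH keyword is a SASL offer; X-EXPS is an Exchange extension."""
    starttls, mechs = False, []
    for line in reply.splitlines():
        m = EHLO_LINE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1).upper(), m.group(2) or ""
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechs.extend(a.upper() for a in args.split())
    return {"starttls": starttls, "auth": mechs}


def apply_mechanism_filter(mechs, mechanism_filter):
    """smtp_sasl_mechanism_filter as a Postfix string list: patterns are tried
    in order, the first match decides ("!" means exclude) and a name matching
    no pattern is dropped, so an exclusion-only list needs a catch-all such as
    static:rest.  An empty filter keeps everything.  Names compare
    case-insensitively; /file/name and other type:table patterns are not modelled."""
    patterns = [p for p in re.split(r"[\s,]+", mechanism_filter.strip()) if p]
    if not patterns:
        return list(mechs)

    def allowed(name):
        for pat in patterns:
            negate = pat.startswith("!")
            pat = (pat[1:] if negate else pat).lower()
            if pat.startswith("static:") or pat == name.lower():
                return not negate
        return False

    return [m for m in mechs if allowed(m)]


def apply_security_options(mechs, options):
    """smtp_sasl_security_options: 'noplaintext' drops PLAIN and LOGIN,
    'noanonymous' drops ANONYMOUS.  The Postfix default is both."""
    opts = {o.strip().lower() for o in options.split(",") if o.strip()}
    kept = [m for m in mechs if not ("noplaintext" in opts and m in PLAINTEXT_MECHS)]
    return [m for m in kept if not ("noanonymous" in opts and m in ANONYMOUS_MECHS)]


def select_mechanism(ehlo_reply, tls_active, client_mechs, mechanism_filter="",
                     security_options="noplaintext, noanonymous",
                     tls_security_options=None):
    """Mechanism the client would try, or None when nothing compatible remains.
    tls_security_options stands in for smtp_sasl_tls_security_options, which
    Postfix defaults to $smtp_sasl_security_options.  Candidates are taken in
    server-advertised order; Cyrus SASL ranks them by its own strength metric,
    which only matters when several survive the filters."""
    if tls_active and tls_security_options is not None:
        security_options = tls_security_options
    offered = parse_ehlo(ehlo_reply)["auth"]
    candidates = apply_mechanism_filter(offered, mechanism_filter)
    candidates = apply_security_options(candidates, security_options)
    supported = {c.upper() for c in client_mechs}
    return next((m for m in candidates if m in supported), None)


if __name__ == "__main__":   # fleon's working combination: TLS on, NTLM filtered out
    print(select_mechanism(EHLO_AFTER_STARTTLS, True, ["PLAIN", "LOGIN", "NTLM"],
                           "!ntlm, static:rest", security_options=""))
```

Note the last two assertions' point: with the default smtp_sasl_security_options, LOGIN stays excluded even over TLS, which is why fleon's empty "smtp_sasl_security_options =" mattered.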
                              • fleon
                                Message 15 of 24, Feb 11, 2014
                                  I have this in my main.cf (note: I didn't set this up, my guess is that
                                  Debian itself did, or maybe when I installed libsasl2-modules, but I don't
                                  think so):

                                  smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                                  smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                                  smtpd_use_tls = yes
                                  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                                  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

                                  This is the rest of the relevant content in main.cf:
                                  myhostname = helpdesk.ourdomain.com
                                  alias_maps = hash:/etc/aliases
                                  alias_database = hash:/etc/aliases
                                  myorigin = /etc/mailname
                                  mydestination = helpdesk.ourdomain.com

                                  relayhost = [exchangeserver.ourdomain.com]
                                  smtp_sasl_security_options =
                                  smtp_sasl_auth_enable = yes
                                  smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
                                  broken_sasl_auth_clients = yes
                                  smtp_always_send_ehlo = yes

                                  I tried then:

                                  smtp_sasl_tls_security_options
                                  smtp_sasl_mechanism_filter = login

                                  But if I do the last line, then it says NTLM isn't allowed.

                                  What am I missing to enable TLS properly and then be able to use AUTH LOGIN?

                                • Viktor Dukhovni
                                  Message 16 of 24, Feb 11, 2014
                                    On Tue, Feb 11, 2014 at 10:36:54AM -0800, fleon wrote:

                                    > I have this in my main.cf (note: i didn't set this up, my guess is that
                                    > debian itself did, or maybe when i installed libsasl2-modules, but i don't
                                    > think so)
                                    >
                                    > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                                    > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                                    > smtpd_use_tls = yes
                                    > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

                                    Server-side TLS enabled. Use "smtpd_tls_security_level = may"
                                    instead of the obsolete "smtpd_use_tls = yes".

                                    > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

                                    Client-side TLS is not enabled. Enable client-side TLS:

                                    smtp_tls_security_level = may

                                    > What am i missing to enable TLS properly and then be able to use AUTH LOGIN?

                                    See above.

                                    --
                                    Viktor.
                                  • lists@rhsoft.net
                                    Message 17 of 24, Feb 11, 2014
                                      Am 11.02.2014 20:01, schrieb Viktor Dukhovni:
                                      > On Tue, Feb 11, 2014 at 10:36:54AM -0800, fleon wrote:
                                      >
                                      >> I have this in my main.cf (note: i didn't set this up, my guess is that
                                      >> debian itself did, or maybe when i installed libsasl2-modules, but i don't
                                      >> think so)
                                      >>
                                      >> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
                                      >> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
                                      >> smtpd_use_tls = yes
                                      >> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
                                      >
                                      > Server-side TLS enabled. Use "smtpd_tls_security_level = may"
                                      > instead of the obsolete "smtpd_use_tls = yes".

                                      To say it clearly: anything with smtpd_ as prefix has
                                      nothing to do with sending a message to another server.

                                      >> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                                      >
                                      > Client-side TLS is not enabled. Enable client-side TLS:
                                      >
                                      > smtp_tls_security_level = may
                                      >
                                      >> What am i missing to enable TLS properly and then be able to use AUTH LOGIN?
                                      >
                                      > See above

                                      And that is why I posted, hours ago, the *client* configuration
                                      of the machine that happily sends authenticated mail over TLS to
                                      Exchange:

                                      smtp_use_tls = yes
                                      smtp_tls_loglevel = 1
                                      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
                                      smtp_tls_security_level = may
                                      smtp_tls_note_starttls_offer = yes
                                      smtp_tls_session_cache_timeout = 3600s
                                      smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
                                      smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
                                    • Viktor Dukhovni
                                      Message 18 of 24, Feb 11, 2014
                                        On Tue, Feb 11, 2014 at 08:06:17PM +0100, lists@... wrote:

                                        > and that is why i hours ago posted the *client* configuration
                                        > of the machine happily sends authenticated mail over TLS to
                                        > exchange
                                        >
                                        > smtp_use_tls = yes

                                        Obsolete.

                                        > smtp_tls_loglevel = 1
                                        > smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

                                        Leaving it blank is better. The browser CA bundle has no relevance
                                        to SMTP.

                                        > smtp_tls_security_level = may

                                        Correct.

                                        > smtp_tls_note_starttls_offer = yes

                                        Pointless, since the security level is "may".

                                        > smtp_tls_session_cache_timeout = 3600s
                                        > smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

                                        Better to use ${data_directory} instead of explicit /var/lib/postfix.

                                        > smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5

                                        If one wants to exclude 3DES and DES, it is far easier to set:

                                        smtp_tls_exclude_ciphers = 3DES DES

                                        which covers all the above much more concisely. I imagine this is
                                        intended to avoid CBC problems with Microsoft Exchange 2003.

                                        --
                                        Viktor.
                                      • fleon
                                        Message 19 of 24 , Feb 11, 2014
                                          FINALLY it worked, but not before i disabled NTLM in the config, because
                                          otherwise it would try it.

                                          So, i had to enable client side TLS and disable NTLM. It says untrusted
                                          connection in the logs, and i tried modifying the mynetworks variable below
                                          but couldn't fix it. It may be untrusted because of the invalid exchange
                                          certificate.

                                          For reference, here is the main.cf i used. I am aware of the obsolete
                                          and unneeded entries.

                                          smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                                          myhostname = helpdesk.seguroscatatumbo.com
                                          relayhost = [mar-exch01.seguroscatatumbo.com]
                                          smtp_sasl_tls_security_options =
                                          smtp_sasl_mechanism_filter = login !ntlm
                                          smtp_use_tls = yes
                                          smtp_tls_loglevel = 1
                                          smtp_tls_note_starttls_offer = yes
                                          smtp_tls_security_level = may
                                          smtp_tls_session_cache_timeout = 3600s
                                          smtp_tls_CAfile =
                                          smtp_sasl_auth_enable = yes
                                          smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
                                          broken_sasl_auth_clients = yes
                                          smtp_always_send_ehlo = yes
                                          ###
                                          mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24

                                          /etc/aliases contains one modification:
                                          root: myuser

                                          /etc/postfix/generic has one line:
                                          root@... myuser@...

                                          /etc/postfix/sasl/sasl_passwd has one line:
                                          [exchangeserver.ourdomain.com] DOMAIN\myuser:mypass

                                          Now, a final question that isn't exactly relevant to postfix. Can i make
                                          emails sent to come as "myuser@..." instead of the default
                                          "myuser@..."

                                          I am aware that my linux box is called "helpdesk" and that /etc/hosts says:

                                          127.0.0.1 helpdesk
                                          127.0.0.1 helpdesk.ourdomain.com helpdesk

                                          I tried setting mydestination in main.cf to ourdomain.com but then
                                          postfix didn't try to relay to exchange, which i guess is the right behaviour.
                                          I am aware that when i configure the helpdesk i may try just impersonating
                                          the account as helpdesk@... without touching anything else.




                                          --
                                          View this message in context: http://postfix.1071664.n5.nabble.com/Exchange-2007-gives-535-5-7-3-Authentication-unsuccessful-tp65072p65126.html
                                          Sent from the Postfix Users mailing list archive at Nabble.com.
                                        • lists@rhsoft.net
                                          Message 20 of 24 , Feb 11, 2014
                                            Am 11.02.2014 21:15, schrieb fleon:
                                            > FINALLY it worked, but not before i disabled NTLM in the config, because
                                            > otherwise it would try it.

                                            as said in my first reply "uninstall the NTLM module"

                                            as long as you have no damned good reason to install it;
                                            in case of the distributions i work with it is its own
                                            sub-package with no further dependencies and so you
                                            don't have to bother about configurations

                                            i never faced any positive effect in installing and configuring
                                            the NTLM crap except troubles over troubles, be it mail
                                            delivery or stupid Apple clients preferring it in their config
                                            while from time to time failing to handle NTLM correctly

                                            > So, i had to enable client side TLS and disabling NTLM. It says untrusted
                                            > connection in the logs, and i tried modifying the mynetworks variable below
                                            > but couldn't fix it. It may be untrusted because of the invalid exchange
                                            > certificate

                                            it says untrusted because the certificate on the remote side is
                                            not from a trusted CA or postfix does not know the CA

                                            and that is why i have
                                            smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

                                            connections to Google as example are trusted with and Untrusted without
                                            http://www.postfix.org/postconf.5.html#smtp_tls_CAfile

                                            Am 11.02.2014 20:17, schrieb Viktor Dukhovni:
                                            >> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
                                            >
                                            > Leaving it blank is better. The browser CA bundle has no relevance to SMTP

                                            it has no relevance in case of opportunistic TLS but it makes a difference
                                          • Viktor Dukhovni
                                            Message 21 of 24 , Feb 11, 2014
                                              On Tue, Feb 11, 2014 at 10:14:10PM +0100, lists@... wrote:

                                              > > So, i had to enable client side TLS and disabling NTLM. It says untrusted
                                              > > connection in the logs, and i tried modifying the mynetworks variable below
                                              > > but couldn't fix it. It may be untrusted because of the invalid exchange
                                              > > certificate
                                              >
                                              > it says untrusted because the certificate on the remote side is
                                              > not from a trusted CA or postfix does not know the CA

                                              Which is just fine in the majority of cases.

                                              > and that is why i have
                                              > smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

                                              Too many CAs to claim meaningful trust, too few CAs to authenticate
                                              everyone. In particular, for the OP the Exchange server's certificate
                                              is internally provisioned, and the CA in question is not in the
                                              browser ca bundle.

                                              The OP may choose to specify the actual issuer for his server cert
                                              in CAfile, and to use the policy table or a dedicated transport to
                                              make TLS mandatory (perhaps smtp_tls_security_level = "secure")
                                              for the destination in question.

                                              --
                                              Viktor.
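As an added example (not Postfix code and not anything the participants posted), here is a small Python audit that parses a main.cf and flags the client-side points Viktor raises in messages 18 and 21, plus the NTLM mechanism point from messages 19 and 20. The two sample configs are constructed from the settings posted above with the real host names replaced by the thread's placeholders; the `tls_policy` map path and the issuer-CA file name in the cleaned config are assumptions.

```python
"""Audit a Postfix main.cf for the SMTP-client TLS and SASL points raised in this thread.

Added example; not Postfix code and not anything posted in the thread.
"""
import re

# Constructed from the settings posted in messages 18 and 19 (host names are placeholders).
SAMPLE_MAIN_CF = """\
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
myhostname = helpdesk.ourdomain.com
relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login !ntlm
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA,
    EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
"""

# The same config after applying the thread's advice (also constructed; the
# tls_policy map and issuer-CA file are assumed names, not from the thread).
CLEANED_MAIN_CF = """\
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = helpdesk.ourdomain.com
relayhost = [exchangeserver.ourdomain.com]
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/postfix/exchange-issuer-ca.pem
smtp_tls_exclude_ciphers = 3DES DES
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login !ntlm
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
"""


def parse_main_cf(text):
    """Parse main.cf into {name: value}; a line starting with whitespace continues the previous value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def audit(params):
    """Return one finding string per issue; an empty list means nothing to flag."""
    findings = []
    level = params.get("smtp_tls_security_level", "")

    if "smtp_use_tls" in params:
        findings.append("smtp_use_tls is obsolete; smtp_tls_security_level replaces it")
    if params.get("smtp_tls_note_starttls_offer") == "yes" and level == "may":
        findings.append("smtp_tls_note_starttls_offer is pointless at security level 'may'")
    if "/var/lib/postfix" in params.get("smtp_tls_session_cache_database", ""):
        findings.append("smtp_tls_session_cache_database: use ${data_directory} instead of /var/lib/postfix")

    # A long hand-written list of DES/3DES suites is covered by the two cipher-class names.
    suites = [s for s in re.split(r"[,\s]+", params.get("smtp_tls_exclude_ciphers", "")) if s]
    if len(suites) > 2 and all("DES" in s for s in suites):
        findings.append("smtp_tls_exclude_ciphers: the cipher-class names '3DES DES' cover this list")

    if params.get("smtp_tls_CAfile", "").endswith("ca-bundle.crt"):
        findings.append("smtp_tls_CAfile: a browser CA bundle cannot authenticate an internally "
                        "issued relayhost certificate; leave it empty or point it at the actual issuer CA")

    if params.get("smtp_sasl_auth_enable") == "yes" and "!ntlm" not in params.get("smtp_sasl_mechanism_filter", ""):
        findings.append("smtp_sasl_mechanism_filter does not exclude ntlm; the relay in this thread "
                        "only worked once NTLM was filtered out")

    if params.get("relayhost") and level == "may" and not params.get("smtp_tls_policy_maps"):
        findings.append("relayhost gets opportunistic TLS only; a smtp_tls_policy_maps entry "
                        "(e.g. 'secure') would make TLS mandatory and verified for it")
    return findings


if __name__ == "__main__":
    for label, cf in (("posted", SAMPLE_MAIN_CF), ("cleaned", CLEANED_MAIN_CF)):
        found = audit(parse_main_cf(cf))
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The policy-map key for the relayhost must match its spelling in `relayhost`, brackets included (`[exchangeserver.ourdomain.com] secure`), and at level `secure` the server certificate must chain to the CA in `smtp_tls_CAfile` and carry the relayhost's name, which is why an internally issued certificate needs its own issuer CA rather than a browser bundle.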
                                            • Noel Jones
                                              Message 22 of 24 , Feb 11, 2014
                                                On 2/11/2014 2:15 PM, fleon wrote:
                                                > ...
                                                > Now, a final question that isn't exactly relevant to postfix. Can i make
                                                > emails sent to come as "myuser@..." instead of the default
                                                > "myuser@..."

                                                Maybe you're looking for
                                                http://www.postfix.org/postconf.5.html#masquerade_domains

                                                # main.cf
                                                masquerade_domains = ourdomain.com

                                                Alternately, this can be done with smtp_generic_maps
                                                http://www.postfix.org/postconf.5.html#smtp_generic_maps


                                                See the docs for more details.
                                                http://www.postfix.org/ADDRESS_REWRITING_README.html
                                                http://www.postfix.org/STANDARD_CONFIGURATION_README.html




                                                -- Noel Jones
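To show the difference between the two rewriting options Noel points to, here is an added example (my own re-implementation of the documented table semantics, not Postfix code) that applies `masquerade_domains` and a `generic` lookup table to sender addresses. Domains and addresses are constructed from the thread's placeholders; the `!lab.ourdomain.com` exception and the `@helpdesk.ourdomain.com` wildcard entry are assumptions added to exercise the less obvious rules.

```python
"""Sender-address rewriting as done by Postfix masquerade_domains and smtp_generic_maps.

Added example: a re-implementation of the documented table semantics, not Postfix code.
All domains and addresses are constructed placeholders.
"""

# masquerade_domains = !lab.ourdomain.com ourdomain.com
# A "!" prefix means "do not masquerade this domain or its subdomains"; the
# first matching entry wins, so the exception is listed before the parent domain.
MASQUERADE_DOMAINS = ["!lab.ourdomain.com", "ourdomain.com"]
# masquerade_exceptions: user names never masqueraded (Postfix default is empty).
MASQUERADE_EXCEPTIONS = frozenset({"root"})

# /etc/postfix/generic as a lookup table (what postmap would build). An
# "@domain" key matches any user in that domain; a result of the form
# "@otherdomain" keeps the user name and replaces only the domain.
GENERIC_MAP = {
    "root@helpdesk.ourdomain.com": "myuser@ourdomain.com",
    "@helpdesk.ourdomain.com": "@ourdomain.com",
}


def masquerade(address, masquerade_domains, masquerade_exceptions=frozenset()):
    """Strip the subdomain structure below the first matching masquerade domain."""
    user, sep, domain = address.rpartition("@")
    if not sep or user in masquerade_exceptions:
        return address
    d = domain.lower()
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        m = entry.lstrip("!").lower()
        if d == m or d.endswith("." + m):
            return address if negate else f"{user}@{m}"
    return address


def generic_rewrite(address, generic_map):
    """Look up user@domain first, then @domain, as the generic(5) table does.

    The bare "user" key form (matched against $myorigin and friends) is omitted.
    """
    user, sep, domain = address.rpartition("@")
    if not sep:
        return address
    for key in (address, "@" + domain):
        result = generic_map.get(key)
        if result is None:
            continue
        return f"{user}{result}" if result.startswith("@") else result
    return address


if __name__ == "__main__":
    for addr in ("myuser@helpdesk.ourdomain.com", "root@helpdesk.ourdomain.com",
                 "bob@lab.ourdomain.com", "alice@example.net"):
        print(f"{addr:32} masquerade -> {masquerade(addr, MASQUERADE_DOMAINS, MASQUERADE_EXCEPTIONS):24} "
              f"generic -> {generic_rewrite(addr, GENERIC_MAP)}")
```

The practical difference: masquerading is applied by the cleanup server and, with the default `masquerade_classes`, also rewrites header recipients, whereas `smtp_generic_maps` is applied only by the SMTP client as mail leaves the box, which makes it the narrower tool when the goal is just a presentable sender address on the relayed mail.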
                                              • fleon
                                                Message 23 of 24 , Feb 11, 2014
                                                  I am fine with the end result. The untrusted message is rather cosmetic, i
                                                  would like to know how to import the certificate or rather trust the server
                                                  (as i thought the mynetwork variable would do), but it's no biggie.

                                                  The server is inside our lan and the relay will only be used for our
                                                  helpdesk, which will be internal.

                                                  Some would argue that using the virtual smtp server (that asks for no
                                                  password) is better, since with the current setup i have to make sure the
                                                  user that will send the mail (which should be static, as they will be
                                                  automatically sent by the helpdesk) has a password that either doesn't
                                                  change or keep the password updated in the hash.

                                                • Viktor Dukhovni
                                                  Message 24 of 24 , Feb 11, 2014
                                                    On Tue, Feb 11, 2014 at 01:37:17PM -0800, fleon wrote:

                                                    > Some would argue that using the virtual smtp server (that asks for no
                                                    > password) is better, since with the current setup i have to make sure the
                                                    > user that will send the mail (which should be static, as they will be
                                                    > automatically sent by the helpdesk) has a password that either doesn't
                                                    > change or keep the password updated in the hash.

                                                    Key management is a bear. Since by day I'm in the Kerberos
                                                    infrastructure game, I tend to use Kerberos credentials, with a
                                                    bunch of tooling around automated provisioning of Kerberos tickets
                                                    and service keytabs. Without a key management infrastructure,
                                                    you're basically stuck hand managing passwords, or more complicated
                                                    things are functionally equivalent to passwords.

                                                    So long as an unauthenticated entry point exists and provides
                                                    similar performance, there is indeed not much point in using
                                                    the authenticated entry point, except for educational value.
                                                    You may not have the choice at some time in the future.

                                                    --
                                                    Viktor.