Re: MS Exchange + TLS+AUTH as a relay host

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri Feb 01 2008 - 11:06:43 CST


Alex Zepeda wrote:
> So my goal, as handed down to me by my supervisor is to get postfix to
> relay all outgoing mail through a hosted Exchange server. Sigh. Said
> server requires TLS and user/pass authentication before you can do
> anything.
>
> If you connect to the host you'll see:
>
> 220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
> Thu, 31 Jan 2008 22:58:54 -0800
> EHLO localhost
> 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
> 250-SIZE 52428800
> 250-PIPELINING
> 250-ENHANCEDSTATUSCODES
> 250-STARTTLS
> 250-AUTH
> 250-8BITMIME
> 250-BINARYMIME
> 250 CHUNKING
>
> Note that it does indeed show a null auth list (sigh). If I connect
> with s_client and hit start tls I'll see:
>
> EHLO localhost
> 250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
> 250-SIZE 52428800
> 250-PIPELINING
> 250-ENHANCEDSTATUSCODES
> 250-AUTH LOGIN
> 250-8BITMIME
> 250-BINARYMIME
> 250 CHUNKING
>
> Ah hah, a real list of allowed authentication methods!
>
> However with postfix I see the following in my mail.log:
>
> postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
> null AUTH mechanism list
> postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
> postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
> issuer=Equifax
> postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
> TLSv1 with cipher RC4-MD5 (128/128 bits)
> postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
> postfix/smtp[5288]: 75915BF45: to=<destination.addresscompany.com>,
> relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
> delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
> failed; cannot authenticate to server
> smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)
>
> Note that it's checking the auth list before it does its TLS handshake.
>
> Is there any way to get Postfix to re-read the auth list? This is
> Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.
>

Have you set in main.cf:
smtp_sasl_security_options = noanonymous
so that LOGIN will be accepted as a method?

Also, some Microsoft products seem to prefer the obsolete
"smtps" submission method; maybe this will help your problem.
Here are instructions on how to set it up:
http://www.postfix.org/TLS_README.html#client_smtps

If you do use smtps, the lookup key for the sasl_passwd table
lookup will be the local nexthop rather than the final
destination.
[127.0.0.1]:11125 user:pass

HTH.

--
Noel Jones
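As an added example (not code from the thread and not Postfix's own implementation), the Python model below parses the two EHLO responses quoted above and applies smtp_sasl_security_options-style filtering to them. It shows why the default "noplaintext, noanonymous" leaves "no worthy mechs" even after STARTTLS, and how smtp_sasl_tls_security_options (available since Postfix 2.3) allows LOGIN only on the TLS-protected session. The mechanism classification table and all function names are assumptions made for the example.

```python
import re
from typing import Optional, Set

# Simplified assumption of how Cyrus SASL classifies mechanisms: LOGIN and PLAIN
# send the password in the clear, ANONYMOUS needs no credentials at all.
PLAINTEXT = {"LOGIN", "PLAIN"}
ANONYMOUS = {"ANONYMOUS"}


def parse_auth_mechs(ehlo_response: str) -> Set[str]:
    """Return the AUTH mechanisms advertised in a multi-line EHLO response.

    Handles '250-AUTH LOGIN PLAIN', the legacy '250-AUTH=LOGIN' form and an
    empty '250-AUTH' line (the 'null AUTH mechanism list' Postfix warns about).
    """
    mechs = set()
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]AUTH[ =]?(.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(word.upper() for word in m.group(1).split())
    return mechs


def usable_mechs(offered: Set[str], security_options: Set[str]) -> Set[str]:
    """Drop mechanisms that the given smtp_sasl_security_options forbid."""
    usable = set(offered)
    if "noplaintext" in security_options:
        usable -= PLAINTEXT
    if "noanonymous" in security_options:
        usable -= ANONYMOUS
    return usable


def choose_mechs(ehlo_response: str, tls_active: bool,
                 sasl_security_options: str = "noplaintext, noanonymous",
                 sasl_tls_security_options: Optional[str] = None) -> Set[str]:
    """Mechanisms the client would consider; the TLS-specific option set
    (smtp_sasl_tls_security_options) overrides the general one when TLS is up."""
    opts = sasl_security_options
    if tls_active and sasl_tls_security_options is not None:
        opts = sasl_tls_security_options
    option_set = {o.strip() for o in opts.split(",") if o.strip()}
    return usable_mechs(parse_auth_mechs(ehlo_response), option_set)


# Constructed copies of the two EHLO responses from the thread (before/after STARTTLS).
EHLO_BEFORE_TLS = ("250-smtpx16.msoutlookonline.net Hello [x.x.x.x]\n"
                   "250-STARTTLS\n250-AUTH\n250 CHUNKING")
EHLO_AFTER_TLS = ("250-smtpx16.msoutlookonline.net Hello [x.x.x.x]\n"
                  "250-AUTH LOGIN\n250 CHUNKING")
```

With the defaults, choose_mechs(EHLO_AFTER_TLS, True) is empty, which is the "No worthy mechs found" case; setting sasl_tls_security_options="noanonymous" yields {"LOGIN"} under TLS while still refusing plaintext mechanisms on an unencrypted session.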