MS Exchange + TLS+AUTH as a relay host
Alex Zepeda
2008-02-01 07:06:51 UTC
So my goal, as handed down to me by my supervisor is to get postfix to
relay all outgoing mail through a hosted Exchange server. Sigh. Said
server requires TLS and user/pass authentication before you can do
anything.

If you connect to the host you'll see:

220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
Thu, 31 Jan 2008 22:58:54 -0800
EHLO localhost
250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Note that it does indeed show a null auth list (sigh). If I connect
with s_client and hit start tls I'll see:

EHLO localhost
250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Ah hah, a real list of allowed authentication methods!

However with postfix I see the following in my mail.log:

postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
null AUTH mechanism list
postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
issuer=Equifax
postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
TLSv1 with cipher RC4-MD5 (128/128 bits)
postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
postfix/smtp[5288]: 75915BF45: to=<***@company.com>,
relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
failed; cannot authenticate to server
smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)

Note that it's checking the auth list before it does its TLS handshake.

Is there any way to get Postfix to re-read the auth list? This is
Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.
--
alex
Alex Zepeda
2008-02-01 19:02:19 UTC
smtp_sasl_security_options = noanonymous
so that LOGIN will be accepted as a method?
Makes no difference, I think the null auth list is catching postfix up.
It doesn't seem to be re-reading the auth list after starttls.
Also, some microsoft products seem to prefer the obsolete "smtps"
submission method; maybe this will help your problem. Here are
http://www.postfix.org/TLS_README.html#client_smtps
Not an option here. It *must* be TLS. Yes, I hate hosted Exchange.
--
alex
Victor Duchovni
2008-02-01 19:25:55 UTC
Post by Alex Zepeda
smtp_sasl_security_options = noanonymous
so that LOGIN will be accepted as a method?
Makes no difference, I think the null auth list is catching postfix up.
It doesn't seem to be re-reading the auth list after starttls.
No Postfix (as of at least 2.2.0 which is the first official release
that supports TLS) recomputes all EHLO features after STARTTLS. So your
problem is elsewhere. Perhaps you don't have SASL "login" support in your
Cyrus SASL library.
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Alex Zepeda
2008-02-01 19:33:09 UTC
Post by Victor Duchovni
No Postfix (as of at least 2.2.0 which is the first official release
that supports TLS) recomputes all EHLO features after STARTTLS. So your
problem is elsewhere. Perhaps you don't have SASL "login" support in your
Cyrus SASL library.
As in my original post, the server *returns a null auth list* before
TLS, and returns an auth indicating login support *after* TLS. If
Postfix is not recomputing (yay potential man in the middle attacks)
after TLS, then yes it's not a matter of what's been compiled in -- it's
looking at the 'wrong' features list.

Thanks anyhow, I'm using the stock Debian packages. I'd love to be in a
situation where fiddling with the source is an option. Unfortunately, I
guess it's time to evaluate other MTAs.
--
alex
Victor Duchovni
2008-02-01 19:38:45 UTC
Post by Alex Zepeda
Post by Victor Duchovni
No Postfix (as of at least 2.2.0 which is the first official release
that supports TLS) recomputes all EHLO features after STARTTLS. So your
problem is elsewhere. Perhaps you don't have SASL "login" support in your
Cyrus SASL library.
As in my original post, the server *returns a null auth list* before
TLS, and returns an auth indicating login support *after* TLS.
You don't need to repeat this a 3rd time...
Post by Alex Zepeda
If
Postfix is not recomputing (yay potential man in the middle attacks)
after TLS, then yes it's not a matter of what's been compiled in -- it's
looking at the 'wrong' features list.
As I tried to say (but dropped a comma after "No"), Postfix recomputes
all EHLO features after STARTTLS, including the SASL mechanisms, so
your hypothesis is wrong. Postfix is NOT looking at the wrong feature
list, so resume your debugging with the knowledge that "LOGIN" is seen,
but not being accepted. Are you sure you have not disabled "plaintext"
mechanisms? Are you sure you have Cyrus SASL's "login" module? ...
--
Viktor.

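Viktor's reply above separates three causes that all end in "no mechanism available": an empty AUTH list, smtp_sasl_security_options excluding plaintext mechanisms (the Postfix default is "noplaintext, noanonymous", which rules out LOGIN), and a Cyrus SASL library without the login plugin. The Python below models that selection on the two EHLO replies quoted in the first message; it is an added example, not Postfix or Cyrus SASL code, and its filtering rule is a deliberate simplification.

```python
# Added example (not Postfix or Cyrus SASL source): a simplified model of how
# the SMTP client picks a SASL mechanism, using the two EHLO replies quoted
# in the original post. The filter rule below (noplaintext drops PLAIN and
# LOGIN, noanonymous drops ANONYMOUS) is an assumption that mirrors the
# documented meaning of smtp_sasl_security_options, not libsasl's real code.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}

# Constructed from the transcripts in the first message of the thread.
EHLO_BEFORE_STARTTLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-STARTTLS
250-AUTH
250 CHUNKING"""
EHLO_AFTER_STARTTLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-AUTH LOGIN
250 CHUNKING"""


def advertised_auth_mechs(ehlo_reply):
    """Mechanisms on the EHLO AUTH line; an empty set is the 'null list'."""
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # drop the "250-" or "250 " prefix
        if words and words[0].upper() == "AUTH":
            return {w.upper() for w in words[1:]}
    return set()


def usable_mechs(advertised, installed, security_options):
    """Advertised mechanisms that are installed locally and pass the option filter."""
    opts = {o.strip().lower() for o in security_options.split(",")}
    allowed = set(advertised) & set(installed)
    if "noplaintext" in opts:
        allowed -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        allowed -= ANONYMOUS_MECHS
    return allowed


def diagnose(ehlo_reply, installed, security_options):
    """Report the outcome in the words of the mail.log lines quoted above."""
    advertised = advertised_auth_mechs(ehlo_reply)
    if not advertised:
        return "offered null AUTH mechanism list"
    usable = usable_mechs(advertised, installed, security_options)
    if not usable:
        return "No worthy mechs found"
    return "auth with " + sorted(usable)[0]
```

Running diagnose() on the post-STARTTLS reply with the Postfix defaults, or with the login plugin absent from `installed`, reproduces the "No worthy mechs found" warning from the log even though LOGIN is advertised, which is the distinction Viktor is drawing.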
Alex Zepeda
2008-02-10 00:33:26 UTC
Thanks for the help guys, problem solved.
--
alex
m***@gmail.com
2013-03-25 02:53:19 UTC
Post by Alex Zepeda
Thanks for the help guys, problem solved.
--
alex
HOW? HOW was the problem solved? I HATE posts like this.
