Scott Sander
2015-08-06 14:02:42 UTC
This is a Postfix question, but allow me to set the stage first. We have SharePoint 2013 and Exchange 2010. Because SharePoint 2013 cannot natively do authenticated SMTP, we are unable to lock down the permitted senders on the Exchange email distribution groups that SharePoint needs to be able to send to. In turn, this means that people in the organization are sending email to distribution groups that we don't want them to be able to send email to.
A potential solution to this problem is to use another email server as a relay for SharePoint. SharePoint delivers email to the relay server (unauthenticated) and then the relay server authenticates with Exchange for final delivery. Then we can lock down the distribution groups to allow the people we want as well as the smarthost authentication account.
We have selected Postfix to use as the relay server. Trouble is: it doesn't work. Well, it sort of works. I can get email to relay through to Exchange if I set up the Exchange receive connector and Postfix to just dump the email to port 25 unauthenticated on the Exchange server. But as soon as I change the Exchange receive connector to only allow use by "Exchange users", it doesn't work. I get the following error response from Exchange when sending mail from Postfix:
"530 5.7.1 Client was not authenticated (in reply to MAIL FROM command)"
Here's the associated log entry in the Postfix mail.log file:
--------------------
Aug 6 09:59:27 testmailhost postfix/smtp[7470]: 5663E2127F: to=<***@domain.com>, relay=mailhost.subdomain.domain.com[<IP of Exchange HT server 1>]:25, delay=15, delays=0.07/0.01/10/5, dsn=5.7.1, status=bounced (host mailhost.subdomain.domain.com[<IP of Exchange HT server 1>] said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command))
--------------------
Note that the email sender is ***@domain.test and the Exchange account we are attempting to use for authentication is ***@subdomain.domain.com (SUBDOMAIN\postfixrelay)
For what it's worth, we are also using Dovecot on the Postfix server because it is doubling as a test email server for test environment servers to send mail to (it is authoritative for the domain.test domain).
Here is my Postfix main.cf file:
--------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/apps4_combined.pem
smtpd_tls_key_file=/etc/ssl/private/apps4_key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.semtribe.test
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = testmailhost.subdomain.domain.com, localhost.subdomain.domain.com, localhost, mail.domain.test
relay_domains = domain.com
relayhost = [mailhost.subdomain.domain.com]
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <IP of Exchange HT server 1> <IP of Exchange HT server 2> <IP of Exchange HT server 3>
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Handing off local delivery to Dovecot's LMTP
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
# For relay with Exchange
#smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest
# Virtual domains, users, and aliases
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
#virtual_mailbox_maps = /etc/postfix/virtual_mailbox_maps
--------------------
Here is my /etc/postfix/sasl_passwd file:
--------------------
#destination #credentials
[mail.domain.com] SUBDOMAIN\postfixrelay:password
[mailhost.subdomain.domain.com] SUBDOMAIN\postfixrelay:password
--------------------
Here is my Exchange receive connector configuration:
--------------------
Network tab:
* Receive mail on: all available IPv4 addresses
* Port: 25
* Receive mail from remote servers with these IP addresses: <IP address of Postfix server>
Authentication tab:
NOTE: The options below are checked and all others are unchecked.
* Transport Layer Security (TLS)
* Basic Authentication
* Offer Basic authentication only after starting TLS
Permission Groups:
NOTE: The options below are checked and all others are unchecked.
* Exchange users
--------------------
Does anyone know how I can make this work or what I am doing wrong?
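The following is an added example of the Postfix SMTP client settings an authenticated smarthost relay to Exchange needs; it is not the poster's configuration or an answer from the thread. Hostnames, the relay account and the sasl_passwd path are taken from the post; the CA file path is an assumption. The settings that matter are all smtp_* (the client side), not the smtpd_* lines that govern what Postfix accepts from SharePoint.

```ini
# /etc/postfix/main.cf fragment for authenticated relay to Exchange 2010
# (added example, not the poster's configuration)

# Lookup key in sasl_passwd must match this value exactly, brackets included.
relayhost = [mailhost.subdomain.domain.com]

# Without this line Postfix never sends AUTH, whatever sasl_passwd contains,
# and Exchange answers MAIL FROM with "530 5.7.1 Client was not authenticated".
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# The receive connector offers Basic only after STARTTLS, so require TLS.
# "encrypt" fails closed: no TLS means no delivery and no credentials on the wire.
smtp_tls_security_level = encrypt
# Stronger: also verify the connector's certificate against the issuing CA
# (path is an assumption; use the CA that issued the Exchange certificate).
# smtp_tls_security_level = secure
# smtp_tls_CAfile = /etc/ssl/certs/internal-ca.pem

# Postfix's default smtp_sasl_security_options is "noplaintext, noanonymous",
# and smtp_sasl_tls_security_options defaults to the same value. "noplaintext"
# forbids the PLAIN and LOGIN mechanisms, which is exactly what Exchange
# "Basic authentication" offers, so Postfix logs "no mechanism available"
# and sends no AUTH at all. Keep plaintext forbidden without TLS and allow
# it only inside the TLS session.
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

# Pin the mechanisms so a libsasl build with NTLM/GSSAPI plugins cannot
# pick one the connector is not configured to accept.
smtp_sasl_mechanism_filter = plain, login
```

After changing sasl_passwd, rebuild the map with `postmap hash:/etc/postfix/sasl_passwd` and restrict both the source file and the `.db` to root (mode 0600), since they hold a domain account's password in clear; then `postfix reload`. In the Postfix log, look for "no mechanism available" (the noplaintext problem above) or "TLS is required, but was not offered" (STARTTLS not offered by the connector) before suspecting the credentials themselves. If `SUBDOMAIN\postfixrelay` is rejected, the UPN form `postfixrelay@subdomain.domain.com` is the other username form to try in sasl_passwd.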