
MS Exchange + TLS+AUTH as a relay host


Alex Zepeda

Feb 1, 2008, 2:06:51 AM
So my goal, as handed down to me by my supervisor is to get postfix to
relay all outgoing mail through a hosted Exchange server. Sigh. Said
server requires TLS and user/pass authentication before you can do
anything.

If you connect to the host you'll see:

220 smtpx16.msoutlookonline.net Microsoft ESMTP MAIL Service ready at
Thu, 31 Jan 2008 22:58:54 -0800
EHLO localhost
250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Note that it does indeed show a null auth list (sigh). If I connect
with s_client and hit start tls I'll see:

EHLO localhost
250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Ah hah, a real list of allowed authentication methods!

However with postfix I see the following in my mail.log:

postfix/smtp[5288]: warning: smtpx16.msoutlookonline.net[207.5.72.190] offered
null AUTH mechanism list
postfix/smtp[5288]: setting up TLS connection to smtpx16.msoutlookonline.net
postfix/smtp[5288]: Verified: subject_CN=smtpx16.msoutlookonline.net,
issuer=Equifax
postfix/smtp[5288]: TLS connection established to smtpx16.msoutlookonline.net:
TLSv1 with cipher RC4-MD5 (128/128 bits)
postfix/smtp[5288]: warning: SASL authentication failure: No worthy mechs found
postfix/smtp[5288]: 75915BF45: to=<destinati...@company.com>,
relay=smtpx16.msoutlookonline.net[207.5.72.190]:25, delay=17993,
delays=17993/0.05/0.15/0, dsn=4.7.0, status=deferred (SASL authentication
failed; cannot authenticate to server
smtpx16.msoutlookonline.net[207.5.72.190]: no mechanism available)

Note that it's checking the auth list before it does its TLS handshake.

Is there any way to get Postfix to re-read the auth list? This is
Postfix 2.3.8 (2.3.8-2+b1) on Debian Etch.

--
alex

Alex Zepeda

Feb 1, 2008, 2:02:19 PM
Noel Jones wrote:

> Have you set in main.cf:
> smtp_sasl_security_options = noanonymous
> so that LOGIN will be accepted as a method?

Makes no difference, I think the null auth list is catching postfix up.
It doesn't seem to be re-reading the auth list after starttls.

> Also, some microsoft products seem to prefer the obsolete "smtps"
> submission method; maybe this will help your problem. Here are
> instructions on how to set it up:
> http://www.postfix.org/TLS_README.html#client_smtps

Not an option here. It *must* be TLS. Yes, I hate hosted Exchange.

--
alex

Victor Duchovni

Feb 1, 2008, 2:25:55 PM
On Fri, Feb 01, 2008 at 11:02:19AM -0800, Alex Zepeda wrote:

> Noel Jones wrote:
>
> > Have you set in main.cf:
> > smtp_sasl_security_options = noanonymous
> > so that LOGIN will be accepted as a method?
>
> Makes no difference, I think the null auth list is catching postfix up.
> It doesn't seem to be re-reading the auth list after starttls.

No Postfix (as of at least 2.2.0 which is the first official release
that supports TLS) recomputes all EHLO features after STARTTLS. So your
problem is elsewhere. Perhaps you don't have SASL "login" support in your
Cyrus SASL library.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Alex Zepeda

Feb 1, 2008, 2:33:09 PM
Victor Duchovni wrote:

> No Postfix (as of at least 2.2.0 which is the first official release
> that supports TLS) recomputes all EHLO features after STARTTLS. So your
> problem is elsewhere. Perhaps you don't have SASL "login" support in your
> Cyrus SASL library.

As in my original post, the server *returns a null auth list* before
TLS, and returns an auth indicating login support *after* TLS. If
Postfix is not recomputing (yay potential man in the middle attacks)
after TLS, then yes it's not a matter of what's been compiled in -- it's
looking at the 'wrong' features list.

Thanks anyhow, I'm using the stock Debian packages. I'd love to be in a
situation where fiddling with the source is an option. Unfortunately, I
guess it's time to evaluate other MTAs.

--
alex

Victor Duchovni

Feb 1, 2008, 2:38:45 PM
On Fri, Feb 01, 2008 at 11:33:09AM -0800, Alex Zepeda wrote:

> Victor Duchovni wrote:
>
> > No Postfix (as of at least 2.2.0 which is the first official release
> > that supports TLS) recomputes all EHLO features after STARTTLS. So your
> > problem is elsewhere. Perhaps you don't have SASL "login" support in your
> > Cyrus SASL library.
>
> As in my original post, the server *returns a null auth list* before
> TLS, and returns an auth indicating login support *after* TLS.

You don't need to repeat this a 3rd time...

> If
> Postfix is not recomputing (yay potential man in the middle attacks)
> after TLS, then yes it's not a matter of what's been compiled in -- it's
> looking at the 'wrong' features list.

As I tried to say (but dropped a comma after "No"), Postfix recomputes
all EHLO features after STARTTLS, including the SASL mechanisms, so
your hypothesis is wrong. Postfix is NOT looking at the wrong feature
list, so resume your debugging with the knowledge that "LOGIN" is seen,
but not being accepted. Are you sure you have not disabled "plaintext"
mechanisms? Are you sure you have Cyrus SASL's "login" module? ...
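An added illustration of the two points made above (this is example code written for this page, not Postfix source or anything from the thread): the client re-reads the EHLO feature list after STARTTLS, and the mechanisms it then sees are filtered by the client's SASL security options. The EHLO replies are constructed from the transcript earlier in the thread; the mechanism classification (LOGIN and PLAIN as "plaintext") and the default option set are assumptions modelled on Cyrus SASL and Postfix's documented default of `noplaintext, noanonymous`.

```python
# Constructed EHLO replies, modelled on the s_client transcript in the thread.
EHLO_BEFORE_STARTTLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

EHLO_AFTER_STARTTLS = """250-smtpx16.msoutlookonline.net Hello [x.x.x.x]
250-SIZE 52428800
250-PIPELINING
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING"""

# Assumption: how the SASL library classifies these mechanisms.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # send the password in the clear
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for every 250 line after the greeting line."""
    features = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()            # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, *params = body.split()
        features[keyword.upper()] = [p.upper() for p in params]
    return features


def worthy_mechs(features, security_options=("noplaintext", "noanonymous")):
    """Filter the advertised AUTH list the way smtp_sasl_security_options does.

    An empty result is the 'No worthy mechs found' situation from the log.
    The default option tuple is an assumption matching Postfix's documented default.
    """
    offered = set(features.get("AUTH", []))
    if "noplaintext" in security_options:
        offered -= PLAINTEXT_MECHS
    if "noanonymous" in security_options:
        offered -= ANONYMOUS_MECHS
    return sorted(offered)
```

Run against the two replies: the pre-TLS list is empty whatever the options, the post-TLS list yields LOGIN only once `noplaintext` is dropped (Noel's `noanonymous`-only setting), which is why the mechanism is "seen but not accepted" under the defaults. In real Postfix the options used inside a TLS session come from `smtp_sasl_tls_security_options`, which defaults to `$smtp_sasl_security_options`.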

Alex Zepeda

Feb 9, 2008, 7:33:26 PM
Thanks for the help guys, problem solved.

--
alex

maxim...@gmail.com

Mar 24, 2013, 10:53:19 PM
HOW? HOW was the problem solved? I HATE posts like this.