smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
However, I get this:
Nov 7 15:52:51 eta postfix/smtp[1474]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
Nov 7 15:52:51 eta postfix/smtp[1474]: 7D8BB912423: to=<US...@XXX.COM>, relay=EXCHANGE.XXX.COM[...]:587, delay=8, delays=0.02/0.02/8/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server EXCHANGE.XXX.COM[...]: generic failure)
I saw advice on the Internets to turn off GSSAPI or configure it
correctly. So I did this:
smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest
But this gets me this:
Nov 7 16:35:32 eta postfix/smtp[2036]: warning: EXCHANGE.XXX.COM[...]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'
com>, relay=EXCHANGE.XXX.COM[...]:587, delay=545, delays=536/0.04/9.6/0, dsn=4.7.0, status=deferred (SASL authentication failed: server EXCHANGE.XXX.COM[...] offered no compatible authentication mechanisms for this type of connection security)
. and indeed, telnetting to the Exchange server shows "AUTH GSSAPI
NTLM" ...
Is there any way to make Postfix work in this environment? Or anything
helpful I could tell the Exchange admin, like how to turn on another
authentication mechanism? Help would be much appreciated ...
--
Regards,
Mike
> You would probably need to compile SASL with the required auth mechanisms.
Well, the SASL that ships with Mac OS X does have GSSAPI and NTLM
plugins. They just don't seem to get used.
--
Regards,
Mike
> . and indeed, telnetting to the Exchange server shows "AUTH GSSAPI
> NTLM" ...
The Postfix SMTP client can do GSSAPI, if you place a suitable
keytab on the Postfix server, and use it from cron to keep a
credential cache file current.
If you want to use a password, your Exchange administrator needs
to enable AUTH PLAIN.
--
Viktor.
Victor Duchovni <Victor....@morganstanley.com> writes:
> On Mon, Nov 08, 2010 at 02:30:33AM +0100, Michael Sperber wrote:
>
>> . and indeed, telnetting to the Exchange server shows "AUTH GSSAPI
>> NTLM" ...
>
> The Postfix SMTP client can do GSSAPI, if you place a suitable
> keytab on the Postfix server, and use it from cron to keep a
> credential cache file current.
Are there instructions somewhere on how to do it?
> If you want to use a password, your Exchange administrator needs
> to enable AUTH PLAIN.
I'm a bit confused - how does a normal Exchange client (like Apple Mail)
do this? There, I just give an Active Directory password, and it works.
--
Regards,
Mike
> > On Mon, Nov 08, 2010 at 02:30:33AM +0100, Michael Sperber wrote:
> >
> >> . and indeed, telnetting to the Exchange server shows "AUTH GSSAPI
> >> NTLM" ...
> >
> > The Postfix SMTP client can do GSSAPI, if you place a suitable
> > keytab on the Postfix server, and use it from cron to keep a
> > credential cache file current.
>
> Are there instructions somewhere on how to do it?
Obtain the current (or default) value of the Postfix 'import_environment'
setting:
$ postconf 'import_environment'
import_environment = MAIL_CONFIG MAIL_SECONDARY MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
If you don't use an X11 debugger on Postfix, feel free to ignore the
"XAUTHORITY" and "DISPLAY" elements. Take all the others, and append:
KRB5CCNAME=${data_directory}/smtp_ccache
which (with my Postfix version) should be:
import_environment =
    MAIL_CONFIG MAIL_SECONDARY MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
    KRB5CCNAME=${data_directory}/smtp_ccache
add the above to main.cf. Then you need a cron job that keeps
this file (if data_directory is /var/lib/postfix, then the file is
/var/lib/postfix/smtp_ccache) populated with fresh tickets.
We have a job that runs once an hour and uses a keytab file to obtain
a ticket stored in /var/lib/postfix/smtp_ccache and owned by "postfix"
mode 0600. The keytab belongs to "root" with group equal to the
primary group of the "postfix" user, mode 0640.
The cron job creates the credential cache. The keytab file contains
the keys for the user authorized to submit mail to Exchange.
The cron job runs:
kinit -k -t /etc/postfix/postfix.keytab \
    -c /var/lib/postfix/smtp_ccache.new ${PRINC} &&
    mv /var/lib/postfix/smtp_ccache.new /var/lib/postfix/smtp_ccache
where "$PRINC" is the Kerberos principal name (user@REALM) of the Exchange
login in question. You may also need an /etc/krb5.conf file that lists
the locations of the Exchange KDCs or enables DNS lookups via SRV
records, ...
> > If you want to use a password, your Exchange administrator needs
> > to enable AUTH PLAIN.
>
> I'm a bit confused - how does a normal Exchange client (like Apple Mail)
> do this? There, I just give an Active Directory password, and it works.
The Apple client likely talks MAPI when configured to use Exchange. It
probably also supports NTLM, but I would not bother with NTLM. Exchange
supports PLAIN, you just have to turn it on.
Why are you bothering with SASL at all? Why not just have Exchange
allow the IP address of the Postfix server?
--
Viktor.
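The keytab-driven cron job Viktor describes above, written out as a complete script (an added example, not code from the thread or from Postfix). It uses the paths from his post; the principal name and the `postfix` owner are placeholders to adjust, and the `check` mode is an addition for catching a stale cache before mail starts deferring.

```shell
#!/bin/sh
# Added example: keep the Postfix SMTP client's Kerberos credential cache
# fresh from a keytab. Paths follow the thread; PRINC is a placeholder.
PRINC="${PRINC:-postfix-relay@EXAMPLE.COM}"       # user@REALM of the Exchange login
KEYTAB="${KEYTAB:-/etc/postfix/postfix.keytab}"   # root:postfix, mode 0640
CCACHE="${CCACHE:-/var/lib/postfix/smtp_ccache}"  # matches KRB5CCNAME in main.cf
OWNER="${OWNER:-postfix}"                         # uid the smtp(8) client runs as

# refresh_ccache: obtain a fresh TGT from the keytab into CCACHE.new, then
# rename it over CCACHE so smtp(8) never reads a half-written cache. If kinit
# fails, the previous (possibly still valid) cache is left untouched and the
# function returns 1, which cron reports via its output mail.
refresh_ccache() {
    tmp="${CCACHE}.new"
    umask 077                 # the new cache is created 0600 from the start
    rm -f "$tmp"
    # -k -t: authenticate with the keytab (no password); -c: target cache file
    if ! kinit -k -t "$KEYTAB" -c "$tmp" "$PRINC"; then
        rm -f "$tmp"
        return 1
    fi
    # cron runs this as root; hand the cache to the postfix user, read-only
    chown "$OWNER" "$tmp" 2>/dev/null || true
    chmod 0600 "$tmp"
    mv -f "$tmp" "$CCACHE"
}

# cache_is_fresh FILE MAX_MINUTES: succeed if FILE exists and was rewritten
# within MAX_MINUTES. With an hourly job, 90 minutes is a sensible alarm
# threshold; otherwise a broken kinit only surfaces as deferred mail with
# "No credentials cache found", as in the original report.
cache_is_fresh() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

case "${1:-}" in
    refresh) refresh_ccache ;;
    check)   cache_is_fresh "$CCACHE" 90 ;;
esac
```

Install it as root, run `... refresh` from root's hourly crontab, and point a monitoring probe at `... check`.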