Authentication at MS Exchange as a smarthost fails

Authentication at MS Exchange as a smarthost fails

Jens Kubieziel
Hi,

I'm trying to set up Postfix to use two smarthosts. All mail sent from
domains example.(com|org) should be sent over smtp.gmail.com (default
smarthost) and mails from Domain.A should be sent over mailgw.Domain.A
(MUA is MS Exchange). I set everything up like in the configuration
below. However delivering the mail fails with 535 Authentication
unsuccessful. I have tried to log in via AUTH LOGIN and telnet/openssl.
This worked. So I have no idea why authentication doesn't work here. Do
you have any hints what I'm doing wrong?

main.cf:
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = golgafrincham.example.com, localhost.example.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.gmail.com]:587
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes


relayhost_map:
[hidden email]    [smtp.gmail.com]:587
[hidden email]        [mailgw.Domain.A]:587

sasl_passwd:
[hidden email]    [hidden email]:Password
[smtp:gmail.com]:587   [hidden email]:Password

mail.log:
Dec 16 09:40:12 golgafrincham postfix/qmgr[26914]: 9044318E: from=<[hidden email]>, size=400, nrcpt=1 (queue active)
Dec 16 09:40:12 golgafrincham postfix/smtp[26921]: smtp_stream_setup: maxtime=300 enable_deadline=0
Dec 16 09:40:12 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 220 mailgw.Domain.A Microsoft ESMTP MAIL Service ready at Tue, 16 Dec 2014 03:40:12 -0500
Dec 16 09:40:12 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: EHLO golgafrincham.example.com
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-mailgw.Domain.A Hello [195.202.38.154]
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-SIZE 52428800
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-PIPELINING
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-DSN
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-ENHANCEDSTATUSCODES
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-STARTTLS
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-AUTH GSSAPI NTLM
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-8BITMIME
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-BINARYMIME
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250 CHUNKING
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: server features: 0x903f size 52428800
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: smtp_stream_setup: maxtime=300 enable_deadline=0
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: STARTTLS
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 220 2.0.0 SMTP server ready
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr request = lookup
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr cache_type = smtp
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr cache_id = smtp&[mailgw.Domain.A]:587&mailgw.Domain.A&192.0.2.11&&777D63B388B5C434AE11B63E1FCB6213CBD88CF0D5772CD420C390CC2CC7F17E
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute value: 4294967295
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: session
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: session
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute value: (end)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: (list terminator)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: (end)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr request = seed
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr size = 32
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute value: 0
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: seed
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: seed
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute value: WiQjwFNyFc+HKey9bSGt46OISHmipEh+ZOV1fFILzr4=
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: (list terminator)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: (end)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr request = update
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr cache_type = smtp
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr cache_id = smtp&[mailgw.Domain.A]:587&mailgw.Domain.A&192.0.2.11&&777D63B388B5C434AE11B63E1FCB6213CBD88CF0D5772CD420C390CC2CC7F17E
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: send attr session = [data 1579 bytes]
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: status
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute value: 0
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: private/tlsmgr: wanted attribute: (list terminator)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: input attribute name: (end)
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: smtp_stream_setup: maxtime=300 enable_deadline=0
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: EHLO golgafrincham.example.com
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-mailgw.Domain.A Hello [195.202.38.154]
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-SIZE 52428800
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-PIPELINING
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-DSN
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-ENHANCEDSTATUSCODES
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-AUTH GSSAPI NTLM LOGIN
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-8BITMIME
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250-BINARYMIME
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 250 CHUNKING
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: server features: 0x902f size 52428800
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: maps_find: smtp_sasl_passwd: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix): [hidden email] = [hidden email]:Password
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: mail_addr_find: [hidden email] -> [hidden email]:Password
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: smtp_sasl_passwd_lookup: host `mailgw.Domain.A' user `[hidden email]' pass `Password'
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: starting new SASL client
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: name_mask: noanonymous
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: smtp_sasl_authenticate: mailgw.Domain.A[192.0.2.11]:587: SASL mechanisms GSSAPI NTLM LOGIN
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: xsasl_cyrus_client_first: uncoded initial reply: NTLMSSP\0\1\0\0\0\a\2\0\0\0\0\0\0 \0\0\0\0\0\0\0 \0\0\000
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: AUTH NTLM TlRMTVNTUAABAAAABwIAAAAAAAAgAAAAAAAAACAAAAA=
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 334 TlRMTVNTUAACAAAABAAEA...
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: xsasl_cyrus_client_next: decoded challenge: NTLMSSP
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: xsasl_cyrus_client_get_user: [hidden email]
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: xsasl_cyrus_client_get_passwd: Password
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: xsasl_cyrus_client_next: uncoded client response NTLMSSP
Dec 16 09:40:13 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: TlRMTVNTUAADAAAAAAAAAEA...
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: < mailgw.Domain.A[192.0.2.11]:587: 535 5.7.3 Authentication unsuccessful
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: connect to subsystem private/defer
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr nrequest = 0
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr flags = 0
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr queue_id = 9044318E
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr original_recipient = [hidden email]
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr recipient = [hidden email]
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr offset = 607
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr dsn_orig_rcpt = rfc822;[hidden email]
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr notify_flags = 0
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr status = 4.7.3
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr diag_type = smtp
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr diag_text = 535 5.7.3 Authentication unsuccessful
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr mta_type = dns
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr mta_mname = mailgw.Domain.A
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr action = delayed
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: send attr reason = SASL authentication failed; server mailgw.Domain.A[192.0.2.11] said: 535 5.7.3 Authentication unsuccessful
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: private/defer socket: wanted attribute: status
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: input attribute name: status
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: input attribute value: 0
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: private/defer socket: wanted attribute: (list terminator)
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: input attribute name: (end)
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: 9044318E: to=<[hidden email]>, relay=mailgw.Domain.A[192.0.2.11]:587, delay=71182, delays=71176/0.09/6.2/0, dsn=4.7.3, status=deferred (SASL authentication failed; server mailgw.Domain.A[192.0.2.11] said: 535 5.7.3 Authentication unsuccessful)
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: flush_add: site example.org id 9044318E
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: match_hostname: example.org ~? golgafrincham.example.com
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: match_hostname: example.org ~? localhost.example.com
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: match_hostname: example.org ~? localhost
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: match_list_match: example.org: no match
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: flush_add: site example.org id 9044318E status 4
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: smtp_stream_setup: maxtime=300 enable_deadline=0
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: > mailgw.Domain.A[192.0.2.11]:587: QUIT
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: name_mask: resource
Dec 16 09:40:18 golgafrincham postfix/smtp[26921]: name_mask: software
Dec 16 09:40:19 golgafrincham postfix/smtp[26921]: disposing SASL state information


--
In a successful advertisement it's the graphics that grab you,  but it's
the text that does the selling.
                -- Pablo PigCasso

Re: Authentication at MS Exchange as a smarthost fails

lists@rhsoft.net

On 16.12.2014 at 13:05, Jens Kubieziel wrote:
> I'm trying to set up Postfix to use two smarthosts. All mail sent from
> domains example.(com|org) should be sent over smtp.gmail.com (default
> smarthost) and mails from Domain.A should be sent over mailgw.Domain.A
> (MUA is MS Exchange). I set everything up like in the configuration
> below. However delivering the mail fails with 535 Authentication
> unsuccessful. I have tried to log in via AUTH LOGIN and telnet/openssl.
> This worked. So I have no idea why authentication doesn't work here. Do
> you have any hints what I'm doing wrong?
>
> mailgw.Domain.A[192.0.2.11]:587: AUTH NTLM

just disable NTLM auth on your SMTP client
been there, done that

on Fedora "yum remove cyrus-sasl-ntlm" and restart postfix

should also be possible with a config change, Google!
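
Added example (not part of either post): a small Python check that reads a Postfix debug log of the kind shown in the first message and reports relays where the client authenticated with one mechanism and got 535 although another mechanism was on offer. The host name mailgw.example, the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: trimmed lines in the format of the debug log above.
SAMPLE_LOG = """\
Dec 16 09:40:13 host postfix/smtp[26921]: < mailgw.example[192.0.2.11]:587: 250-AUTH GSSAPI NTLM
Dec 16 09:40:13 host postfix/smtp[26921]: > mailgw.example[192.0.2.11]:587: STARTTLS
Dec 16 09:40:13 host postfix/smtp[26921]: < mailgw.example[192.0.2.11]:587: 250-AUTH GSSAPI NTLM LOGIN
Dec 16 09:40:13 host postfix/smtp[26921]: > mailgw.example[192.0.2.11]:587: AUTH NTLM TlRMTVNTUAAB
Dec 16 09:40:18 host postfix/smtp[26921]: < mailgw.example[192.0.2.11]:587: 535 5.7.3 Authentication unsuccessful
"""

# direction ("<" from server, ">" from client), relay host name, SMTP text
LINE = re.compile(r"postfix/smtp\[\d+\]: ([<>]) (\S+?)\[[^\]]*\]:\d+: (.*)$")

def summarize(log_text):
    """Per relay host: mechanisms offered before/after STARTTLS, the
    mechanism the client sent, and the server's final AUTH reply code."""
    hosts = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        direction, host, text = m.groups()
        s = hosts.setdefault(host, {"tls": False, "offered_clear": [],
                                    "offered_tls": [], "chosen": None, "reply": None})
        if direction == ">" and text == "STARTTLS":
            s["tls"] = True
        elif direction == "<" and re.match(r"250[- ]AUTH ", text):
            key = "offered_tls" if s["tls"] else "offered_clear"
            s[key] = text.split()[1:]
        elif direction == ">" and text.startswith("AUTH "):
            s["chosen"] = text.split()[1]
        elif direction == "<" and s["chosen"] and text[:3] in ("235", "535"):
            s["reply"] = text[:3]
    return hosts

def findings(hosts, wanted=("LOGIN", "PLAIN")):
    """Flag relays where auth failed with a mechanism outside `wanted`
    although a wanted mechanism was on offer."""
    out = []
    for host, s in hosts.items():
        offered = s["offered_tls"] or s["offered_clear"]
        usable = [m for m in offered if m in wanted]
        if s["reply"] == "535" and s["chosen"] not in wanted and usable:
            out.append((host, s["chosen"], usable))
    return out

if __name__ == "__main__":
    for host, chosen, usable in findings(summarize(SAMPLE_LOG)):
        print(f"{host}: failed with {chosen}; server also offers {usable}")
```

When a relay is flagged this way, one config-level alternative to removing the NTLM plugin package is Postfix's smtp_sasl_mechanism_filter parameter in main.cf, for example "smtp_sasl_mechanism_filter = login, plain". LOGIN and PLAIN send the password merely base64-encoded, so they belong only on sessions where STARTTLS has completed, as in the log above where LOGIN is offered only after TLS.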