Exchange does not work with TLS and SASL


Exchange does not work with TLS and SASL

Jose Manuel Pozo Pozo
Good night.

First of all, sorry for my English :(

I have a problem with TLS and SASL implementation. My scenario is:

Exchange 2003 (mailbox) -> Postfix (relay) -> Internet

I use Postfix on CentOS 5. I also use Amavisd+ClamAV+SpamAssassin and it is all running correctly. My users use OWA. The problem is that when I configure TLS and SASL, they do not work.

In my Exchange 2003, in Protocols->SMTP->Access, I have marked the option TLS.

When I want to send an email, this is the result of tail -f /var/log/maillog

May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]
May 22 01:08:45 relay postfix/qmgr[32455]: 8385458576: from=<[hidden email]>, size=1421, nrcpt=1 (queue active)
May 22 01:08:46 relay clamd[30417]: SelfCheck: Database status OK.
May 22 01:08:55 relay postfix/smtpd[3440]: connect from pruebas[127.0.0.1]
May 22 01:08:55 relay postfix/smtpd[3440]: 76A5258581: client=pruebas[127.0.0.1]
May 22 01:08:55 relay postfix/cleanup[3436]: 76A5258581: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
May 22 01:08:55 relay amavis[32522]: (32522-01) Passed CLEAN, MYNETS LOCAL [192.168.1.11] <[hidden email]> -> <[hidden email]>, Message-ID: <8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>, mail_id: 8sMbKFbsmOn2, Hits: -0.306, size: 1420, queued_as: 76A5258581, 9739 ms
May 22 01:08:55 relay postfix/smtp[3437]: 8385458576: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=10, delays=0.51/0.12/0.11/9.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 76A5258581)
May 22 01:08:55 relay postfix/smtpd[3440]: disconnect from pruebas[127.0.0.1]
May 22 01:08:55 relay postfix/qmgr[32455]: 8385458576: removed
May 22 01:08:55 relay postfix/qmgr[32455]: 76A5258581: from=<[hidden email]>, size=1848, nrcpt=1 (queue active)
May 22 01:09:02 relay postfix/smtp[3441]: 76A5258581: to=<[hidden email]>, relay=gmail-smtp-in.l.google.com[66.249.93.114]:25, delay=7.1, delays=0.08/0.05/2.9/4.1, dsn=2.0.0, status=sent (250 2.0.0 OK 1211415680 m4si3961240ugc.31)
May 22 01:09:02 relay postfix/qmgr[32455]: 76A5258581: removed

When I connect by telnet,

220 relay.zubero.eu
helo epi
502 5.5.2 Error: command not recognized
ehlo epi
250-relay.zubero.eu
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


My main.cf,

#postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
html_directory = no
invalid_hostname_reject_code = 554
local_recipient_maps = hash:/etc/postfix/exchange_recipients
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
multi_recipient_bounce_reject_code = 554
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = zubero.eu
myhostname = relay.zubero.eu
mynetworks = 192.168.1.11
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
queue_directory = /var/spool/postfix
queue_minfree = 120000000
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains_reject_code = 554
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transportList
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


#cat /usr/lib/sasl2/smtp.conf
pwcheck_method: saslauthd
mech_list: plain login
log_level: 5

Re: Exchange does not work with TLS and SASL

Patrick Ben Koetter
* Jose Manuel Pozo Pozo <[hidden email]>:

> Good night.
>
> First of all, sorry for my English :(
>
> I have a problem with TLS and SASL implementation. My scenario is:
>
> Exchange 2003 (mailbox) -> Postfix (relay) -> Internet
>
> I use Postfix on CentOS 5. I also use Amavisd+ClamAV+SpamAssassin and it is
> all running correctly. My users use OWA. The problem is that when I
> configure TLS and SASL, they do not work.
>
> In my Exchange 2003, in Protocols->SMTP->Access, I have marked the option
> TLS.
>
> When I want to send an email, this is the result of tail -f /var/log/maillog
>
>
> May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
> May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
> May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
> May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]

Your server does not use SMTP AUTH. Did you configure it to authenticate?
It also does not attempt to establish a TLS encrypted session. What does the
Log of your SMTP connector report? Does your exchange server have access to
the CA certificate of your Postfix servers TLS cert?

> When I connect for telnet,
>
> 220 relay.zubero.eu
> helo epi
> 502 5.5.2 Error: command not recognized
> ehlo epi
> 250-relay.zubero.eu
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN

TLS and SMTP AUTH get announced. So far so good.

> My main.cf,
>
> #postconf -n
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
>
> #cat /usr/lib/sasl2/smtp.conf

Is this a typo? It must be /usr/lib/sasl2/smtpd.conf and not smtp.conf.
                                          ^^^^^

> pwcheck_method: saslauthd
> mech_list: plain login
> log_level: 5

p@rick


--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
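As an added example (not code from the thread or from Postfix), the check Patrick asks for can be scripted against /var/log/maillog: it ties smtpd(8) lines together by process id and reports, per inbound session, whether STARTTLS was negotiated, with which cipher, and whether the client authenticated (Postfix appends sasl_method= and sasl_username= to its client= line when SMTP AUTH succeeds). The sample lines are the thread's May 22 and May 23 sessions plus one constructed authenticated session; the username in it is invented.

```python
"""Audit Postfix smtpd(8) log lines: did each inbound session use TLS and SMTP AUTH?

Added example, not code from the thread. It checks from the maillog what Patrick asks
the poster to verify: whether the Exchange host negotiated STARTTLS and authenticated.
"""
import re

# Constructed sample: the thread's May 22 session (cleartext, no AUTH), its May 23
# session (TLS with RC4-MD5, still no AUTH) and a made-up third session in which the
# Exchange host authenticates over TLS. The username "exchange-relay" is invented.
SAMPLE_LOG = """\
May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: connect from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: setting up TLS connection from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: TLS connection established from exchange.zubero.local[192.168.1.11]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 23 16:14:52 relay postfix/smtpd[2632]: D14F75857E: client=exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: disconnect from exchange.zubero.local[192.168.1.11]
May 23 16:20:01 relay postfix/smtpd[2701]: connect from exchange.zubero.local[192.168.1.11]
May 23 16:20:01 relay postfix/smtpd[2701]: TLS connection established from exchange.zubero.local[192.168.1.11]: TLSv1 with cipher AES256-SHA (256/256 bits)
May 23 16:20:01 relay postfix/smtpd[2701]: 0A1B2C3D4E: client=exchange.zubero.local[192.168.1.11], sasl_method=LOGIN, sasl_username=exchange-relay
May 23 16:20:02 relay postfix/smtpd[2701]: disconnect from exchange.zubero.local[192.168.1.11]
""".splitlines()

# "<Mon> <d> <hh:mm:ss> <host> postfix/smtpd[<pid>]: <message>"; the pid ties the
# lines of one SMTP session together.
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
TLS_RE = re.compile(r"^TLS connection established from \S+: (?P<proto>\S+) with cipher "
                    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)$")
# smtpd appends sasl_method= and sasl_username= to this line when AUTH succeeded.
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<client>\S+?)"
                       r"(?:, sasl_method=(?P<method>\S+?))?(?:, sasl_username=(?P<user>\S+?))?$")
DISCONNECT_RE = re.compile(r"^disconnect from \S+$")

# OpenSSL suite-name prefixes a relay should not be negotiating in 2008 either.
WEAK_CIPHER_PREFIXES = ("RC4-", "DES-CBC-", "EXP-", "NULL-", "ADH-")


def is_weak_cipher(cipher):
    """RC4, single DES, export-grade, NULL and anonymous-DH suites."""
    return cipher.startswith(WEAK_CIPHER_PREFIXES)


def findings_for(s):
    """Human-readable problems with one finished session."""
    f = []
    if s["tls"] is None:
        f.append("no TLS: the whole session ran in cleartext")
    elif is_weak_cipher(s["tls"]["cipher"]):
        f.append("weak cipher %s" % s["tls"]["cipher"])
    if s["sasl"] is None and s["queue_ids"]:
        f.append("mail accepted without SMTP AUTH (allowed by another rule, e.g. permit_mynetworks)")
    if s["sasl"] is not None and s["tls"] is None:
        f.append("SMTP AUTH credentials were sent without TLS")
    return f


def audit_smtpd_sessions(lines):
    """Correlate smtpd lines by pid; return finished sessions in disconnect order."""
    active, finished = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # cleanup, qmgr, amavis ... lines are not part of the session
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            active[pid] = {"client": c.group("client"), "tls": None, "sasl": None, "queue_ids": []}
            continue
        s = active.get(pid)
        if s is None:
            continue  # session whose 'connect from' predates the sample
        t = TLS_RE.match(msg)
        cl = CLIENT_RE.match(msg)
        if t:
            s["tls"] = {"proto": t.group("proto"), "cipher": t.group("cipher"), "bits": int(t.group("bits"))}
        elif cl:
            s["queue_ids"].append(cl.group("qid"))
            if cl.group("method"):
                s["sasl"] = {"method": cl.group("method"), "username": cl.group("user")}
        elif DISCONNECT_RE.match(msg):
            s["findings"] = findings_for(s)
            finished.append(active.pop(pid))
    return finished


if __name__ == "__main__":
    for s in audit_smtpd_sessions(SAMPLE_LOG):
        tls = "%(proto)s/%(cipher)s" % s["tls"] if s["tls"] else "none"
        auth = s["sasl"]["username"] if s["sasl"] else "none"
        print("%s tls=%s auth=%s: %s" % (s["client"], tls, auth, "; ".join(s["findings"]) or "ok"))
```

Run it over the real file with `python audit.py < /var/log/maillog` after replacing SAMPLE_LOG with `sys.stdin`; a session from the Exchange host that reports "no TLS" or "without SMTP AUTH" is the condition Patrick describes.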
Re: Exchange does not work with TLS and SASL

Jose Manuel Pozo Pozo


2008/5/22, Patrick Ben Koetter <[hidden email]>:
> * Jose Manuel Pozo Pozo <[hidden email]>:

> Good night.
>
> First of all, sorry for my English :(
>
> I have a problem with TLS and SASL implementation. My scenario is:
>
> Exchange 2003 (mailbox) -> Postfix (relay) -> Internet
>
> I use Postfix on CentOS 5. I also use Amavisd+ClamAV+SpamAssassin and it is
> all running correctly. My users use OWA. The problem is that when I
> configure TLS and SASL, they do not work.
>
> In my Exchange 2003, in Protocols->SMTP->Access, I have marked the option
> TLS.
>
> When I want to send an email, this is the result of tail -f /var/log/maillog
>
>
> May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
> May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
> May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
> May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]


> Your server does not use SMTP AUTH. Did you configure it to authenticate?

I think so 


> It also does not attempt to establish a TLS encrypted session. What does the
> Log of your SMTP connector report?

This is an extract of my Exchange's log related to the SMTP connector:

SMTP GetNextHop devolvió hr=0x0 en 0 ms.
Dirección de destino=<gmail.com>, Tipo=<SMTP>
Tipo de mensaje=0x0, Siguiente tipo de salto=OTHER_ROUTING_GROUP
Tipo=<SMTP>, Clase=<*>, Id. de programa=0x0
Dirección de enrutamiento=<[192.168.1.13]>
Conector=<fbec72b5-7e7f-4ae3-9df4-adf77c1fd3e9>


and this is an extract of the postfix:

relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated status=0


> Does your exchange server have access to
> the CA certificate of your Postfix servers TLS cert?


It may be a newbie's question, but... How can I verify it?

> When I connect for telnet,
>
> 220 relay.zubero.eu
> helo epi
> 502 5.5.2 Error: command not recognized
> ehlo epi
> 250-relay.zubero.eu
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-STARTTLS
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN


> TLS and SMTP AUTH get announced. So far so good.


> My main.cf,
>
> #postconf -n

> broken_sasl_auth_clients = yes

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
>

> #cat /usr/lib/sasl2/smtp.conf


> Is this a typo? It must be /usr/lib/sasl2/smtpd.conf and not smtp.conf.
>                                           ^^^^^

Yes, it is a typo.

Kind Regards.
Re: Exchange does not work with TLS and SASL

Patrick Ben Koetter
* Jose Manuel Pozo Pozo <[hidden email]>:

> > > May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
> > > May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]
> >
> >
> > Your server does not use SMTP AUTH. Did you configure it to authenticate?
>
>
> I think so

Verify.


> > It also does not attempt to establish a TLS encrypted session. What does the
> > Log of your SMTP connector report?
>
> This is an extract of my Exchange's log related to the SMTP connector:
>
> SMTP GetNextHop devolvió hr=0x0 en 0 ms.
> Dirección de destino=<gmail.com>, Tipo=<SMTP>
> Tipo de mensaje=0x0, Siguiente tipo de salto=OTHER_ROUTING_GROUP
> Tipo=<SMTP>, Clase=<*>, Id. de programa=0x0
> Dirección de enrutamiento=<[192.168.1.13]>
> Conector=<fbec72b5-7e7f-4ae3-9df4-adf77c1fd3e9>

I don't see any TLS or SASL related info in there, but I am not an Exchange
expert to tell.

> and this is an extract of the postfix:
>
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> status=0
>
>
> > Does your exchange server have access to
> > the CA certificate of your Postfix servers TLS cert?
>
> It may be a newbie's question, but... How can I verify it?

Well, if it is a self-signed certificate you need to output a DER version of
your CA certificate, copy it to your Exchange server and import it into the
certificate store.

If you didn't do that yet, you will probably have to do so or your Exchange
server might decide not to talk TLS with a party whose CA certificate it
doesn't know.


If the Postfix server certificate has been signed by an official CA, check if
it is available in the certificate store and import that CA's CA certificate
into your Exchange server, in case it wasn't there in the first place.

p@rick



--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Re: Exchange does not work with TLS and SASL

Jose Manuel Pozo Pozo


2008/5/22, Patrick Ben Koetter <[hidden email]>:
> * Jose Manuel Pozo Pozo <[hidden email]>:

> > > May 22 01:08:44 relay postfix/smtpd[3434]: connect from exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: client=exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
> > > May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from exchange.zubero.local[192.168.1.11]
> >
> >
> > Your server does not use SMTP AUTH. Did you configure it to authenticate?
>
>
> I think so


> Verify.

I have changed the master.cf (marked in red; these lines were commented out before and I uncommented them) and some properties of the Exchange Server:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

### BEGIN AMAVISD-NEW CONFIG

smtp-amavis unix -      -       n       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
### END AMAVISD-NEW CONFIG

Exchange:

1. Expand the Administrative Groups and navigate to the SMTP virtual server located in the Protocols folder.
2. Right click on Default SMTP Virtual Server and go to Properties.
3. In the "IP address:" field, click on the down arrow and change the option from "(All Unassigned)" to a specific IP address of your e-mail server.
4. You should also enable logging and select NCSA Common Log File Format. The SMTP log files will help you with debugging and troubleshooting issues with TLS.
5. Click on the "Authentication" button and select the following check boxes:
   • Anonymous access
   • Basic authentication (password is sent in clear text)
   • Requires TLS encryption
   • Integrated Windows
6. The second step is to configure appropriate routing group connectors for each domain that requires TLS encryption. First navigate to the Routing Groups folder, expand it and go to the appropriate Routing Group. After you expand it, go to the Connectors folder and right click it, then select New > SMTP Connector, which will open the following properties:
7. Click on the Advanced tab to configure TLS encryption for this connector. Click on Outbound Security and check the TLS encryption box.

And this is the result of tail -f /var/log/maillog

May 23 16:14:52 relay postfix/smtpd[2632]: connect from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: setting up TLS connection from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: TLS connection established from exchange.zubero.local[192.168.1.11]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 23 16:14:52 relay postfix/smtpd[2632]: D14F75857E: client=exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/cleanup[2634]: D14F75857E: message-id=<A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>
May 23 16:14:52 relay postfix/qmgr[2047]: D14F75857E: from=<[hidden email]>, size=2035, nrcpt=1 (queue active)
May 23 16:14:52 relay postfix/smtpd[2632]: disconnect from exchange.zubero.local[192.168.1.11]
May 23 16:14:53 relay postfix/smtpd[2637]: connect from relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay postfix/smtpd[2637]: 11A9E585B8: client=relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay postfix/cleanup[2634]: 11A9E585B8: message-id=<A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>
May 23 16:14:53 relay postfix/qmgr[2047]: 11A9E585B8: from=<[hidden email]>, size=2464, nrcpt=1 (queue active)
May 23 16:14:53 relay postfix/smtpd[2637]: disconnect from relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay amavis[2192]: (02192-04) Passed CLEAN, MYNETS LOCAL [192.168.1.11] <[hidden email]> -> <[hidden email]>, Message-ID: <A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>, mail_id: K3zv9-JKd8wn, Hits: -0.933, size: 2034, queued_as: 11A9E585B8, 215 ms
May 23 16:14:53 relay postfix/smtp[2635]: D14F75857E: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.27, delays=0.04/0/0.01/0.22, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 11A9E585B8)
May 23 16:14:53 relay postfix/qmgr[2047]: D14F75857E: removed
May 23 16:14:53 relay postfix/smtp[2638]: 11A9E585B8: to=<[hidden email]>, relay=mx.ya.com[62.151.4.44]:25, delay=0.42, delays=0.01/0/0.25/0.16, dsn=2.0.0, status=sent (250 V3XX1Z0015JPXw40000000 mail accepted for delivery)
May 23 16:14:53 relay postfix/qmgr[2047]: 11A9E585B8: removed

But I have another question. I sent myself an e-mail from ya.com and this is the result:

May 23 16:17:55 relay postfix/smtpd[2660]: connect from mxb06.ya.com[62.151.11.212]
May 23 16:17:56 relay postfix/smtpd[2660]: setting up TLS connection from mxb06.ya.com[62.151.11.212]
May 23 16:17:56 relay postfix/smtpd[2660]: TLS connection established frommxb06.ya.com[62.151.11.212]: TLSv1 with cipher AES256-SHA (256/256 bits)
May 23 16:18:16 relay postfix/smtpd[2660]: warning: 212.11.151.62.sbl-xbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=212.11.151.62.sbl-xbl.spamhaus.org type=A: Host not found, try again
May 23 16:18:16 relay postfix/smtpd[2660]: 4AF8E5857E: client=mxb06.ya.com[62.151.11.212]
May 23 16:18:16 relay postfix/cleanup[2662]: 4AF8E5857E: message-id=<[hidden email]>
May 23 16:18:16 relay postfix/qmgr[2047]: 4AF8E5857E: from=<[hidden email]>, size=910, nrcpt=1 (queue active)
May 23 16:18:16 relay postfix/smtpd[2660]: disconnect from mxb06.ya.com[62.151.11.212]
May 23 16:18:21 relay postfix/smtpd[2666]: connect from relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/smtpd[2666]: 12709585B8: client=relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/cleanup[2662]: 12709585B8: message-id=<[hidden email]>
May 23 16:18:21 relay postfix/qmgr[2047]: 12709585B8: from=<[hidden email]>, size=1341, nrcpt=1 (queue active)
May 23 16:18:21 relay amavis[2193]: (02193-04) Passed CLEAN, [62.151.11.212] <[hidden email]> -> <[hidden email]>, Message-ID: <[hidden email]>, mail_id: q3DJIugPRlQO, Hits: -4, size: 910, queued_as: 12709585B8, 4691 ms
May 23 16:18:21 relay postfix/smtp[2663]: 4AF8E5857E: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=25, delays=20/0.03/0.01/4.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 12709585B8)
May 23 16:18:21 relay postfix/qmgr[2047]: 4AF8E5857E: removed
May 23 16:18:21 relay postfix/smtpd[2666]: disconnect from relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/smtp[2667]: 12709585B8: to=<[hidden email]>, relay=192.168.1.11[192.168.1.11]:25, delay=0.1, delays=0.02/0.02/0.02/0.05, dsn=2.6.0, status=sent (250 2.6.0 <[hidden email]> Queued mail for delivery)
May 23 16:18:21 relay postfix/qmgr[2047]: 12709585B8: removed


The ya.com server uses TLS with my Postfix server. I see that my Exchange server and Postfix server use TLS between them, but how can I make my Postfix use TLS with other servers when sending out?

> and this is an extract of the postfix:
>
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> status=0
>
>
> Does your exchange server have access to
> > the CA certificate of your Postfix servers TLS cert?
>
> It may be a newbie's question, but... How can I verify it?


> Well, if it is a self-signed certificate you need to output a DER version of
> your CA certificate, copy it to your Exchange server and import it into the
> certificate store.
>
> If you didn't do that yet, you will probably have to do so or your Exchange
> server might decide not to talk TLS with a party whose CA certificate it
> doesn't know.
>
> If the Postfix server certificate has been signed by an official CA, check if
> it is available in the certificate store and import that CA's CA certificate
> into your Exchange server, in case it wasn't there in the first place.

I've tried to generate a DER file, but it does not work in Exchange.

Thanks. Best regards,
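As an added example (not the thread's or Postfix's own code), a small checker for the poster's postconf -n output that covers his last question (why outbound TLS is invisible in the log and how to turn it on) together with a point the telnet session earlier in the thread shows but nobody raised: AUTH LOGIN PLAIN is offered on the cleartext EHLO before STARTTLS. Parameter names are real Postfix 2.3 parameters; the recommended values are this example's, and the CentOS CA bundle path /etc/pki/tls/certs/ca-bundle.crt is an assumption about the poster's system.

```python
"""Lint a 'postconf -n' dump for the TLS and SMTP AUTH posture discussed in this thread.

Added example, not code from the thread. Parameter names are real Postfix (2.3+)
parameters; the recommended values are this example's, and the CentOS CA bundle path
/etc/pki/tls/certs/ca-bundle.crt is an assumption about the poster's system.
"""

# Subset of the poster's 'postconf -n' output. postconf indents continuation lines
# (the thread's copy lost that indentation); this sample restores it.
SAMPLE_POSTCONF = """\
broken_sasl_auth_clients = yes
myhostname = relay.zubero.eu
mynetworks = 192.168.1.11
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
"""


def parse_postconf(text):
    """Parse 'postconf -n' output into {parameter: value}; indented lines continue the previous value."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            conf[last] = (conf[last] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        conf[last] = value.strip()
    return conf


def check_tls_posture(conf):
    """Return findings as (parameter, current value, recommended value, reason) tuples."""
    findings = []
    # Outbound (smtp client) side: the poster's last question.
    if "smtp_tls_security_level" not in conf:
        current = "unset (smtp_use_tls=%s)" % conf.get("smtp_use_tls", "no")
        findings.append(("smtp_tls_security_level", current, "may",
                         "smtp_use_tls is the pre-2.3 switch; 'may' is opportunistic STARTTLS "
                         "and can be tightened per destination with smtp_tls_policy_maps"))
    if int(conf.get("smtp_tls_loglevel", "0")) < 1:
        findings.append(("smtp_tls_loglevel", conf.get("smtp_tls_loglevel", "0"), "1",
                         "at level 0 the smtp client logs nothing about TLS, so the maillog "
                         "cannot show whether delivery to mx.ya.com used STARTTLS"))
    if not conf.get("smtp_tls_CAfile") and not conf.get("smtp_tls_CApath"):
        # Assumed CentOS location of the system CA bundle.
        findings.append(("smtp_tls_CAfile", "unset", "/etc/pki/tls/certs/ca-bundle.crt",
                         "without a CA bundle every outbound session is logged as Untrusted "
                         "and no destination can be set to the verify or secure level"))
    # Inbound (smtpd) side: the telnet EHLO showed AUTH LOGIN PLAIN before STARTTLS.
    if (conf.get("smtpd_sasl_auth_enable") == "yes"
            and conf.get("smtpd_tls_auth_only", "no") != "yes"):
        findings.append(("smtpd_tls_auth_only", conf.get("smtpd_tls_auth_only", "no"), "yes",
                         "AUTH is announced on the cleartext EHLO, so a client can send the "
                         "relay password unencrypted"))
    opts = conf.get("smtpd_sasl_security_options", "noanonymous")
    if "noplaintext" not in opts:
        findings.append(("smtpd_sasl_security_options", opts, "noanonymous, noplaintext",
                         "PLAIN and LOGIN are plaintext mechanisms; allow them inside TLS "
                         "only, via smtpd_sasl_tls_security_options = noanonymous"))
    return findings


def render_fixes(findings):
    """main.cf lines for the recommended values (the form 'postconf -e' accepts)."""
    lines = ["%s = %s" % (param, wanted) for param, _, wanted, _ in findings]
    if any(param == "smtpd_sasl_security_options" for param, _, _, _ in findings):
        # noplaintext alone would also disable PLAIN/LOGIN inside TLS, because the
        # TLS-only variant defaults to $smtpd_sasl_security_options; override it.
        lines.append("smtpd_sasl_tls_security_options = noanonymous")
    return lines


if __name__ == "__main__":
    found = check_tls_posture(parse_postconf(SAMPLE_POSTCONF))
    for param, current, wanted, reason in found:
        print("%s: %s -> %s  (%s)" % (param, current, wanted, reason))
    print("\n".join(render_fixes(found)))
```

After applying the fixes, the outbound log line to look for at smtp_tls_loglevel = 1 is the smtp client's "TLS connection established to" message, which the current level 0 never writes.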
Reply | Threaded
Open this post in threaded view
|

Re: Exchange does not work with TLS and SASL

Jose Manuel Pozo Pozo
2008/5/22, Patrick Ben Koetter <[hidden email]>:
* Jose Manuel Pozo Pozo <[hidden email]>:

> > > May 22 01:08:44 relay postfix/smtpd[3434]: connect from >
> > exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/smtpd[3434]: 8385458576: >
> > client=exchange.zubero.local[192.168.1.11]
> > > May 22 01:08:45 relay postfix/cleanup[3436]: 8385458576: >
> > message-id=<8ECDCAE4-1D0B-4CD2-9558-65020330F732@mimectl>
> > > May 22 01:08:45 relay postfix/smtpd[3434]: disconnect from >
> > exchange.zubero.local[192.168.1.11]
> >
> >
> > Your server does not use SMTP AUTH. Did you configure it to authenticate?
>
>
> I think so


Verify.

I have changed the master.cf (marked in red, before this lines are
commented and I uncommented them)  and some properties from Exchange
Server,
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

### BEGIN AMAVISD-NEW CONFIG

smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
### END AMAVISD-NEW CONFIG

Exchange:

1. Expand the Administrative Groups and navigate to SMTP virtual
server located in the Protocols folder.
2. Right click on Default SMTP Virtual Server and go to Properties
3. In the "IP address:" field, you should click on the down arrow and
change the option from "(All Unassigned") to a specific IP address of
your e-mail server.
4. You should also enable login and select NCSA Common Log File
Format. The SMTP log files will help you with debugging and
troubleshooting issues with TLS.
5. Click on "Authentication" button and select the following check boxes:

• Anonymous access

• Basic authentication (password is sent in clear text)

• Requires TLS encryption

• Integrated Windows

6.The second step is to configure appropriate routing group connectors
for each domain that requires TLS encryption. First you navigate to
the Routing Groups folder, expand it and go to the appropriate Routing
Group. After you expand it, you will go to Connectors folder and right
click it, then select New > SMTP Connector which will open the
following properties:

7. You will click on Advance tab to configure TLS encryption for this
connector.You will click on Outbound Security and check the TLS
encryption box.

And this is the result of tail -f /var/log/maillog

May 23 16:14:52 relay postfix/smtpd[2632]: connect from
exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: setting up TLS connection
from exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/smtpd[2632]: TLS connection established
from exchange.zubero.local[192.168.1.11]: TLSv1 with cipher RC4-MD5
(128/128 bits)
May 23 16:14:52 relay postfix/smtpd[2632]: D14F75857E:
client=exchange.zubero.local[192.168.1.11]
May 23 16:14:52 relay postfix/cleanup[2634]: D14F75857E:
message-id=<A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>
May 23 16:14:52 relay postfix/qmgr[2047]: D14F75857E:
from=<[hidden email]>, size=2035, nrcpt=1 (queue active)
May 23 16:14:52 relay postfix/smtpd[2632]: disconnect from
exchange.zubero.local[192.168.1.11]
May 23 16:14:53 relay postfix/smtpd[2637]: connect from
relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay postfix/smtpd[2637]: 11A9E585B8:
client=relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay postfix/cleanup[2634]: 11A9E585B8:
message-id=<A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>
May 23 16:14:53 relay postfix/qmgr[2047]: 11A9E585B8:
from=<[hidden email]>, size=2464, nrcpt=1 (queue active)
May 23 16:14:53 relay postfix/smtpd[2637]: disconnect from
relay.zubero.eu[127.0.0.1]
May 23 16:14:53 relay amavis[2192]: (02192-04) Passed CLEAN, MYNETS
LOCAL [192.168.1.11] <[hidden email]> -> <[hidden email]>, Message-ID:
<A3417DB8-EEEF-455F-9A7F-091DB274D67C@mimectl>, mail_id: K3zv9-JKd8wn,
Hits: -0.933, size: 2034, queued_as: 11A9E585B8, 215 ms
May 23 16:14:53 relay postfix/smtp[2635]: D14F75857E:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.27,
delays=0.04/0/0.01/0.22, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as 11A9E585B8)
May 23 16:14:53 relay postfix/qmgr[2047]: D14F75857E: removed
May 23 16:14:53 relay postfix/smtp[2638]: 11A9E585B8:
to=<[hidden email]>, relay=mx.ya.com[62.151.4.44]:25, delay=0.42,
delays=0.01/0/0.25/0.16, dsn=2.0.0, status=sent (250
V3XX1Z0015JPXw40000000 mail accepted for delivery)
May 23 16:14:53 relay postfix/qmgr[2047]: 11A9E585B8: removed

But I have another question. I sent myself one e-mail from ya.com and this
is the result:

May 23 16:17:55 relay postfix/smtpd[2660]: connect from
mxb06.ya.com[62.151.11.212]
May 23 16:17:56 relay postfix/smtpd[2660]: setting up TLS connection
from mxb06.ya.com[62.151.11.212]
May 23 16:17:56 relay postfix/smtpd[2660]: TLS connection established
frommxb06.ya.com[62.151.11.212]: TLSv1 with cipher AES256-SHA (256/256
bits)
May 23 16:18:16 relay postfix/smtpd[2660]: warning:
212.11.151.62.sbl-xbl.spamhaus.org: RBL lookup error: Host or domain
name not found. Name service error for
name=212.11.151.62.sbl-xbl.spamhaus.org type=A: Host not found, try
again
May 23 16:18:16 relay postfix/smtpd[2660]: 4AF8E5857E:
client=mxb06.ya.com[62.151.11.212]
May 23 16:18:16 relay postfix/cleanup[2662]: 4AF8E5857E:
message-id=<[hidden email]>
May 23 16:18:16 relay postfix/qmgr[2047]: 4AF8E5857E:
from=<[hidden email]>, size=910, nrcpt=1 (queue active)
May 23 16:18:16 relay postfix/smtpd[2660]: disconnect from
mxb06.ya.com[62.151.11.212]
May 23 16:18:21 relay postfix/smtpd[2666]: connect from
relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/smtpd[2666]: 12709585B8:
client=relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/cleanup[2662]: 12709585B8:
message-id=<[hidden email]>
May 23 16:18:21 relay postfix/qmgr[2047]: 12709585B8:
from=<[hidden email]>, size=1341, nrcpt=1 (queue active)
May 23 16:18:21 relay amavis[2193]: (02193-04) Passed CLEAN,
[62.151.11.212] <[hidden email]> -> <[hidden email]>, Message-ID:
<[hidden email]>, mail_id: q3DJIugPRlQO,
Hits: -4, size: 910, queued_as: 12709585B8, 4691 ms
May 23 16:18:21 relay postfix/smtp[2663]: 4AF8E5857E:
to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=25,
delays=20/0.03/0.01/4.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as 12709585B8)
May 23 16:18:21 relay postfix/qmgr[2047]: 4AF8E5857E: removed
May 23 16:18:21 relay postfix/smtpd[2666]: disconnect from
relay.zubero.eu[127.0.0.1]
May 23 16:18:21 relay postfix/smtp[2667]: 12709585B8:
to=<[hidden email]>, relay=192.168.1.11[192.168.1.11]:25, delay=0.1,
delays=0.02/0.02/0.02/0.05, dsn=2.6.0, status=sent (250 2.6.0
<[hidden email]> Queued mail for delivery)
May 23 16:18:21 relay postfix/qmgr[2047]: 12709585B8: removed

The ya.com server uses TLS with my Postfix server. I see that my Exchange
server and Postfix server use TLS between them, but...

How can I make my Postfix use TLS with other servers when sending out?

> and this is an extract of the postfix:
>
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> relay postfix/smtpd[4299]: generic_checks: name=permit_sasl_authenticated
> status=0
>
>
> > Does your exchange server have access to
> > the CA certificate of your Postfix server's TLS cert?
>
> It may be a newbie's question, but... How can I verify it?


Well, if it is a self-signed certificate you need to output a DER version of
your CA certificate, copy it to your Exchange server and import it into the
certificate store.

If you didn't do that yet, you will probably have to do so or your Exchange
server might decide not to talk TLS with a party whose CA certificate it
doesn't know.


If the Postfix server certificate has been signed by an official CA, check if
it is available in the certificate store and import that CA's CA certificate
into your Exchange server, in case it wasn't there in the first place.

I've tried to generate a DER file but it does not work in Exchange.

Thanks. Best regards,
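The conversion and check described in the reply above, as an added example that is not part of the thread: it turns a PEM CA certificate into the DER file the Exchange certificate store import accepts, tells whether the certificate is self-signed (issuer equal to subject), and can show which chain the relay actually presents on port 25. The file paths and the throw-away demo CA are constructed; the relay host name is taken from the logs above.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed on the
# Postfix box; certificate paths are assumptions.
set -e

# Convert a PEM (base64) X.509 certificate to binary DER for Windows import.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Exit status 0 when the certificate is self-signed (issuer == subject), i.e.
# the certificate itself is the CA certificate that Exchange must trust.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Show the chain the relay really presents after STARTTLS (needs network;
# host name defaults to the relay seen in the maillog above).
show_relay_chain() {
    openssl s_client -starttls smtp -connect "${1:-relay.zubero.eu}:25" \
        -showcerts </dev/null
}

# Constructed demo: throw-away self-signed CA in a temp dir, converted to DER.
# Prints the directory so the files can be inspected or copied to Exchange.
make_demo_ca() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-relay-ca" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    pem_to_der "$dir/ca.pem" "$dir/ca.der"
    echo "$dir"
}

d=$(make_demo_ca)
if is_self_signed "$d/ca.pem"; then
    echo "self-signed CA: copy $d/ca.der to Exchange and import it"
else
    echo "signed by another CA: import that CA's certificate instead"
fi
```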