Unable to send mail via office365

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Unable to send mail via office365

Gerard E. Seibert
postfix 3.6-20200316
FreeBSD 11.3 p7
OpenSSL 1.1.1f

For several years, I was able to sent mail via Outlook. Suddenly, as of
yesterday, it fails.

This is the log output from one attempt from postfix:

Apr  8 05:33:46 scorpio postfix/smtp[73032]: Trusted TLS connection established to smtp.office365.com[40.97.124.210]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Apr  8 05:33:46 scorpio postfix/smtp[73032]: 48xzc94xjxz5cMW: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.97.124.210]: invalid parameter supplied

I know this is not a postfix problem; however, I was wondering is
anyone had any ideas as to what might have suddenly happened.

--
Gerard
Reply | Threaded
Open this post in threaded view
|

Re: Unable to send mail via office365

Erwan David
Le 08/04/2020 à 12:42, Gerard E. Seibert a écrit :

> postfix 3.6-20200316
> FreeBSD 11.3 p7
> OpenSSL 1.1.1f
>
> For several years, I was able to sent mail via Outlook. Suddenly, as of
> yesterday, it fails.
>
> This is the log output from one attempt from postfix:
>
> Apr  8 05:33:46 scorpio postfix/smtp[73032]: Trusted TLS connection established to smtp.office365.com[40.97.124.210]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Apr  8 05:33:46 scorpio postfix/smtp[73032]: 48xzc94xjxz5cMW: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.97.124.210]: invalid parameter supplied
>
> I know this is not a postfix problem; however, I was wondering is
> anyone had any ideas as to what might have suddenly happened.
>

I got this problem sometime ago. It was due to a difference in the NTLM
used by postfix (I think it comes from dovecot) and the one used by MS.
Adding
smtp_sasl_mechanism_filter = plain, login
made things work again
Reply | Threaded
Open this post in threaded view
|

Re: Unable to send mail via office365

Viktor Dukhovni
On Wed, Apr 08, 2020 at 02:46:00PM +0200, Erwan David wrote:

> I got this problem sometime ago. It was due to a difference in the
> NTLM used by postfix (I think it comes from dovecot) and the one used
> by MS.

For the record, the change is in SASL, and Postfix uses Dovecot SASL
only when receiving mail.  When sending, Postfis uses Cyrus SASL,
which perhaps the OP upgraded to include XOAUTH2 support.

The SASL mechanisms supported by [smtp.office365.com]:587 are:

    posttls-finger: < 250-BL0PR02CA0022.outlook.office365.com Hello [...]
    posttls-finger: < 250-SIZE 157286400
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-AUTH LOGIN XOAUTH2
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > QUIT

"LOGIN" and "XOAUTH2".  Terminology corrections aide, disabling the
latter via:

> Adding
> smtp_sasl_mechanism_filter = plain, login
> made things work again

is most likely the correct solution, with "login" the one that'll be
used in the case of "[smtp.outlook.com]:587".

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Unable to send mail via office365

Viktor Dukhovni

> On Apr 8, 2020, at 12:12 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> The SASL mechanisms supported by [smtp.office365.com]:587 are:
>
>    posttls-finger: < 250-BL0PR02CA0022.outlook.office365.com Hello [...]
>    posttls-finger: < 250-SIZE 157286400
>    posttls-finger: < 250-PIPELINING
>    posttls-finger: < 250-DSN
>    posttls-finger: < 250-ENHANCEDSTATUSCODES
>    posttls-finger: < 250-AUTH LOGIN XOAUTH2
>    posttls-finger: < 250-8BITMIME
>    posttls-finger: < 250-BINARYMIME
>    posttls-finger: < 250-CHUNKING
>    posttls-finger: < 250 SMTPUTF8
>    posttls-finger: > QUIT
>
> "LOGIN" and "XOAUTH2".  Terminology corrections aide, disabling the
> latter via:
>
>> Adding
>> smtp_sasl_mechanism_filter = plain, login
>> made things work again
>
> is most likely the correct solution, with "login" the one that'll be
> used in the case of "[smtp.outlook.com]:587".

That said, we might unfortunately have to figure out how to deal with
XOAUTH2 at some point:

  https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: Unable to send mail via office365

Wietse Venema
Viktor Dukhovni:

>
> > On Apr 8, 2020, at 12:12 PM, Viktor Dukhovni <[hidden email]> wrote:
> >
> > The SASL mechanisms supported by [smtp.office365.com]:587 are:
> >
> >    posttls-finger: < 250-BL0PR02CA0022.outlook.office365.com Hello [...]
> >    posttls-finger: < 250-SIZE 157286400
> >    posttls-finger: < 250-PIPELINING
> >    posttls-finger: < 250-DSN
> >    posttls-finger: < 250-ENHANCEDSTATUSCODES
> >    posttls-finger: < 250-AUTH LOGIN XOAUTH2
> >    posttls-finger: < 250-8BITMIME
> >    posttls-finger: < 250-BINARYMIME
> >    posttls-finger: < 250-CHUNKING
> >    posttls-finger: < 250 SMTPUTF8
> >    posttls-finger: > QUIT
> >
> > "LOGIN" and "XOAUTH2".  Terminology corrections aide, disabling the
> > latter via:
> >
> >> Adding
> >> smtp_sasl_mechanism_filter = plain, login
> >> made things work again
> >
> > is most likely the correct solution, with "login" the one that'll be
> > used in the case of "[smtp.outlook.com]:587".
>
> That said, we might unfortunately have to figure out how to deal with
> XOAUTH2 at some point:
>
>   https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508

One courageous person wrote a web page on this:

Setting Up OAUTH2 Support for Fetchmail and Postfix
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Unable to send mail via office365

Viktor Dukhovni


> On Apr 8, 2020, at 6:35 PM, Wietse Venema <[hidden email]> wrote:
>
> One courageous person wrote a web page on this:
>
> Setting Up OAUTH2 Support for Fetchmail and Postfix
> http://mmogilvi.users.sourceforge.net/software/oauthbearer.html


Wow!  And this is what we call progress nowdays... :-(

--
        Viktor.