Hi all,

Don't you love it when you can struggle with something for 2 days, 'give up' and post to a mailing list only to look like a fool and solve the problem a few minutes later? Yeah, that's me.

But for posterity/mailing list's sake: In addition to the info below, all I had to do was add `smtp_tls_security_level = encrypt` to my /etc/postfix/main.cf, restart the daemon by `/etc/init.d/postfix restart` and all was well.

My interpretation is that setting smtpd_use_tls = yes only "allows" you to use TLS, but you need to have smtp_tls_security_level set to something OTHER than none to actually work over an encrypted channel. Perhaps I am misstating things, but that is not intuitive at all for a newbie like myself and it was not obvious that encryption is not enabled by default... Wouldn't "smtp_tls_security_level <http://www.postfix.org/postconf.5.html#smtp_tls_security_level> = may" be a more sensible default when the user already enabled "smtpd_use_tls = yes"?

At the very least I recommend someone more knowledgeable than me add some information to the existing documentation linked below, and provide a hint connecting the two configuration parameters.

http://www.postfix.org/postconf.5.html#smtpd_use_tls
http://www.postfix.org/TLS_README.html#client_tls

Also I found the following websites helpful when testing the connection by hand (to test and see if the problem was on the Exchange side):

http://qmail.jms1.net/test-auth.shtml (provides most steps necessary)
http://www.fehcom.de/qmail/smtpauth.html (provided the hand-to-forehead moment when I realized the exchange provider requires AUTH LOGIN, and using the base64 encoding method above to login interactively)

Thanks :)
Matt Van Mater

On Wed, Jun 20, 2012 at 2:07 PM, Matt Van Mater <matt.vanma...@gmail.com> wrote:

> Hi all,
>
> I have searched the marc.info list archives but can't seem to find an
> answer for what I am sure is a simple problem, my apologies in advance. I
> have a php webapp that I need to send emails from, and would like to
> configure postfix 'client' on the webserver(s) as a smarthost to relay
> messages to an upstream Exchange server (managed hosting). I have reviewed
> many howtos and guides to no avail, but the example below is primarily
> based off of this
> http://www.howtoforge.com/postfix_relaying_through_another_mailserver
>
> My provider's FAQ is a bit light on the details (IMO) and simply states
> that a TLS or SSL connection is required. I _think_ that means they are
> using STARTTLS under the hood, since they definitely are not doing a full
> SSL tunnel of all traffic traversing TCP/25. I believe the logs below
> verify this.
>
> My system is Ubuntu 10.04.4 LTS fully patched, dpkg -l shows I am running
> Postfix version "2.7.0-1ubuntu0.2". I enabled additional debugging and
> reviewed the logs but don't see an obvious next step. I have also tried
> the noanonymous and noplaintext sasl security options but seem to receive
> the same errors regarding "offered null AUTH mechanism list" and "no
> compatible authentication mechanisms" no matter what setting I change.
>
> What's the best next step? My config is as follows...
>
> executing `postconf -n` shows:
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> debug_peer_list = east.my.exchange.provider.net
> inet_interfaces = loopback-only
> mailbox_size_limit = 0
> mydestination = WebPortal.mycompany.com, WebPortal, localhost.localdomain, localhost
> myhostname = WebPortal
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relayhost = east.my.exchange.provider.net
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
>
> executing `openssl s_client -connect east.my.exchange.provider.net:25 -starttls smtp`
> shows that the exchange server has a valid certificate.
>
> executing `cat /var/log/mail.log` shows:
> Jun 20 07:35:42 WebPortal postfix/master[2756]: daemon started -- version 2.7.0, configuration /etc/postfix
> Jun 20 07:36:30 WebPortal postfix/pickup[2758]: 5C881213B3: uid=0 from=<root>
> Jun 20 07:36:30 WebPortal postfix/cleanup[2929]: 5C881213B3: message-id=<20120620113630.5C881213B3@WebPortal>
> Jun 20 07:36:30 WebPortal postfix/qmgr[2759]: 5C881213B3: from=<r...@webportal.mycompany.com>, size=342, nrcpt=1 (queue active)
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 220 east.my.exchange.provider.net Microsoft ESMTP MAIL Service ready at Wed, 20 Jun 2012 10:08:46 -070
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: > east.my.exchange.provider.net[5.6.7.8]:25: EHLO WebPortal
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-east.my.exchange.provider.net Hello [1.2.3.4]
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-SIZE 52428800
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-PIPELINING
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-DSN
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-ENHANCEDSTATUSCODES
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-STARTTLS
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-AUTH
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-8BITMIME
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250-BINARYMIME
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: < east.my.exchange.provider.net[5.6.7.8]:25: 250 CHUNKING
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: warning: east.my.exchange.provider.net[5.6.7.8]:25 offered null AUTH mechanism list
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: server features: 0x903f size 52428800
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: Using ESMTP PIPELINING, TCP send buffer size is 4096
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: maps_find: smtp_sasl_passwd: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix): east.my.exchange.provider.net = supp...@mycompany.com:#e
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: smtp_sasl_passwd_lookup: host `east.my.exchange.provider.net' user `supp...@mycompany.com' pass `mypass'
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: connect to subsystem private/defer
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr nrequest = 0
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr flags = 0
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr queue_id = 5C881213B3
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr original_recipient = matt.vanma...@mycompany.com
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr recipient = matt.vanma...@mycompany.com
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr offset = 562
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr dsn_orig_rcpt =
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr notify_flags = 0
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr status = 4.7.0
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr diag_type =
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr diag_text =
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr mta_type =
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr mta_mname =
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr action = delayed
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: send attr reason = SASL authentication failed: server east.my.exchange.provider.net[5.6.7.8] offered no compatible authentication mechanisms for this type of connection security
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: private/defer socket: wanted attribute: status
> Jun 20 07:36:30 WebPortal postfix/smtp[2931]: input attribute name: status
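
An added example, not part of the original thread and not Postfix code: a small Python audit of `postconf -n` output that flags the situation in this thread, where SASL authentication to a relayhost is enabled but only the server-side `smtpd_*` TLS parameters are set (`smtpd_*` configures the Postfix SMTP server, `smtp_*` the SMTP client). The finding names, and the policy that an authenticating relay client should run at `encrypt` or stronger, are assumptions of this example.

```python
# Levels at which the Postfix SMTP client refuses to continue without TLS.
ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Constructed sample: client-relevant lines from the `postconf -n` output in the thread.
SAMPLE = """\
relayhost = east.my.exchange.provider.net
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_use_tls = yes
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict; an empty value is kept as ''."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith("#"):
            params[name.strip()] = value.strip()
    return params

def client_tls_level(params):
    """Effective smtp(8) client level; smtpd_* settings are deliberately ignored."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if params.get("smtp_enforce_tls") == "yes":   # legacy equivalent of "encrypt"
        return "encrypt"
    if params.get("smtp_use_tls") == "yes":       # legacy equivalent of "may"
        return "may"
    return "none"

def audit(params):
    """Return finding codes (the names are this example's own, not Postfix's)."""
    findings = []
    level = client_tls_level(params)
    if params.get("smtp_sasl_auth_enable") != "yes" or level in ENFORCING:
        return findings
    findings.append("CLIENT_TLS_NOT_ENFORCED")       # SASL relay without mandatory STARTTLS
    if level == "none" and params.get("smtpd_use_tls") == "yes":
        findings.append("ONLY_SERVER_SIDE_TLS_SET")  # smtpd_* covers inbound mail only
    opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noplaintext" not in opts.replace(",", " ").split():
        findings.append("PLAINTEXT_AUTH_ALLOWED_IN_CLEAR")
    return findings

if __name__ == "__main__":
    for code in audit(parse_postconf(SAMPLE)):
        print(code)
```

On a live host, feed it the real settings with `audit(parse_postconf(subprocess.check_output(["postconf", "-n"], text=True)))`.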