Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-10 Thread fleon
Hello, I am using Debian 7.3 with Postfix, and am trying to send email
through our Exchange 2007 server. I have read tons of posts but I have been
unable to get it to work.

I am using the postfix package that comes with Debian, and also installed
libsasl2-modules.

In main.cf I tried the following:

relayhost= exchangeserver.ourdomain.com
smtp_sasl_security_options=
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd

I get 535 5.7.3 Authentication unsuccessful, so I also tried using telnet
to port 25.

I am using the command AUTH NTLM, which returns 334, but so far I have tried
unsuccessfully to enter the login as follows:

myu...@mydomain.com
domain\myuser
exchangeserver\myuser

Using Wireshark I did see my Outlook client on my Windows box try to log in
to Exchange with:

AUTH3: call_id: 2, Fragment: Single, NTLMSSP_AUTH, User:
exchangeserver\myuser

In auth.log I get (2 times):
NTLM client step 1
NTLM client step 2
server flags: ff810205
server domain: DOMAIN
calculating NT response

In /etc/postfix/sasl/sasl_passwd I have:
exchangeserver.ourdomain.com myu...@ourdomain.com:password

I did run postmap hash:/etc/postfix/sasl/sasl_passwd and
/etc/postfix/main.cf as well

I do have a workaround if I cannot get this to work, which is to use a
virtual SMTP server that is on our Windows web server, which doesn't ask for
authentication; I have already tested it and it works. But I would like
to learn how to do this properly.

Thanks in advance





--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Exchange-2007-gives-535-5-7-3-Authentication-unsuccessful-tp65072.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-10 Thread fleon
I added the debug command you requested so you can see the whole error. I
don't seem to have DNS issues, so I haven't felt the need for the brackets. I
do seem to have the NTLM module.

I am aware of base64, so in my tests with telnet I did use base64 to enter the
username, but as soon as I pressed Enter I got the errors I posted. I wanted
to find out the proper username syntax so I could edit the SASL password
file properly.

My tests are being done with the sendmail command.

I don't know how to configure the Linux box properly, so users by default
try to use the sendmail command as "u...@mydomain.com" instead of
"u...@helpdesk.mydomain.com". This box is being configured as a helpdesk,
therefore it has a "helpdesk" hostname.

syslog.txt   





Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-10 Thread fleon
Well, I tried with [] in both files, and also tried changing the SASL password
file to use domain\user instead of u...@domain.com, and still I get the same
errors.

I wonder if Exchange is rejecting anything without TLS. Our Exchange has a
self-signed certificate and I know if I want to try TLS I will need to add
it.

I am trying to do all of this to integrate the helpdesk request tracker with
Exchange, but I guess I will stick with the virtual SMTP server. It is
insecure since it doesn't do authentication, but that server does not face
the internet directly, and our web server already uses it to send email from
web apps, so we were already at risk anyway.

Now, to handle incoming mail, which I guess will be handled by fetchmail.





Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
I disabled NTLM with sasl_mechanism_filter = !ntlm but of course now I get an
error that the server offered no compatible authentication mechanism.

When I telnet to my Exchange server I only get:

STARTTLS
X-ANONYMOUS TLS
AUTH NTLM
X-EXPS GSSAPI NTLM

Like I said, if I cannot get this to work, I will rely on the virtual SMTP
server that is located on my web server, which is what we already use for our
website.









Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
Hello, can you please put your relevant main.cf, /etc/postfix/generic,
/etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
/etc/aliases and maybe a syslog entry after doing a test with
/usr/sbin/sendmail?

Please mangle your username, domain and password hashes.

Your server seems quite similar to mine, but if you don't have NTLM
installed, I think you may be using TLS to connect, and would probably need
the syslog entry to confirm.

My Exchange server is "exchangeserver.ourdomain.com" and it's the 2007
version.
Our Windows "long" domain name is "ourdomain.com".
Our Windows "short" domain name is "SEGCAT".

I tried using EXCHANGESERVER\myuser, myu...@ourdomain.com and SEGCAT\myuser
in the SASL hash file and it didn't work.

I am using Debian 7.3, with apt-get install postfix libsasl2-modules.







Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
I tried to connect with this command:

openssl s_client -starttls smtp -crlf -connect exchangeserver.ourdomain.com:25

It connects, though it says it can't validate the certificate (which is
expected, our Exchange certificate is self-signed).

After EHLO I now get:
AUTH NTLM LOGIN

So I tried with LOGIN and it requested my username and password in base64.

After typing them manually encoded, I got a RENEGOTIATING and finally a
handshake failure. Don't know if it's because I typed the username in the wrong
format or if it just didn't like the certificate.





Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
I have this in my main.cf (note: I didn't set this up, my guess is that
Debian itself did, or maybe when I installed libsasl2-modules, but I don't
think so)

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

This is the rest of the relevant content in main.cf
myhostname = helpdesk.ourdomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = helpdesk.ourdomain.com

relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_security_options =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes

I tried then:

smtp_sasl_tls_security_options
smtp_sasl_mechanism_filter = login

But if I do the last line, then it says NTLM isn't allowed.

What am I missing to enable TLS properly and then be able to use AUTH LOGIN?






Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
FINALLY it worked, but not before I disabled NTLM in the config, because
otherwise it would try it.

So, I had to enable client-side TLS and disable NTLM. It says untrusted
connection in the logs, and I tried modifying the mynetworks variable below
but couldn't fix it. It may be untrusted because of the invalid Exchange
certificate.

For reference, here is the main.cf I used. I am aware of the obsolete
and unneeded entries.

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = helpdesk.seguroscatatumbo.com
relayhost = [mar-exch01.seguroscatatumbo.com]
smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login !ntlm
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes
###
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24

/etc/aliases contains one modification:
root: myuser

/etc/postfix/generic has one line:
r...@helpdesk.ourdomain.com myu...@ourdomain.com

/etc/postfix/sasl/sasl_passwd has one line:
[exchangeserver.ourdomain.com] DOMAIN\myuser:mypass

Now, a final question that isn't exactly relevant to Postfix. Can I make
emails sent come from "myu...@ourdomain.com" instead of the default
"myu...@helpdesk.ourdomain.com"?

I am aware that my Linux box is called "helpdesk" and that /etc/hosts says:

127.0.0.1 helpdesk
127.0.0.1 helpdesk.ourdomain.com helpdesk

I tried setting mydestination in main.cf to ourdomain.com but then
Postfix didn't try to relay to Exchange, which I guess is the right behaviour.
I am aware that when I configure the helpdesk I may try just impersonating
the account as helpd...@ourdomain.com without touching anything else.




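The security-relevant weakness in the working main.cf above is that smtp_sasl_security_options was emptied and smtp_tls_security_level is only "may": if STARTTLS fails or is stripped, Postfix still sends the AUTH LOGIN password in the clear. As an added check (not from the thread), the following Python script parses main.cf syntax and flags those client-side settings; the hardened counterpart, the CA file path and the relayhost name are assumptions for illustration.

```python
"""Audit the client-side (smtp_*) relay settings of a Postfix main.cf.
Added example, not from the thread; absent parameters are taken at their
Postfix defaults, so only an explicitly weakened option gets flagged."""
import re

# Constructed from the main.cf posted above (relayhost name as in the thread).
POSTED_MAIN_CF = """\
relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = login !ntlm
smtp_tls_security_level = may
smtp_tls_CAfile =
"""

# Assumed hardened counterpart: mandatory TLS verified against the internal
# CA that issued the Exchange certificate (path is an assumption), and
# plaintext SASL mechanisms only offered inside the TLS session.
HARDENED_MAIN_CF = """\
relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = login
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/internal-ca.pem
"""

DEFAULTS = {"smtp_sasl_security_options": "noplaintext, noanonymous", "smtp_tls_security_level": ""}
TLS_MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Return {parameter: value}; handles '#' comments and continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:  # continuation of the previous value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit_relay_config(text):
    """Return (parameter, finding) pairs; an empty list means nothing flagged."""
    p = {**DEFAULTS, **parse_main_cf(text)}
    findings = []
    level = p["smtp_tls_security_level"]
    if level not in TLS_MANDATORY:  # 'may' falls back to plaintext if STARTTLS fails
        findings.append(("smtp_tls_security_level",
                         "'%s' does not force TLS, so AUTH LOGIN can go out in clear" % (level or "none")))
    if level in {"verify", "secure"} and not (p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
        findings.append(("smtp_tls_CAfile", "verification requested but no CA bundle configured"))
    sasl_opts = set(re.split(r"[,\s]+", p["smtp_sasl_security_options"].strip())) - {""}
    if "noplaintext" not in sasl_opts:
        findings.append(("smtp_sasl_security_options",
                         "plaintext mechanisms (LOGIN, PLAIN) allowed on an unencrypted session"))
    return findings
```

Run audit_relay_config() on the real /etc/postfix/main.cf contents after any change to the relay settings; the "untrusted" log line in the post goes away only once the issuing CA is in smtp_tls_CAfile and the level is raised.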


Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful

2014-02-11 Thread fleon
I am fine with the end result. The untrusted message is rather cosmetic; I
would like to know how to import the certificate or rather trust the server
(as I thought the mynetworks variable would do), but it's no biggie.

The server is inside our LAN and the relay will only be used for our
helpdesk, which will be internal.

Some would argue that using the virtual SMTP server (that asks for no
password) is better, since with the current setup I have to make sure the
user that will send the mail (which should be static, as they will be
automatically sent by the helpdesk) has a password that either doesn't
change, or keep the password updated in the hash.





Cannot start TLS: handshake failure when relaying through Exchange 2007

2016-09-15 Thread fleon
After two years of successful emails sent by Postfix through our Exchange
2007 server I have started having problems. I did update Debian 7 to Debian
8, so I don't know what Postfix/OpenSSL version I had back then.

Postfix itself gives out these errors:

Sep 14 11:52:52 mar-zabbix postfix/pickup[3886]: 0891F5006D1: uid=33
from=
Sep 14 11:52:52 mar-zabbix postfix/cleanup[10371]: 0891F5006D1:
message-id=
Sep 14 11:52:52 mar-zabbix postfix/qmgr[1454]: 0891F5006D1:
from=, size=2779, nrcpt=1 (queue active)
Sep 14 11:52:53 mar-zabbix postfix/pickup[10376]: 32D975004EE: uid=33
from=
Sep 14 11:52:53 mar-zabbix postfix/cleanup[10371]: 32D975004EE:
message-id=
Sep 14 11:52:53 mar-zabbix postfix/qmgr[1454]: 32D975004EE:
from=, size=3019549, nrcpt=1 (queue
active)
Sep 14 11:52:53 mar-zabbix postfix/pickup[10376]: A4DA150056C: uid=33
from=
Sep 14 11:52:53 mar-zabbix postfix/cleanup[10371]: A4DA150056C:
message-id=
Sep 14 11:52:54 mar-zabbix postfix/qmgr[1454]: A4DA150056C:
from=, size=3017969, nrcpt=1 (queue
active)
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: 32D975004EE: Cannot start
TLS: handshake failure
Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: 0891F5006D1: Cannot start
TLS: handshake failure
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: A4DA150056C: Cannot start
TLS: handshake failure
Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: SSL_connect error to
mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: 0891F5006D1:
to=, relay=mar-exch01.mydomain.com[192.168.100.222]:25,
delay=2.5, delays=0.9/1.3/0.31/0, dsn=4.7.5, status=deferred (Cannot start
TLS: handshake failure)
Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: A4DA150056C:
to=, relay=mar-exch01.mydomain.com[192.168.100.223]:25,
delay=0.94, delays=0.83/0.05/0.05/0, dsn=4.7.5, status=deferred (Cannot
start TLS: handshake failure)
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: 32D975004EE:
to=, relay=mar-exch01.mydomain.com[192.168.100.222]:25,
delay=2.2, delays=1.7/0.23/0.26/0, dsn=4.7.5, status=deferred (Cannot start
TLS: handshake failure)

I try to connect through openssl and I get the following (never mind our
self-signed certificate):

openssl s_client -starttls smtp -crlf -connect mar-exch01.mydomain.com:25
CONNECTED(0003)
depth=0 CN = mar-exch01.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mar-exch01.mydomain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = mar-exch01.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mar-exch01.mydomain.com
   i:/DC=com/DC=mydomain/CN=seguros
---
Server certificate
-----BEGIN CERTIFICATE-----
[OMITTED]
-----END CERTIFICATE-----
subject=/CN=mar-exch01.mydomain.com
issuer=/DC=com/DC=mydomain/CN=seguros
---
No client certificate CA names sent
---
SSL handshake has read 2073 bytes and written 506 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: RC4-MD5
Session-ID:
88047C4AC8A71A35AB320EBEADAFF6A58AE184D2A17B675A2B42254E03E9
Session-ID-ctx:
Master-Key:
8FF1A6884F0E831516914A94CB678BAF011CA2E2078472E9286713404C078484967AAF3CB66607058D4218EBCC26EE0E
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1473881827
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
250 XRDST
EHLO
250-mar-exch01.mydomain.com Hello [192.168.3.11]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
AUTH LOGIN [user in base64]
334 UGFzc3dvcmQ6
[password in base 64]
RENEGOTIATING
3073844924:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:637:

Postfix is 2.11.3 and OpenSSL 1.0.1t. Is this an OpenSSL bug?

Here's the postfix configuration that used to work:
main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cer
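The following Python script, added here and not part of the post, parses a constructed copy of the s_client summary above and reports what makes this session fragile: TLSv1 with RC4-MD5, a 1024-bit server key, no RFC 5746 secure renegotiation and an unverifiable chain. (Interactive s_client also treats a typed line beginning with "R" as a renegotiation request, which is consistent with RENEGOTIATING appearing right after the base64 password line.) The sample text and the thresholds are the example's own assumptions.

```python
"""Assess the TLS summary printed by `openssl s_client -starttls smtp`.
Added example, not from the thread; thresholds below are the example's own."""
import re

# Constructed sample trimmed from the s_client output above (session keys omitted).
SAMPLE_S_CLIENT = """\
depth=0 CN = mar-exch01.mydomain.com
verify error:num=21:unable to verify the first certificate
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")

def parse_s_client(text):
    """Extract protocol, cipher, key size, secure-renegotiation flag and verify code."""
    info = {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Protocol\s*:\s*(\S+)", line):
            info["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", line):
            info["key_bits"] = int(m.group(1))
        elif line.startswith("Secure Renegotiation"):
            info["secure_renegotiation"] = "IS supported" in line
        elif m := re.match(r"Verify return code: (\d+)", line):
            info["verify_code"] = int(m.group(1))
    return info

def assess(info):
    """Return findings a relay operator should act on; an empty list means clean."""
    findings = []
    if info.get("protocol") in LEGACY_PROTOCOLS:
        findings.append("legacy protocol %s negotiated" % info["protocol"])
    cipher = info.get("cipher", "")
    if any(tok in cipher.upper() for tok in WEAK_CIPHER_TOKENS):
        findings.append("weak cipher suite %s" % cipher)
    if info.get("key_bits", 0) < 2048:
        findings.append("server key is only %d bits" % info.get("key_bits", 0))
    if not info.get("secure_renegotiation", False):
        # Patched OpenSSL clients refuse to renegotiate with a server lacking
        # RFC 5746, so s_client's 'R' command ends in a handshake failure.
        findings.append("no secure renegotiation (RFC 5746)")
    if info.get("verify_code", -1) != 0:
        findings.append("certificate chain not verified (code %s)" % info.get("verify_code"))
    return findings
```

Feed it the saved output of `openssl s_client -starttls smtp -crlf -connect host:25 </dev/null` to check a relay without the interactive-command pitfall.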

Re: Cannot start TLS: handshake failure when relaying through Exchange 2007

2016-09-15 Thread fleon
For additional clarification, I was able to telnet to our Exchange server and
authenticate to it just fine:

telnet mar-exch01 25
Connected to mar-exch01.mydomain.com.
Escape character is '^]'.
220 mar-exch01.mydomain.com Microsoft ESMTP MAIL Service ready at Thu, 15
Sep 2016 08:21:03 -0400
EHLO
250-mar-exch01.mydomain.com Hello [192.168.3.11]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
AUTH LOGIN
334 Username:
[base64 username]
334 Password:
[base64 password]
235 2.7.0 Authentication successful
mail from:u...@mydomain.com
250 2.1.0 Sender OK
rcpt to:otheru...@mydomain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
test
.
250 2.6.0 <5cea5ff8-146e-417a-8749-28ba35015...@mar-exch01.mydomain.com>
Queued mail for delivery.

I want the helpdesk software to use Postfix to send emails to users in our
domain through Exchange; at the same time I want Exchange to send emails to
Postfix users when the domain is linuxhost.mydomain.com, which I did through
Exchange's SMTP connector feature.

The helpdesk software has a special alias that forwards email from the
specified destination account to a Perl script that creates/updates a ticket.





Re: Cannot start TLS: handshake failure when relaying through Exchange 2007

2016-09-15 Thread fleon
Thank you Viktor, with your configuration changes now it works again!
Indeed, Exchange is running on Windows Server 2003 R2 and an upgrade is
overdue. After two years of delay, finally it will get upgraded in two
months.


