2

I'm getting

(delivery temporarily suspended: SASL authentication failed; server myserver.com[xxx.xxx.xxx.x] said: 535 5.7.3 Authentication unsuccessful)
when I try to relay mail from Postfix 2.5.5-1.1 on a Debian Lenny box to Exchange 2010.

I think I tried all possible combinations but I'm definitely missing something. Here is the relevant part of main.cf:

broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_pix_workarounds =
smtp_sasl_type = cyrus
smtp_always_send_ehlo = yes
relayhost = myserver.com

And I have libsasl2-modules installed. Has anybody managed to successfully relay mail between Postfix and Exchange? Oh, and I already double-checked if the password is right.

helcim

2 Answers

1

The Exchange Server will offer GSSAPI (Kerberos) but it seems that Cyrus SASL providing authentication service to Postfix was not configured to handle GSSAPI.

man 5 postconf | less +/^smtp_sasl_mechanism_filter

this will tell you what you need to set smtp_sasl_mechanism_filter to in order to get this to authenticate properly.

Khushil
  • So if I'm right I should have smtp_sasl_mechanism_filter = gssapi, but then I'm getting postfix/smtp[3196]: warning: myserver.com[xxx.xxx.xxx.x]:25 offered no supported AUTH mechanisms: 'NTLM' – helcim Oct 08 '10 at 13:46
  • That would suggest that the MS Exchange Server is set up with another auth mechanism - can you please check which auth is turned on on the MS Exchange server, or follow the guide at http://support.microsoft.com/kb/239869 to set up NTLM(GSSAPI) with the MS Exchange server. – Khushil Oct 08 '10 at 16:41
  • You could also try smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest – Khushil Oct 08 '10 at 18:54
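The mechanism filtering discussed in this answer and its comments, as an added example that is not part of the original thread: it lists the AUTH mechanisms in an EHLO reply and applies a simplified model of smtp_sasl_mechanism_filter (literal names, `!` exclusions and a `static:` catch-all only). The EHLO reply, the function names and the plugin list passed to `usable` are constructed for illustration.

```python
import re

# Constructed EHLO reply for illustration; not captured from a real server.
SAMPLE_EHLO = (
    "250-myserver.com Hello [192.0.2.10]\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 8BITMIME\r\n"
)

def offered_mechanisms(ehlo_reply):
    """Return the AUTH mechanisms advertised in an EHLO reply, upper-cased, in order."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # Accept "250-AUTH a b" and the legacy "250-AUTH=a b" form.
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            for name in m.group(1).split():
                if name.upper() not in mechs:
                    mechs.append(name.upper())
    return mechs

def apply_filter(mechs, filter_spec):
    """Simplified model of smtp_sasl_mechanism_filter: first matching pattern wins."""
    patterns = [p for p in re.split(r"[,\s]+", filter_spec.strip()) if p]
    if not patterns:
        return list(mechs)  # an empty filter keeps everything
    kept = []
    for mech in mechs:
        for pat in patterns:
            negate = pat.startswith("!")
            name = pat.lstrip("!")
            # A static: table answers for every key, so it acts as a catch-all.
            if name.lower().startswith("static:") or name.upper() == mech:
                if not negate:
                    kept.append(mech)
                break
    return kept

def usable(ehlo_reply, filter_spec, client_plugins):
    """Mechanisms that pass the filter and that the local SASL library provides."""
    have = {p.upper() for p in client_plugins}
    passed = apply_filter(offered_mechanisms(ehlo_reply), filter_spec)
    return [m for m in passed if m in have]
```

An empty result from `usable` corresponds to the "offered no supported AUTH mechanisms" warning quoted in the comments: nothing the server advertises survives both the filter and the set of locally installed SASL plugins.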
1

It seems that they've broken their AUTH LOGIN implementation. I've been put in this unfortunate situation as well. Here's what I've found:

In the SMTP conversation, when Postfix tries to do the login auth:

250 OK
AUTH LOGIN
334 VXNlcm5hbWU6

There's a \0 (binary zero) at the end of the Username: string, which I suppose shouldn't be there. Anyway, by adding \0 (binary zero) to the end of the username and password before base64-encoding them and sending them to Exchange, I was able to log in successfully. However, I do not know how to tell Postfix to append \0 to the end of the login and password.

# printf 'username\0' | base64
abcdefg
# printf 'password\0' | base64
hijklmno

250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
abcdefg
334 UGFzc3dvcmQ6
hijklmno
235 2.7.0 Authentication successful.
Ben Pilbrow
Arne Rusek