2

I'm using postfix to relay mail to Exchange 2010. Here is my config:

relayhost = [smtp.exchange.2010]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_security_options =
#smtp_sasl_mechanism_filter = ntlm

(/etc/postfix/relay_passwd contains login information of some accounts on Exchange.) With this configuration I can relay email to Exchange. The problem is: the message sent from Postfix has the header:

X-MS-Exchange-Organization-AuthAs: Anonymous

and the message is treated like an unauthenticated message on the Exchange system (i.e. when sending to a distribution group that requires senders to be authenticated, I received the error: #550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822;group@exchange.2010). I am using Outlook with the same account as in Postfix and it can send without problem. The difference I noticed between the two cases is: Outlook sends with the NTLM auth mech, Postfix uses the LOGIN mech. Any idea?

Gk.
  • Maybe it's a bug. Try a trick here: http://social.technet.microsoft.com/forums/en-US/exchangesvradmin/thread/5dd4d463-f307-4f98-8a54-35884cc15d7e/ – Gk. Dec 30 '10 at 08:57

2 Answers

4

I have the same problem. And it causes problems if the email is sent to a group rather than to an individual. The Exchange server won't send to groups if the message is not AUTH'd. But if postfix has been set to authenticate by logging on, why is the email not AUTH'd? Clue: If you use telnet to send the mail, the email will be AUTH'd. The header that the email will have will be X-MS-Exchange-Organization-AuthAs: Internal (in my case). And the email will go to groups!

Here is what I have found (by setting the postfix peer logging level to 4): postfix sends the SMTP command Mail From: ...... AUTH=<>. Leave the AUTH=<> out and all is well. Put it in and Exchange says, .... Anonymous.

I am looking now to find out why postfix lies.

Ah. Found it. Line 1358 of smtp_proto.c in postfix v2.8. Hard coded. Well, now. That's most unfortunate. The code is quite correct from a security point of view, but not correct if you have control of who gets to this SMTP sending code in your postfix SMTP client.

/* postfix: smtp_proto.c */
#ifdef USE_SASL_AUTH
    /* SASL enabled and the server offered AUTH: append the dummy AUTH=<> parameter. */
    if (var_smtp_sasl_enable
        && (session->features & SMTP_FEATURE_AUTH))
        vstring_strcat(next_command, " AUTH=<>");
#endif

At this point I don't know what to do other than patch smtp_proto.c and build postfix from scratch. Yuck.

sebix
  • I "fixed" the issue zeroing out the string from /usr/lib/postfix/smtp with a hex editor. Ugly, but will do – ptor Apr 02 '12 at 16:15
1

Per AlexRobinson's answer, the problem lies with Postfix. This is fixed (by default) in Postfix 2.9 and later: http://www.postfix.org/postconf.5.html#smtp_send_dummy_mail_auth

[Incompat 20111106] To work around broken remote SMTP servers, the
Postfix SMTP client by default no longer appends the "AUTH=<>"
option to the MAIL FROM command.  Specify "smtp_send_dummy_mail_auth
= yes" to restore the old behavior.
lid
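
The behaviour found in the answers above, as an added example (not code from the original posts or from Postfix): a Python check that reads a client/server SMTP transcript and flags any MAIL FROM that carries the dummy AUTH=<> parameter after a successful AUTH. The `C:`/`S:` transcript format, the sample session and all host names are constructed for illustration.

```python
import re

# Constructed sample transcript ("C:" = client, "S:" = server), not a real capture.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO relay.example.test
S: 250 AUTH LOGIN NTLM
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlcg==
S: 334 UGFzc3dvcmQ6
C: cGFzcw==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<app@example.test> SIZE=512 AUTH=<>
S: 250 2.1.0 Sender OK
"""

MAIL_RE = re.compile(r"^MAIL FROM:\s*(<[^>]*>)(.*)$", re.IGNORECASE)

def xtext_decode(value):
    """Decode xtext (RFC 3461), the encoding of a non-empty AUTH= value."""
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def audit_session(transcript):
    """Return (sender, session_authenticated, verdict) for each MAIL FROM."""
    authenticated = auth_pending = False
    findings = []
    for raw in transcript.splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C" and text.upper().startswith("AUTH "):
            auth_pending = True            # SASL exchange started
        elif side == "S" and auth_pending and not text.startswith("334"):
            authenticated = text.startswith("235")   # 235 = success
            auth_pending = False
        elif side == "C" and (m := MAIL_RE.match(text)):
            params = {}
            for p in m.group(2).split():   # ESMTP parameters after the address
                key, _, val = p.partition("=")
                params[key.upper()] = val
            auth = params.get("AUTH")
            if auth is None:
                verdict = "no AUTH parameter"
            elif auth == "<>":
                verdict = ("dummy AUTH=<> sent after successful AUTH"
                           if authenticated else "AUTH=<> on unauthenticated session")
            else:
                verdict = "asserts identity " + xtext_decode(auth)
            findings.append((m.group(1), authenticated, verdict))
    return findings
```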