LinuxQuestions.org


viktor1985 06-12-2012 12:05 AM

Configure Postfix to relay to Exchange Server with NTLM authentication
 
Hello

I have a shell script which should send an email if any error occurs. This script is running on Red Hat Linux 4.6, and I want to configure Postfix so it can relay to an Exchange Server.

The authorization method of the Exchange server, I guess, is: 250-AUTH NTLM. So I have:

Server A ( Red Hat 4.6 10.150.200.60)
Server B ( Exchange Server 172.22.85.125 )

I would like you to help me with the necessary configuration in the Postfix files and, if needed, the configuration in Exchange Server. Also, how to use NTLM authentication, please.


This is what I have done already

- Postfix is already installed

Code:

root    10194    1  0 May23 ?        00:00:00 /usr/lib/postfix/master
postfix  10253 10194  0 May23 ?        00:00:01 qmgr -l -t fifo -u
postfix  21995 10194  0 17:08 ?        00:00:00 pickup -l -t fifo -u

- Successful test connection with telnet to Exchange Server.

Code:

sdis09cor:~ # telnet 172.22.85.125 25
Trying 172.22.85.125...
Connected to 172.22.85.125.
Escape character is '^]'.
220 MEXHUB09.movi.com.yy Microsoft ESMTP MAIL Service ready at Fri, 1 Jun 2012 14:12:45 -0500
ehlo
250-MEXHUB09.movi.com.yy Hello [10.150.200.60]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW

Appreciate your help

Thanks in advance !!

Regards

scheidel21 06-12-2012 01:13 AM

Is the email supposed to go to an end user at the domain this exchange server is for? If so there is no need for authentication.

If not do you have any admin control over this exchange server?

viktor1985 06-12-2012 01:21 AM

Quote:

Originally Posted by scheidel21 (Post 4701164)
Is the email supposed to go to an end user at the domain this exchange server is for? If so there is no need for authentication.

If not do you have any admin control over this exchange server?

- The email would go to any user, for example: user@gmail.com
- I don't have admin control of this Exchange server. (I'm on the developer/configuration side, on Linux.)
- The guys in charge of the Exchange server said we could use anonymous connections.
- I guess I have to add "relayhost = 172.22.85.125:25" in main.cf in Postfix?

thanks !

scheidel21 06-12-2012 02:47 AM

Yes, if it supports anonymous relay then that is all you have to do, add the relayhost and then restart postfix (you could reload, but I prefer restart)

viktor1985 06-12-2012 03:33 PM

Quote:

Originally Posted by scheidel21 (Post 4701220)
Yes, if it supports anonymous relay then that is all you have to do, add the relayhost and then restart postfix (you could reload, but I prefer restart)

Hi

Something went wrong with authentication:


Code:

Jun 12 12:14:17 ndsis01ven postfix/qmgr[21736]: 2B09720814E: from=<root@ndsis01ven.mydomaindummie>, size=424, nrcpt=1 (queue active)
Jun 12 12:14:22 ndsis01ven postfix/smtp[21750]: 2B09720814E: to=<me@gmail.com>, relay=172.22.85.125[172.22.85.125], delay=5, status=bounced (host 172.22.85.125[172.22.85.125] said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command))

How can I authenticate ?

Thanks for your time !

scheidel21 06-12-2012 09:22 PM

They obviously do not allow anonymous relay if you are receiving that error.

Try looking at the settings in this http://www.fritzmahnke.com/2010/12/2...change-server/ and this http://alasdaircs.wordpress.com/2009...e-server-2007/

viktor1985 06-12-2012 11:04 PM

Quote:

Originally Posted by scheidel21 (Post 4701878)
They obviously do not allow anonymous relay if you are receiving that error.

Try looking at the settings in this http://www.fritzmahnke.com/2010/12/2...change-server/ and this http://alasdaircs.wordpress.com/2009...e-server-2007/

Yes, you are so right. I was just told a few hours ago that they don't allow anonymous :doh:

Now I have been given a user and password to authenticate to exchange server.

I guess I have to add this user and pass in some configuration file of postfix ? maybe: "sasl_passwd" or something.

What about NTLM authentication, where do I configure that ?

Thank you !

scheidel21 06-13-2012 02:27 AM

The NTLM is just the backend it authenticates against, if the reading I've done is correct. Using the standard sasl2 authentication with the username and password they provided should let you relay. Just configure using the two links I provided as a guideline and see if it works or not. One thing you could do is test the username and password using the standard authentication process that Postfix would use as well.

Just telnet to the exchange server on port 25 and, after issuing an EHLO, try the AUTH LOGIN. See this http://www.dasblinkenlichten.com/?p=190 for instructions on testing the authentication via telnet.

---------- Post added 06-13-12 at 03:28 AM ----------

Don't forget you will likely need the cyrus ntlm package for the sasl2 authentication to work.

viktor1985 06-21-2012 01:27 AM

Quote:

Originally Posted by scheidel21 (Post 4702004)
The NTLM is just the backend it authenticates against, if the reading I've done is correct. Using the standard sasl2 authentication with the username and password they provided should let you relay. Just configure using the two links I provided as a guideline and see if it works or not. One thing you could do is test the username and password using the standard authentication process that Postfix would use as well.

Just telnet to the exchange server on port 25 and, after issuing an EHLO, try the AUTH LOGIN. See this http://www.dasblinkenlichten.com/?p=190 for instructions on testing the authentication via telnet.

---------- Post added 06-13-12 at 03:28 AM ----------

Don't forget you will likely need the cyrus ntlm package for the sasl2 authentication to work.

Thanks.

It has been hard to find the correct version of cyrus-sasl-ntlm. The Linux server (Suse) has cyrus-sasl 2.1.18 installed.
I could only find 2.1.19, 2.1.20 or higher and all these versions needed its corresponding version of cyrus-sasl.

Anyway, I have decided to compile a version of cyrus-sasl which includes the lib I need (libntlm). I'll wait for my support engineer on site (I work remotely and send the scripts/configuration to him) to do the task (compile cyrus-sasl) and run some more tests.

Just to see what happens, we ran a test sending an email with mailx, and this is what appears in the log.

Code:

SASL authentication failure: No worthy mechs found

I think sasl cannot find the library (libntlm) in /usr/lib/sasl2/

I hope that when the installation of cyrus-sasl is finished, it finally works :)

Thanks.

viktor1985 06-25-2012 03:15 AM

Quote:

Originally Posted by viktor1985 (Post 4708268)
Thanks.

It has been hard to find the correct version of cyrus-sasl-ntlm. The Linux server (Suse) has cyrus-sasl 2.1.18 installed.
I could only find 2.1.19, 2.1.20 or higher and all these versions needed its corresponding version of cyrus-sasl.

Anyway, I have decided to compile a version of cyrus-sasl which includes the lib I need (libntlm). I'll wait for my support engineer on site (I work remotely and send the scripts/configuration to him) to do the task (compile cyrus-sasl) and run some more tests.

Just to see what happens, we ran a test sending an email with mailx, and this is what appears in the log.

Code:

SASL authentication failure: No worthy mechs found

I think sasl cannot find the library (libntlm) in /usr/lib/sasl2/

I hope that when the installation of cyrus-sasl is finished, it finally works :)

Thanks.


This is the configuration I have:

Postfix 2.1.1 as client.

Cyrus-SASL installed (without NTLM plugin):

Code:

linux:/usr/local/sbin # rpm -q cyrus-sasl
cyrus-sasl-2.1.18-33.1

In main.cf

relayhost=172.168.240.129
smtp_sasl_security_options=
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

cat /etc/postfix/sasl_passwd

172.168.240.129 myuser:mypass


As this version of cyrus-sasl (2.1.18) did not have the cyrus-sasl-ntlm plugin, I had to download cyrus-sasl-2.1.25 and compile it with the --enable-ntlm option.

So I got the ntlm plugin installed in /usr/local/lib/sasl2/

Code:

-rwxr-xr-x  1 root root  89921 Jun 24 22:55 libntlm.so.2.0.25
lrwxrwxrwx  1 root root    17 Jun 24 22:55 libntlm.so.2 -> libntlm.so.2.0.25
lrwxrwxrwx  1 root root    17 Jun 24 22:55 libntlm.so -> libntlm.so.2.0.25

But in testing, this error shows in maillog:

warning: SASL authentication failure: No worthy mechs found
send attr reason = delivery via 172.168.240.129[172.168.240.129]: Authentication failed: cannot SASL authenticate to server 172.168.240.129[172.168.240.129]: no mechanism available


Any ideas, suggestions to this would be very appreciated. (I've been dealing with this issue many days)


Thanks in advance !!

Victor
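
The "No worthy mechs found" failure above happens when none of the mechanisms the server offers has a matching SASL plugin on the client. The following check is an added example, not part of the original thread: it compares the AUTH line of an EHLO reply with the plugin files in a directory. The function names are hypothetical, and the mapping from plugin file names to mechanism names assumes stock Cyrus SASL naming.

```shell
#!/bin/sh
# Added example, not from the thread. Explains "No worthy mechs found" by
# intersecting the server's AUTH offer with the installed SASL plugins.

# Constructed sample: EHLO reply lines as quoted earlier in the thread.
EHLO_SAMPLE='250-MEXHUB09.movi.com.yy Hello [10.150.200.60]
250-STARTTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250 XSHADOW'

# Print the mechanisms from the AUTH line(s) of an EHLO reply on stdin.
# Accepts "250-AUTH ...", "250 AUTH ..." and the legacy "AUTH=..." form.
# X-EXPS is a separate Exchange keyword and is deliberately ignored.
offered_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | tr 'a-z' 'A-Z' | sed '/^$/d' | sort -u
}

# Map plugin files in a Cyrus SASL plugin directory to mechanism names.
# Assumption: stock plugin file names; only common ones are mapped.
installed_mechs() {
    for f in "$1"/lib*.so; do
        [ -e "$f" ] || continue
        case "$(basename "$f" .so)" in
            libntlm)      echo NTLM ;;
            libplain)     echo PLAIN ;;
            liblogin)     echo LOGIN ;;
            libcrammd5)   echo CRAM-MD5 ;;
            libdigestmd5) echo DIGEST-MD5 ;;
            libgssapiv2)  echo GSSAPI ;;
        esac
    done | sort -u
}

# $1 = EHLO transcript, $2 = plugin directory. Empty output means the
# client has no mechanism in common with the server.
usable_mechs() {
    have=$(installed_mechs "$2")
    printf '%s\n' "$1" | offered_mechs | while read -r m; do
        if printf '%s\n' "$have" | grep -Fxq -- "$m"; then echo "$m"; fi
    done
}

# Stand-alone run: check the sample offer against a plugin directory.
usable_mechs "$EHLO_SAMPLE" "${1:-/usr/lib/sasl2}"
```

Pass the plugin directory Postfix actually loads from as the first argument; an empty result for a server that offers only NTLM corresponds to the "no mechanism available" log line.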

scheidel21 06-25-2012 07:54 PM

You might need to add this postfix option

smtp_sasl_mechanism_filter = login

scheidel21 06-25-2012 07:59 PM

You might also need to copy or symlink the libntlm files into /usr/lib

viktor1985 06-26-2012 06:09 PM

Quote:

Originally Posted by scheidel21 (Post 4711813)
You might also need to copy or symlink the libntlm files into /usr/lib

Hi:

I finally got it. Here are the steps:

Postfix 2.1.1
Cyrus 2.1.25



1. install libtool2.4
Code:

./configure
make
make install

2. install openssl-1.0.1c
Code:

./config shared
make
make test
make install

3.
Code:

echo /usr/local/ssl/lib > /etc/ld.so.conf.d/openssl.conf
ldconfig

echo /usr/local/lib/sasl2 >> /etc/ld.so.conf
ldconfig

4.

Code:

gzip -d cyrus-sasl-2.1.25.tar.gz
tar xvf cyrus-sasl-2.1.25.tar
cd cyrus-sasl-2.1.25

export CPPFLAGS=-I/usr/local/ssl/include
export LDFLAGS=-L/usr/local/ssl/lib 

./configure --with-plugindir=/usr/local/lib/sasl2 --with-saslauthd=/var/run/saslauthd --disable-gssapi --disable-cram --disable-anon --disable-otp --disable-krb4 --disable-digest --disable-scram --enable-plain --enable-login --enable-ntlm
make
make install

5.

Code:

cp /usr/local/lib/sasl2/libntlm.la /usr/lib/sasl2/
cp /usr/local/lib/sasl2/libntlm.so.2.0.25 /usr/lib/sasl2/

cd /usr/lib/sasl2/

ln -s libntlm.so.2.0.25 libntlm.so
ln -s libntlm.so.2.0.25 libntlm.so.2


Thanks for your suggestions.

Victor

scheidel21 06-28-2012 08:17 PM

Awesome glad you finally got it configured and working.


All times are GMT -5.