Old 06-12-2012, 12:05 AM   #1
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Rep: Reputation: Disabled
Configure Postfix to relay to Exchange Server with NTLM authentication


Hello

I have a shell script that should send an email if any error occurs. The script runs on Red Hat Linux 4.6, and I want to configure Postfix so it can relay to an Exchange Server.

The authorization method of the Exchange server is, I guess: 250-AUTH NTLM. So I have:

Server A ( Red Hat 4.6 10.150.200.60)
Server B ( Exchange Server 172.22.85.125 )

I would like you to help me with the necessary configuration in the Postfix files and, if needed, the configuration on the Exchange Server. Also, how to use NTLM authentication, please.


This is what I have done already

- Postfix is already installed

Code:
root     10194     1  0 May23 ?        00:00:00 /usr/lib/postfix/master
postfix  10253 10194  0 May23 ?        00:00:01 qmgr -l -t fifo -u
postfix  21995 10194  0 17:08 ?        00:00:00 pickup -l -t fifo -u

- Successful test connection with telnet to Exchange Server.

Code:
sdis09cor:~ # telnet 172.22.85.125 25
Trying 172.22.85.125...
Connected to 172.22.85.125.
Escape character is '^]'.
220 MEXHUB09.movi.com.yy Microsoft ESMTP MAIL Service ready at Fri, 1 Jun 2012 14:12:45 -0500
ehlo
250-MEXHUB09.movi.com.yy Hello [10.150.200.60]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW

Appreciate your help

Thanks in advance !!

Regards
 
Old 06-12-2012, 01:13 AM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
Is the email supposed to go to an end user at the domain this exchange server is for? If so there is no need for authentication.

If not do you have any admin control over this exchange server?
 
Old 06-12-2012, 01:21 AM   #3
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by scheidel21 View Post
Is the email supposed to go to an end user at the domain this exchange server is for? If so there is no need for authentication.

If not do you have any admin control over this exchange server?

- The email would go to any user, for example: user@gmail.com
- I don't have admin control over this Exchange server. (I'm on the developer/configuration side, on the Linux side.)
- The guys in charge of the Exchange server said we could use anonymous connections.
- I guess I have to add "relayhost = 172.22.85.125:25" in main.cf in Postfix?

thanks !
 
Old 06-12-2012, 02:47 AM   #4
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
Yes, if it supports anonymous relay then that is all you have to do, add the relayhost and then restart postfix (you could reload, but I prefer restart)
 
Old 06-12-2012, 03:33 PM   #5
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by scheidel21 View Post
Yes, if it supports anonymous relay then that is all you have to do, add the relayhost and then restart postfix (you could reload, but I prefer restart)
Hi

Something went wrong with authentication:


Code:
Jun 12 12:14:17 ndsis01ven postfix/qmgr[21736]: 2B09720814E: from=<root@ndsis01ven.mydomaindummie>, size=424, nrcpt=1 (queue active)
Jun 12 12:14:22 ndsis01ven postfix/smtp[21750]: 2B09720814E: to=<me@gmail.com>, relay=172.22.85.125[172.22.85.125], delay=5, status=bounced (host 172.22.85.125[172.22.85.125] said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command))

How can I authenticate?

Thanks for your time !
 
Old 06-12-2012, 09:22 PM   #6
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
They obviously do not allow anonymous relay if you are receiving that error.

Try looking at the settings in this http://www.fritzmahnke.com/2010/12/2...change-server/ and this http://alasdaircs.wordpress.com/2009...e-server-2007/
 
1 members found this post helpful.
Old 06-12-2012, 11:04 PM   #7
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scheidel21 View Post
They obviously do not allow anonymous relay if you are receiving that error.

Try looking at the settings in this http://www.fritzmahnke.com/2010/12/2...change-server/ and this http://alasdaircs.wordpress.com/2009...e-server-2007/

Yes, you are so right. I was just told a few hours ago that they don't allow anonymous.

Now I have been given a user and password to authenticate to exchange server.

I guess I have to add this user and pass in some configuration file of postfix ? maybe: "sasl_passwd" or something.

What about NTLM authentication, where do I configure that ?

Thank you !
 
Old 06-13-2012, 02:27 AM   #8
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
The NTLM is just the backend it authenticates against, if the reading I've done is correct. Using the standard sasl2 authentication with the username and password they provided should let you relay. Just configure using the two links I provided as a guideline and see if it works or not. One thing you could do is test the username and password using the standard authentication process that Postfix would use as well.

Just telnet to the exchange server on port 25 and after issuing an EHLO try the AUTH LOGIN. See this http://www.dasblinkenlichten.com/?p=190 for instructions on testing the authentication via telnet.

---------- Post added 06-13-12 at 03:28 AM ----------

Don't forget you will likely need the cyrus ntlm package for the sasl2 authentication to work.
 
1 members found this post helpful.
Old 06-21-2012, 01:27 AM   #9
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by scheidel21 View Post
The NTLM is just the backend it authenticates against, if the reading I've done is correct. Using the standard sasl2 authentication with the username and password they provided should let you relay. Just configure using the two links I provided as a guideline and see if it works or not. One thing you could do is test the username and password using the standard authentication process that Postfix would use as well.

Just telnet to the exchange server on port 25 and after issuing an EHLO try the AUTH LOGIN. See this http://www.dasblinkenlichten.com/?p=190 for instructions on testing the authentication via telnet.

---------- Post added 06-13-12 at 03:28 AM ----------

Don't forget you will likely need the cyrus ntlm package for the sasl2 authentication to work.
Thanks.

It has been hard to find the correct version of cyrus-sasl-ntlm. The Linux server (Suse) has cyrus-sasl 2.1.18 installed.
I could only find 2.1.19, 2.1.20 or higher, and all these versions needed their corresponding version of cyrus-sasl.

Anyway, I have decided to compile a version of cyrus-sasl which includes the lib I need (libntlm). I'll wait for my support engineer on site (I work remotely and send the scripts/configuration to him) to do the task (compile cyrus-sasl) and run some more tests.

Just to see what happens, we ran a test sending an email with mailx, and this is what appears in the log.

Code:
SASL authentication failure: No worthy mechs found

I think sasl cannot find the library (libntlm) in /usr/lib/sasl2/

I hope that when the installation of cyrus-sasl is finished, it finally works.

Thanks.
 
Old 06-25-2012, 03:15 AM   #10
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled

This is the configuration I have:

Postfix 2.1.1 as client.

Cyrus-SASL installed (without NTLM plugin):

Code:
linux:/usr/local/sbin # rpm -q cyrus-sasl
cyrus-sasl-2.1.18-33.1

In main.cf:

Code:
relayhost=172.168.240.129
smtp_sasl_security_options=
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

cat /etc/postfix/sasl_passwd

Code:
172.168.240.129 myuser:mypass


As this version of cyrus-sasl 2.1.18 did not have the cyrus-sasl-ntlm plugin, I had to download cyrus-sasl-2.1.25 and compile it with the --enable-ntlm option.

So I got the ntlm plugin installed in /usr/local/lib/sasl2/

Code:
-rwxr-xr-x  1 root root  89921 Jun 24 22:55 libntlm.so.2.0.25
lrwxrwxrwx  1 root root     17 Jun 24 22:55 libntlm.so.2 -> libntlm.so.2.0.25
lrwxrwxrwx  1 root root     17 Jun 24 22:55 libntlm.so -> libntlm.so.2.0.25

But in testing, this error shows in maillog:

Code:
warning: SASL authentication failure: No worthy mechs found
send attr reason = delivery via 172.168.240.129[172.168.240.129]: Authentication failed: cannot SASL authenticate to server 172.168.240.129[172.168.240.129]: no mechanism available


Any ideas, suggestions to this would be very appreciated. (I've been dealing with this issue many days)


Thanks in advance !!

Victor
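
The sasl_passwd file shown in the post above keeps the relay account's password in cleartext, and a hash: map is read from the compiled .db that postmap produces, not from the text file. The following is an added example (not from the thread) that checks both points without changing anything; the function names are hypothetical and the demo runs on constructed temp files.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks on the credential map
# named by smtp_sasl_password_maps. The demo uses constructed temp files.

# Value of main.cf parameter $2 in file $1 (the last assignment wins).
maincf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeeds if file $1 has any group or other permission bit set.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# Prints one finding per line; returns 1 if there was any finding. $1 = main.cf
audit_sasl_passwd() {
    rc=0
    map=$(maincf_get "$1" smtp_sasl_password_maps)
    case $map in
        hash:*) src=${map#hash:} ;;
        *) echo "smtp_sasl_password_maps is not a hash: map"; return 1 ;;
    esac
    [ -f "$src" ] || { echo "$src: missing"; return 1; }
    for f in "$src" "$src.db"; do
        # Both files hold the relay password in recoverable form.
        if [ -f "$f" ] && loose_perms "$f"; then
            echo "$f: accessible to group or others"; rc=1
        fi
    done
    # Postfix looks up the compiled .db, so it must exist and be current.
    if [ ! -f "$src.db" ]; then
        echo "$src.db: missing, postmap has not been run"; rc=1
    elif [ "$src" -nt "$src.db" ]; then
        echo "$src.db: older than its source, re-run postmap"; rc=1
    fi
    return $rc
}

demo() {
    t=$(mktemp -d) || return 1
    printf 'smtp_sasl_password_maps=hash:%s\n' "$t/sasl_passwd" > "$t/main.cf"
    echo '172.168.240.129 myuser:mypass' > "$t/sasl_passwd"   # constructed
    chmod 644 "$t/sasl_passwd"
    audit_sasl_passwd "$t/main.cf"      # reports loose mode and missing .db
    rm -rf "$t"
}
demo || true
```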
 
Old 06-25-2012, 07:54 PM   #11
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
You might need to add this postfix option

smtp_sasl_mechanism_filter = login
 
Old 06-25-2012, 07:59 PM   #12
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
You might also need to copy or symlink the libntlm files into /usr/lib
 
Old 06-26-2012, 06:09 PM   #13
viktor1985
LQ Newbie
 
Registered: Jun 2012
Location: Mexico
Distribution: Fedora , Red Hat 4.6
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by scheidel21 View Post
You might also need to copy or symlink the libntlm files into /usr/lib

Hi:

I finally got it. Here are the steps:

Postfix 2.1.1
Cyrus 2.1.25

1. Install libtool2.4

Code:
./configure
make
make install

2. Install openssl-1.0.1c

Code:
./config shared
make
make test
make install

3.

Code:
echo /usr/local/ssl/lib > /etc/ld.so.conf.d/openssl.conf
ldconfig

echo /usr/local/lib/sasl2 >> /etc/ld.so.conf
ldconfig

4.

Code:
gzip -d cyrus-sasl-2.1.25.tar.gz
tar -xvf cyrus-sasl-2.1.25.tar
cd cyrus-sasl-2.1.25

export CPPFLAGS=-I/usr/local/ssl/include
export LDFLAGS=-L/usr/local/ssl/lib

./configure --with-plugindir=/usr/local/lib/sasl2 --with-saslauthd=/var/run/saslauthd --disable-gssapi --disable-cram --disable-anon --disable-otp --disable-krb4 --disable-digest --disable-scram --enable-plain --enable-login --enable-ntlm
make
make install

5.

Code:
cp /usr/local/lib/sasl2/libntlm.la /usr/lib/sasl2/
cp /usr/local/lib/sasl2/libntlm.so.2.0.25 /usr/lib/sasl2/

cd /usr/lib/sasl2/

ln -s libntlm.so.2.0.25 libntlm.so
ln -s libntlm.so.2.0.25 libntlm.so.2

Thanks for your suggestions.

Victor
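
"No worthy mechs found" is what the SASL client reports when the mechanisms the server advertises and the mechanisms its own plugin directory can supply have nothing in common, which is the state step 5 above changes. The following is an added example (not from the thread) that computes that intersection from an EHLO reply and a plugin directory; it assumes mechanism names can be read off plugin file names, and the plugin directory in the demo is constructed from empty files.

```shell
#!/bin/sh
# Added example, not from the thread. Mechanism names are inferred from plugin
# file names (lib<mech>.so*); that holds for ntlm/login/plain, not every plugin.

# Mechanisms offered on the "250-AUTH ..." line of an EHLO reply read from stdin.
server_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | tr ' ' '\n' |
        tr 'a-z' 'A-Z' | sed '/^$/d' | sort -u
}

# Mechanisms whose plugin file is present in the directory given as $1.
plugin_mechs() {
    for f in "$1"/lib*.so*; do
        [ -e "$f" ] || continue          # skips unmatched globs and dangling links
        b=${f##*/}; b=${b#lib}; b=${b%%.so*}
        printf '%s\n' "$b"
    done | tr 'a-z' 'A-Z' | sort -u
}

# Intersection: what the client can actually negotiate. $1 = EHLO file, $2 = dir.
usable_mechs() {
    offered=$(server_mechs < "$1")
    for m in $(plugin_mechs "$2"); do
        printf '%s\n' "$offered" | grep -Fqx -- "$m" && printf '%s\n' "$m"
    done
    return 0
}

# Constructed demo: EHLO lines copied from the first post, plugin directory
# faked with empty files under a temp directory.
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\r\n' '250-MEXHUB09.movi.com.yy Hello [10.150.200.60]' \
        '250-STARTTLS' '250-AUTH NTLM' '250-X-EXPS GSSAPI NTLM' '250 XSHADOW' > "$t/ehlo"
    mkdir "$t/sasl2"
    touch "$t/sasl2/liblogin.so.2" "$t/sasl2/libplain.so.2"
    echo "before: [$(usable_mechs "$t/ehlo" "$t/sasl2")]"   # nothing in common
    touch "$t/sasl2/libntlm.so.2.0.25"                      # effect of step 5
    echo "after:  [$(usable_mechs "$t/ehlo" "$t/sasl2")]"
    rm -rf "$t"
}
demo
```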
 
Old 06-28-2012, 08:17 PM   #14
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Rep: Reputation: 100Reputation: 100
Awesome, glad you finally got it configured and working.
 
  

