[SOLVED] How to set up sendmail to use Exchange server with auth NTLM as smart relay?

lrtward · 03-07-2011, 11:49 AM

I have a CentOS 5 box that is a web server. When it generates emails, all emails should go out through our Exchange mail server.

I believe our Exchange server requires NTLM authentication:

Code:

# telnet exchangeserv 25
Trying 10.102.14.27...
Connected to exchangeserv.domain.edu (10.102.14.27).
Escape character is '^]'.
220 ExchangeServ.domain.edu Microsoft ESMTP MAIL Service ready at Mon, 7 Mar 2011 11:49:31 -0500
ehlo webserv.domain.edu
250-ExchangeServ.domain.edu Hello [10.102.15.191]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW

I set up my /etc/mail/access file as follows:

Code:

Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY

AuthInfo:ExchangeServ.domain.edu "U:smmsp" "I:domain\first.last" "P:password" "M:NTLM"

Then I ran

Code:

# makemap hash /etc/mail/access.db < /etc/mail/access

Then I restarted sendmail.

I am not getting authenticated though.

The message gets accepted for delivery by localhost but then when it hands the message off to the Exchange server smart relay, I see this in /var/log/maillog:

Code:

Mar  7 12:44:15 webserv sendmail[10129]: STARTTLS=client, relay=exchangeserv.domain.edu., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Mar  7 12:44:15 webserv sendmail[10129]: AUTH=client, relay=exchangeserv.domain.edu [10.102.14.27], authinfo failed

My Exchange folks told me that the userid should be in the form "domain\first.last" just like I log into our Active Directory domain. I can't find any information on how to test that I've got the correct userid format though. I've spent quite a lot of time doing searches and reading.

lrtward · 04-21-2011, 11:14 AM

Well, as it turns out my Exchange folks were wrong.
Our Exchange server did NOT require authentication, they just needed to set up their server so that my IP was allowed to relay through.

Figured I'd post the solution in case any other poor soul stumbled upon this as a result of a search.

viktor1985 · 06-05-2012, 07:27 PM

Quote:

Originally Posted by lrtward

Well, as it turns out my Exchange folks were wrong.
Our Exchange server did NOT require authentication, they just needed to set up their server so that my IP was allowed to relay through.

Figured I'd post the solution in case any other poor soul stumbled upon this as a result of a search.

Hello

Could you please be more explicit how was your solution.

I have a red hat 4.6 server, running a perl , that in case of failure sends an email through a exchange server (this supports NTLM authentication). How Can I implement this authentication ?

echo "something" | mailx -s "subject" personal@mail.com

mailx: invalid option -- S
Usage: mailx [-BFintv~] [-s subject] [-a attachment] [-c cc-addr] [-b bcc-addr] [-r from-addr] [-h hops] [-R reply-addr] to-addr ...
[- sendmail-options ...]
mailx [-BeHiInNv~] [-T name] -f [name]
mailx [-BeinNv~] [-u user]

But no mail is sent. The guys in charge of email server says that it accepts anonymus connections.

Code:

ndsis01ven:~ # telnet 172.22.95.125 25
Trying 172.22.95.125...
Connected to 172.22.95.125.
Escape character is '^]'.
220 WEXHUB.telcel.com.co Microsoft ESMTP MAIL Service ready at Fri, 1 Jun 2012 14:12:45 -0500
ehlo
250-WEXHUB.telcel.com.co Hello [10.159.229.60]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW

Any clue would be very very appreciated.

Thanks in advance.

lrtward · 06-21-2012, 09:44 AM

What shows up in your /var/log/maillog when you try to send the email?

viktor1985 · 06-21-2012, 11:41 AM

Quote:

Originally Posted by lrtward

What shows up in your /var/log/maillog when you try to send the email?

Hello

Code:

Jun 19 11:08:51 ndsis01ven postfix/smtp[13137]: warning: SASL authentication failure: No worthy mechs found
Jun 19 11:08:51 ndsis01ven postfix/smtp[13137]: 57486208160: to=<someone@something.com>, relay=170.20.80.120[170.20.80.120], delay=330121, status=deferred (Authentication failed: cannot SASL authenticate to server 170.20.80.120[170.20.80.120]: no mechanism available)

The guys of Exchange Server had told me a few days ago, they don't allow anonymous connection and gave me a user and password.

I have already rebuild the new sasl_passwd (sasl_passwd.db) file with the user and pass.

What Am I missing ?

Thanks in advance.