I have a postfix mail server that should relay all outgoing mail to an Exchange 2010 server (the Exchange box is my smarthost). I have administrator access to the Exchange 2010 system, but I'm not very familiar with it. How should I set up authentication on the Exchange 2010 system?

I guess I could add a standard user with a mailbox on the Exchange box, then configure my postfix box to log in to port 587 to relay mail. That option doesn't feel right -- it seems like there should be way to do server to server authentication, not just client to server authentication. Is there? If so, how would I set it up?

Edit:

  • the postfix mail server is at a remote site with a dynamic IP address, so authenticating by IP address won't work
  • I would like the email traffic between the two to be encrypted
  • I would like mutual authentication (the Postfix box knows it's talking to the Exchange box and not a man in the middle; Exchange knows that it is talking to the Postfix box)
  • setting up an IPsec tunnel seems overly complicated for what should be a trivial Exchange configuration
  • Exchange must allow the Postfix box to send messages to any destination
  • the messages submitted by the Postfix box must not be rejected as spam even if they look like spam
Richard Hansen
  • I see your edits. You can turn on encryption... SSL or TLS. You didn't initially say that the server was offsite. Ideally, you have an IP range you can limit to. If not, use authentication. The menus in my answer are the same, without the IP and Anonymous relay portions. – ewwhite Sep 10 '12 at 20:45
  • @ewwhite: Apologies for forgetting to mention that the server was off-site. If I choose 'Basic Authentication', what do I use as the username and password? What 'Permission Groups' should I use? Can I somehow extend the existing client receive connector so that I can still use the standard message submission port (587)? – Richard Hansen Sep 10 '12 at 21:17

2 Answers

I usually don't have my Linux and internal servers authenticate to the Exchange server if they're on the same network. Same for other devices that may need to relay (copiers, monitoring systems, etc.). I still may need the smarthost functionality, though.

The approach I take to enable a dumb server/device-to-server relay like what you're looking for is to enable the smarthost on the Postfix or Sendmail system. It seems as though you know that part. For Sendmail, it's a matter of uncommenting the "dnl" line related to the SMARTHOST entry in /etc/mail/sendmail.mc, and defining an address. For Postfix, it's defining relayhost in /etc/postfix/main.cf. (restart both daemons after the change)

On the Exchange 2010 side, you need to create a new Receive Connector:

Exchange System Manager -> Server Configuration -> Hub Transport -> Receive Connector

Add a new one by right-clicking the frame and selecting "New Receive Connector".

Name it something descriptive, like the FQDN of the Linux server you wish to send from (e.g. postfix.abc.com).

Specify the address/mask of the relaying server; 172.16.2.30/32 in this example.

Continue through the prompts and add the receive connector.

Open the Exchange Management Shell command line window.

You'll want to grant your new receive connector Anonymous privileges.

Execute:

Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

...where "RelayConnector" is postfix.abc.com in my example.

Immediately select the newly-created entry in the Management GUI and select "Properties".

In the "Authentication" tab, deselect all entries. In the "Permission Groups" tab, ensure "Anonymous users" is checked. That's all!

ewwhite
  • what happens if we don't add the ADPermission and just do it from the console? – fmysky Sep 09 '12 at 22:46
  • @fmysky It won't work the way you'd want. It's a matter of treating the relaying source as [trusted versus untrusted](http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html). Try it and see. – ewwhite Sep 09 '12 at 22:49
  • just the matter of granular permissions to be set. Thanks for the link. – fmysky Sep 09 '12 at 23:04
  • Thanks for the answer. Unfortunately, the Postfix box has a dynamic IP address (see updated question), so authenticating by IP address won't work for me. Is there a way to authenticate by username and password instead? – Richard Hansen Sep 10 '12 at 20:43
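The same receive-connector setup as an Exchange Management Shell script, with a verification step; this is an added example, not code from the answer above. It assumes a hub transport server named HUB01, the Postfix box at 172.16.2.30 and the connector name postfix.abc.com from the answer.

```powershell
# Added example: scripted version of the GUI steps in the answer.
# Assumed values: HUB01 (hub transport server), 172.16.2.30 (Postfix box),
# postfix.abc.com (connector name, the FQDN suggested in the answer).
$Server    = "HUB01"
$Name      = "postfix.abc.com"
$PostfixIP = "172.16.2.30"   # scope the connector to this one host (/32)

# 1. Create the connector. AuthMechanism None plus the AnonymousUsers
#    permission group mirrors the "Authentication" / "Permission Groups"
#    tab settings described in the answer.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $PostfixIP `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# 2. Grant the relay right. AnonymousUsers alone only allows delivery to
#    local recipients; Accept-Any-Recipient is what makes it a relay.
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Verify. The anonymous relay right should exist on this connector and
#    on no other, and RemoteIPRanges must still be the single address;
#    widening it later would turn the server into an open relay.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, RemoteIPRanges, AuthMechanism, PermissionGroups |
    Format-Table -AutoSize

Get-ReceiveConnector -Server $Server | ForEach-Object {
    $ace = Get-ADPermission -Identity $_.Identity |
        Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" -and
                       $_.User -like "*ANONYMOUS LOGON*" }
    if ($ace) { "Anonymous relay allowed on connector: $($_.Name)" }
}
```

For the off-site, dynamic-IP case raised in the comments, the same New-ReceiveConnector call would instead use an authenticated mechanism (for example -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS with -PermissionGroups ExchangeUsers) and skip step 2, since the Exchange users group already carries the relay right.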
I believe there are 2 components to the solution:

You can control email relay in exchange by IP, by permission, by using IPSec or mTLS. For an internal unix postfix box, the easiest would be to restrict by IP. You need to create a Send Connector and limit the IP-scope, as detailed in the guide above.

You may need to look up specific smarthost forwarding guides for postfix.

Configuring Server-Server Authentication between postfix and exchange: Exchange 2010 uses mTLS for externally secured mail relay. Here's a guide on how to set this up from the Exchange end. http://technet.microsoft.com/en-us/library/bb123543.aspx

Postfix also supports TLS authentication, but I am not sure how to configure the postfix side of the solution. http://www.postfix.org/TLS_README.html