
First I successfully configured a working Postfix configuration to use the SendGrid SMTP to send mails.

Now I have modified the configuration to use the Exchange 2013 SMTP server to send mail.

I have looked through many forums and I can't find what is not working. Every time I try to send a mail I get this in the mail.log: SASL Authentication failed; server XXX.XXX.XXX.XXX[XXX.XXX.XXX.XXX] said: 535 5.7.3 Authentication unsuccessful

Here is the main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first 
# line of that file to be used as the name. The Debian default 
# is /etc/mailname. 
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) 
biff = no

# appending .domain is the MUA's job. 
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem 
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key 
smtpd_use_tls=yes 
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for 
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination 
myhostname = MYNAME 
alias_maps = hash:/etc/aliases 
alias_database = hash:/etc/aliases 
mydestination = MYNAME, localhost.localdomain, localhost 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 51200000 
recipient_delimiter = + 
inet_interfaces = loopback-only 
default_transport = smtp 
relay_transport = smtp 
inet_protocols = ipv4 
myorigin = /etc/mailname 
# enable SASL authentication

smtp_sasl_auth_enable = yes 
smtp_sasl_password_maps = static:Domain\email@domain.fr:password 
smtp_sasl_security_options = noanonymous 
smtp_tls_security_level = encrypt 
header_size_limit = 4096000 
relayhost = XXX.XXX.XXX.XXX:587 
#smtp_tls_security_level=none

1 Answer

Your configuration:

smtp_sasl_password_maps = static:Domain\email@domain.fr:password

is wrong.

The documentation is: http://www.postfix.org/postconf.5.html#smtp_sasl_password_maps

smtp_sasl_password_maps (default: empty)

Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next-hop domain. Per-sender lookup is done only when sender-dependent authentication is enabled. If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.

The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

To find out about lookup tables, take a look at the Postfix documentation on tables.

So you will probably need to create a file with your Exchange server credentials, postmap it to build the hash database and point the smtp_sasl_password_maps directive to that file.

  • create a file /etc/postfix/sasl_password with this content (modify the obvious bits):

[your.exchange.server]:587 username@domain.tld:password

The [] indicate you do not want to perform mx lookups on the host, and 587 is the submission port. Modify to meet your requirements.

This file contains credentials; protect it. At the very least it should not be world-readable. Ideally only root should read/write it.

  • postmap the sasl_password file:

    # postmap hash:/etc/postfix/sasl_password [enter]
    

    This will create a hash db file /etc/postfix/sasl_password.db which postfix will use.

Modify your main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

Restart the Postfix service (depends on your OS; if you do not know how to do that, reboot the server). Test to see if it works.

natxo asenjo
  • OK, to sum up, I tried what you said: I created a file sasl_password and wrote in it: [XXX.XXX.XXX.XXX]:587 Domain\email@password – Pierre Bressand Jul 18 '16 at 12:15
  • Then ran the command to populate the DB: postmap hash:/etc/postfix/sasl_password – Pierre Bressand Jul 18 '16 at 12:19
  • And modified the main.cf, replacing: smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd. But I still get the same error – Pierre Bressand Jul 18 '16 at 12:20
  • Are you sure it's "@" between the email and password, not ":"? And it's [] around the IP of the server? – Pierre Bressand Jul 18 '16 at 12:21
  • No, if you enter a Windows domain user like domain\user, then do not enter it like domain\email. Plus the separator between the user and the password field is ':', like I already pointed out in my answer, and it is specified in the documentation link I posted – natxo asenjo Jul 18 '16 at 13:27
  • OK, I use the separator ':' now. To connect to my webclient for Exchange at https://serv-exch-2k13.domain.fr/owa/, I used the following user/password: Domain\firstname.lastname@domain.fr/password. So it is not the same for Postfix? It's more like: Domain\firstname.lastname/password? Sorry if it is a stupid question, I am trying to understand – Pierre Bressand Jul 18 '16 at 13:53
  • Exchange is obviously not liking the user syntax you use now. Try using the UPN instead of domain\user – natxo asenjo Jul 18 '16 at 14:21
  • Now it is working, thanks ;) I used the following syntax in Postfix for Exchange: if your address is like firstname.lastname@domain.com, in the sasl_passwd file set: XXX.XXX.XXX.XXX:587 firstname.lastname:password – Pierre Bressand Jul 26 '16 at 10:10
  • Then I got the following error: "Client does not have permissions to send as this sender". To solve this I followed the top answer of this post: http://serverfault.com/questions/147921/forcing-the-from-address-when-postfix-relays-over-smtp. I hope it will help anyone :) – Pierre Bressand Jul 26 '16 at 10:15
  • By the way, only the static: works for me, not the hash:, even if I postmap the sasl_passwd file. I don't know why. Thanks for the help natxo! – Pierre Bressand Jul 26 '16 at 10:19
  • nice! glad to have helped. – natxo asenjo Jul 26 '16 at 10:51
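
Added example, not part of the original thread and not Postfix's own code: a small Python lint for the failure points that come up above (table path in main.cf not matching the file that was postmapped, loose file mode, "@" instead of ":" between user and password, map key not written like relayhost, missing .db). The function names, the 192.0.2.10 address and the credentials are constructed, and the lint assumes the entry is looked up by the relayhost string only, with no sender-dependent authentication.

```python
import os
import tempfile

def parse_main_cf(text):
    """Collect 'name = value' settings from main.cf text (last one wins)."""
    settings = (l.split("=", 1) for l in text.splitlines()
                if "=" in l and not l.startswith(("#", " ", "\t")))
    return {name.strip(): value.strip() for name, value in settings}

def lint_sasl_relay(main_cf_text, map_path):
    """Findings for relayhost vs. the map; assumes lookup by relayhost as written."""
    params = parse_main_cf(main_cf_text)
    relayhost = params.get("relayhost", "")
    kind, _, name = params.get("smtp_sasl_password_maps", "").partition(":")
    if kind == "static":
        return ["static: keeps the password inside main.cf itself"]
    findings, keys = [], []
    if name != map_path:
        findings.append(f"main.cf points at {name}, not {map_path}")
    if os.stat(map_path).st_mode & 0o077:
        findings.append("map file is accessible to group or others")
    with open(map_path) as fh:
        for n, line in enumerate(fh, 1):
            if not line.strip() or line.startswith("#"):
                continue
            fields = line.split(None, 1)
            if len(fields) != 2 or ":" not in fields[1]:
                findings.append(f"line {n}: expected 'key username:password'")
            else:
                keys.append(fields[0])
    if relayhost not in keys:
        findings.append(f"no entry keyed exactly as relayhost {relayhost}")
    db = map_path + ".db"
    if kind == "hash" and (not os.path.exists(db)
                           or os.path.getmtime(db) < os.path.getmtime(map_path)):
        findings.append("hash database missing or stale; run postmap again")
    return findings

def demo():  # constructed sample; host and credentials are placeholders
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sasl_password")
        with open(path, "w") as fh:
            fh.write("[192.0.2.10]:587 firstname.lastname@password\n")
        os.chmod(path, 0o644)
        cf = f"relayhost = 192.0.2.10:587\nsmtp_sasl_password_maps = hash:{d}/sasl_passwd\n"
        return lint_sasl_relay(cf, path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a live system, pass the text of /etc/postfix/main.cf and the path of the map file; an empty list means none of these checks fired.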