> On Apr 1, 2016, at 12:31 PM, /dev/rob0 <[email protected]> wrote:
>
>> Apr 1 17:12:19 elrng-backup postfix/smtp[10780]: warning:
>> SASL authentication failure: No worthy mechs found
>
> This very warning is mentioned in SASL_README:
>
> http://www.postfix.org/SASL_README.html#client_sasl_enable
>
> Note the "Trouble solving tips" section, first bullet point.
>
>> smtpd_sasl_security_options = noanonymous

Specifically, the above is the wrong setting, the right setting is:

    # Leave cleartext SASL options at default, but allow plaintext over TLS
    # smtp_sasl_security_options = noplaintext, noanonymous
    #
    smtp_sasl_tls_security_options = noanonymous

Also consider using authenticated mandatory TLS to reach the relay:

    indexed = ${default_database_type}:${config_directory}/
    smtp_tls_policy_maps = ${indexed}tls-policy

    # Not needed for Postfix >= 2.11
    smtp_tls_CAfile = /some/file/with/CAs/trusted/for/microsoft.pem

tls-policy:

    # Postfix 2.11 or later supports per-destination trust-anchors
    [smtp.office365.com]:587 secure match=nexthop
        tafile=/some/file/with/CAs/trusted/for/microsoft.pem

    # Older versions
    # [smtp.office365.com]:587 secure match=nexthop

--
Viktor.
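
Added example (not part of the message above and not Postfix code): a simplified Python model of how the SMTP client's SASL security options filter the mechanisms a relay offers, showing why the quoted setting ends in "No worthy mechs found" and the corrected one does not. The offered mechanism list, the sample main.cf texts and the function names are constructed for illustration; treating only PLAIN and LOGIN as plaintext mechanisms is an assumption of this model.

```python
import re

# Built-in defaults as documented in postconf(5).
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # assumption: mechanisms dropped by noplaintext

def parse_main_cf(text):
    """Skip comments, join whitespace-led continuation lines, last setting wins."""
    logical, params = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def effective(params, name):
    """Value of a parameter with $name / ${name} references expanded."""
    value = params.get(name, DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: effective(params, m.group(1)), value)

def usable_mechs(params, offered, tls=True):
    """Mechanisms left after the client-side security options are applied."""
    name = "smtp_sasl_tls_security_options" if tls else "smtp_sasl_security_options"
    opts = {o.lower() for o in re.split(r"[,\s]+", effective(params, name)) if o}
    mechs = set(offered)
    if "noplaintext" in opts:
        mechs -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        mechs.discard("ANONYMOUS")
    return sorted(mechs)

def server_side_only(params):
    """smtpd_sasl_* settings configure the SMTP server, not the relay client."""
    return sorted(n for n in params if n.startswith("smtpd_sasl_"))

OFFERED = ["LOGIN"]                      # constructed: relay offering only LOGIN
BROKEN = "smtpd_sasl_security_options = noanonymous\n"        # quoted setting
FIXED = "# allow plaintext over TLS\nsmtp_sasl_tls_security_options = noanonymous\n"

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        p = parse_main_cf(text)
        print(label, usable_mechs(p, OFFERED), server_side_only(p))
```

With the corrected setting the plaintext mechanism is usable only inside a TLS session; calling `usable_mechs(..., tls=False)` still returns an empty list because the cleartext default is left in place.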