Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-10 Thread Robert Schetterer
On 09.01.2012 18:16, Noel Jones wrote:
 On 1/9/2012 10:19 AM, Ben Curtis wrote:
 Hi all,

 I've been scouring the internet trying to find someone who's done this
 before, and am at a loss.

 I've got Postfix set up as a Smart Host for sending SMTP email from
 Exchange 2010 (Small Business Server 2011). My problem is that I can't
 get TLS to work. The error message I get back in Exchange is:

 [451 4.4.0 Primary target IP address responded with: 454 4.7.5
 Certificate validation failure. Attempted failover to alternate host,
 but that did not succeed. Either there are no alternate hosts, or
 delivery failed to all alternate hosts.]

 
 Test postfix TLS with openssl to make sure postfix is working correctly.
 
 For port 25 (or 587) with STARTTLS
 # openssl s_client -connect example.com:25 -starttls smtp
 
 Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
 mistakenly referred to as SSL in mail client software):
 # openssl s_client -connect example.com:465
 
 Openssl will print a couple pages of garbage-looking handshake info
 that ends with postfix's 250 greeting.
 
 At that point you should be able to type in EHLO myname and get a
 response from postfix.  If you get that far, postfix TLS is working
 correctly.
 
 If postfix checks out OK, the problem is with the Exchange
 configuration.
 
 Maybe Exchange needs to import the private root CA you used to
 generate your certificates?  Maybe Exchange is trying to use
 wrappermode on a port configured for STARTTLS (or vice versa)?
 
 

 Below are key areas of main.cf:
 
 If you need more help with postfix, show postconf -n output and
 relevant log entries.
 
   -- Noel Jones

Hi Ben,

you might read this

http://smtpport25.wordpress.com/2010/07/11/exchange-2010-connectors/

and/or

http://technet.microsoft.com/en-us/library/aa997285.aspx
http://technet.microsoft.com/en-us/library/aa998662%28EXCHG.140%29.aspx
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-10 Thread Robert Schetterer
On 09.01.2012 21:48, Noel Jones wrote:
 On 1/9/2012 2:24 PM, Ben Curtis wrote:
 First off, thanks for the help everyone!

 Test postfix TLS with openssl to make sure postfix is working correctly.

 For port 25 (or 587) with STARTTLS
 # openssl s_client -connect example.com:25 -starttls smtp


 I'm using 587, and this seemed to function just fine from a remote host:

 --
 [root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls 
 smtp
 CONNECTED(0003)
 ...
 
 250 DSN
 quit
 221 2.0.0 Bye
 closed
 
 OK, postfix TLS is working correctly.
 
 
 Below is the output of postconf, and under that is a log level 7 TLS
 negotiation.
 
 tls log levels above 1 are generally useless unless you are an
 expert in openssl (which I'm not sufficiently).
 
 Likewise with verbose logging in postfix; the vast majority of
 postfix config problems can be debugged with normal logging.
 

 postconf -n

 
 no glaring errors in postconf.
 
 --


 maillog with log level 7 (I just noticed the QUIT message below, but
 not sure how to interpret it)
 
 everything reasonably normal up to here.
 
 Jan  9 20:12:18  postfix/smtpd[11743]: Read 6 chars: QUIT??
 
 Remote site (Exchange) didn't like something and issued QUIT.  No
 reason for the QUIT is given nor expected in the postfix logs.
 
 Jan  9 20:12:18  postfix/smtpd[11743]: disconnect from
 **[***]
 
 remote site disconnected.
 
 
 FWIW, it appears the TLS negotiation between postfix and exchange
 worked since Exchange was able to send the QUIT over the encrypted
 link, but Exchange didn't like something about the connection and so
 disconnected.  Since Exchange logs the message about an untrusted
 certificate, there's no reason at this point to not believe that
 message is accurate.
 
 Sorry, can't help any more.  You might google around how to import a
 certificate in Exchange, or how to mark a particular client as trusted.
 
 
 
   -- Noel Jones

By the way, did you check for existing firewalls between the two servers?
I had problems with some firewalls and TLS when using Exchange to relay
through Postfix; sorry, I don't know how they were fixed by the firewall
people involved.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-09 Thread Ben Curtis
Hi all,

I've been scouring the internet trying to find someone who's done this
before, and am at a loss.

I've got Postfix set up as a Smart Host for sending SMTP email from
Exchange 2010 (Small Business Server 2011). My problem is that I can't
get TLS to work. The error message I get back in Exchange is:

[451 4.4.0 Primary target IP address responded with: 454 4.7.5
Certificate validation failure. Attempted failover to alternate host,
but that did not succeed. Either there are no alternate hosts, or
delivery failed to all alternate hosts.]

Postfix doesn't seem to be reporting any errors. I am using
self-signed certs on both the Exchange server and the Postfix server,
and have added both signed-cert.crt and ca.crt to the trusted
certificate store in Exchange.

Below are key areas of main.cf:

# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# TLS parameters
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_cert_file = /etc/postfix/certs/signed-cert.crt
smtpd_tls_key_file = /etc/postfix/certs/cert.key
smtp_tls_CAfile = /etc/postfix/certs/ca.crt

Any thoughts? Anything else I can post to aid in debug?

Thanks,
Ben


Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-09 Thread Robert Schetterer
On 09.01.2012 17:19, Ben Curtis wrote:
 Hi all,
 
 I've been scouring the internet trying to find someone who's done this
 before, and am at a loss.
 
 I've got Postfix set up as a Smart Host for sending SMTP email from
 Exchange 2010 (Small Business Server 2011). My problem is that I can't
 get TLS to work. The error message I get back in Exchange is:
 
 [451 4.4.0 Primary target IP address responded with: 454 4.7.5
 Certificate validation failure. Attempted failover to alternate host,
 but that did not succeed. Either there are no alternate hosts, or
 delivery failed to all alternate hosts.]
 
 Postfix doesn't seem to be reporting any errors. I am using
 self-signed certs on both the Exchange server and the Postfix server,
 and have added both signed-cert.crt and ca.crt to the trusted
 certificate store in Exchange.
 
 Below are key areas of main.cf:
 
 # SASL
 smtpd_sasl_auth_enable = yes
 broken_sasl_auth_clients = no
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain =
 
 # TLS parameters
 smtp_tls_security_level = may
 smtpd_tls_security_level = may
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 tls_random_source = dev:/dev/urandom
 smtpd_tls_cert_file = /etc/postfix/certs/signed-cert.crt
 smtpd_tls_key_file = /etc/postfix/certs/cert.key
 smtp_tls_CAfile = /etc/postfix/certs/ca.crt
 
 Any thoughts? Anything else I can post to aid in debug?
 
 Thanks,
 Ben

Hi Ben, all I can say is that I have
Exchange 2003 servers that use the submission port with TLS
to relay through Postfix, so unless it is some Microsoft magic feature or bug,
my bet would go to some Exchange config problem. I see no Postfix
problem in your config at a quick glance, so consult TechNet / Exchange
logs etc. to find out more.

Hm, perhaps take the default for
smtp_tls_note_starttls_offer (default: no),
but I guess this isn't the problem.

Anyway, perhaps post the whole Postfix config
and/or existing log entries (if any exist).
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-09 Thread Noel Jones
On 1/9/2012 10:19 AM, Ben Curtis wrote:
 Hi all,
 
 I've been scouring the internet trying to find someone who's done this
 before, and am at a loss.
 
 I've got Postfix set up as a Smart Host for sending SMTP email from
 Exchange 2010 (Small Business Server 2011). My problem is that I can't
 get TLS to work. The error message I get back in Exchange is:
 
 [451 4.4.0 Primary target IP address responded with: 454 4.7.5
 Certificate validation failure. Attempted failover to alternate host,
 but that did not succeed. Either there are no alternate hosts, or
 delivery failed to all alternate hosts.]
 

Test postfix TLS with openssl to make sure postfix is working correctly.

For port 25 (or 587) with STARTTLS
# openssl s_client -connect example.com:25 -starttls smtp

Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
mistakenly referred to as SSL in mail client software):
# openssl s_client -connect example.com:465

Openssl will print a couple pages of garbage-looking handshake info
that ends with postfix's 250 greeting.

At that point you should be able to type in EHLO myname and get a
response from postfix.  If you get that far, postfix TLS is working
correctly.

If postfix checks out OK, the problem is with the Exchange
configuration.

Maybe Exchange needs to import the private root CA you used to
generate your certificates?  Maybe Exchange is trying to use
wrappermode on a port configured for STARTTLS (or vice versa)?


 
 Below are key areas of main.cf:

If you need more help with postfix, show postconf -n output and
relevant log entries.

  -- Noel Jones


Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-09 Thread Ben Curtis
First off, thanks for the help everyone!

Test postfix TLS with openssl to make sure postfix is working correctly.

For port 25 (or 587) with STARTTLS
# openssl s_client -connect example.com:25 -starttls smtp


I'm using 587, and this seemed to function just fine from a remote host:

--
[root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls smtp
CONNECTED(0003)
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN =
mail.MYDOMAIN.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN =
mail.MYDOMAIN.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
   i:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
Server certificate
-BEGIN CERTIFICATE-
*
-END CERTIFICATE-
subject=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
issuer=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
No client certificate CA names sent
---
SSL handshake has read 1871 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 
Session-ID-ctx:
Master-Key: ***
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
**

Compression: 1 (zlib compression)
Start Time: 1326139550
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
ehlo MYDOMAIN
250-mail.MYDOMAIN.com
250-PIPELINING
250-SIZE 1024
250-ETRN
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
closed
--

Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
mistakenly referred to as SSL in mail client software):
# openssl s_client -connect example.com:465


I'm not using 465, so this doesn't seem to be it.


If postfix checks out OK, the problem is with the Exchange
configuration.

Maybe Exchange needs to import the private root CA you used to
generate your certificates?  Maybe Exchange is trying to use
wrappermode on a port configured for STARTTLS (or vice versa)?


I completely agree this is probably something specific to Exchange
2010, but I'm not even sure how I would figure this out from the
Exchange side. Exchange doesn't exactly have a lot of settings like
Postfix does. I can either turn TLS on or off, but there doesn't
appear to be any other related configuration. What I've tried to find
out in Exchange forums has been useless, unfortunately.

If you need more help with postfix, show postconf -n output and
relevant log entries.


Below is the output of postconf, and under that is a log level 7 TLS
negotiation.

postconf -n
--
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_at_myorigin = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 48h
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = ** ** **
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 16d
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.**.com
mynetworks_style = host
myorigin = *.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
relay_recipient_maps =
proxy:mysql:$config_directory/mysql_relay_recipient_maps.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
reject_non_fqdn_hostname, 
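As an added example (not code from any post in this thread), a small Python triage of the `openssl s_client -starttls smtp` output Ben posted: it pulls out the presented chain and the final verify code and lists what a certificate-validating client such as Exchange would object to, even though the handshake itself completed. The sample text is a constructed excerpt of the redacted output above; the host-name check goes one step beyond the thread, since a validating client also matches the certificate name against the host it connected to.

```python
import re

# Constructed excerpt modelled on the redacted s_client output posted in the thread.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(0003)
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN = mail.MYDOMAIN.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
   i:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250 DSN
"""

# OpenSSL X509_V_ERR_* codes that all mean "the chain does not end at a trusted root".
TRUST_ERRORS = {
    18: "leaf certificate is self-signed",
    19: "chain ends at a self-signed CA that is not trusted",
    20: "issuer certificate not found in the local trust store",
    21: "leaf certificate cannot be verified against any issuer",
}


def parse_s_client(text):
    """Extract (subject, issuer) pairs of the presented chain and the final verify code."""
    chain = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M)
    code = re.search(r"Verify return code: (\d+)", text)
    return {
        "chain": [(s.strip(), i.strip()) for s, i in chain],
        "verify_code": int(code.group(1)) if code else None,
    }


def triage(text, connect_host):
    """Return the reasons a validating client would refuse the server reached as connect_host."""
    info = parse_s_client(text)
    findings = []
    code = info["verify_code"]
    if code in TRUST_ERRORS:
        findings.append(f"verify code {code}: {TRUST_ERRORS[code]}; the client must trust "
                        "exactly this certificate or the CA that issued it")
    if info["chain"]:
        subject, _issuer = info["chain"][0]
        cn = re.search(r"CN=([^/]+)", subject)
        if cn and cn.group(1).lower() != connect_host.lower():
            findings.append(f"certificate CN {cn.group(1)} does not match the host name {connect_host}")
    return findings
```

Run `triage(SAMPLE_S_CLIENT_OUTPUT, "mail.MYDOMAIN.com")` against real output to see which of the two conditions the remote client is tripping over.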

Re: Postfix as a Smart Host for Exchange 2010 with TLS

2012-01-09 Thread Noel Jones
On 1/9/2012 2:24 PM, Ben Curtis wrote:
 First off, thanks for the help everyone!
 
 Test postfix TLS with openssl to make sure postfix is working correctly.

 For port 25 (or 587) with STARTTLS
 # openssl s_client -connect example.com:25 -starttls smtp

 
 I'm using 587, and this seemed to function just fine from a remote host:
 
 --
 [root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls 
 smtp
 CONNECTED(0003)
...

 250 DSN
 quit
 221 2.0.0 Bye
 closed

OK, postfix TLS is working correctly.


 Below is the output of postconf, and under that is a log level 7 TLS
 negotiation.

tls log levels above 1 are generally useless unless you are an
expert in openssl (which I'm not sufficiently).

Likewise with verbose logging in postfix; the vast majority of
postfix config problems can be debugged with normal logging.

 
 postconf -n
 

no glaring errors in postconf.

 --
 
 
 maillog with log level 7 (I just noticed the QUIT message below, but
 not sure how to interpret it)

everything reasonably normal up to here.

 Jan  9 20:12:18  postfix/smtpd[11743]: Read 6 chars: QUIT??

Remote site (Exchange) didn't like something and issued QUIT.  No
reason for the QUIT is given nor expected in the postfix logs.

 Jan  9 20:12:18  postfix/smtpd[11743]: disconnect from
 **[***]

remote site disconnected.


FWIW, it appears the TLS negotiation between postfix and exchange
worked since Exchange was able to send the QUIT over the encrypted
link, but Exchange didn't like something about the connection and so
disconnected.  Since Exchange logs the message about an untrusted
certificate, there's no reason at this point to not believe that
message is accurate.

Sorry, can't help any more.  You might google around how to import a
certificate in Exchange, or how to mark a particular client as trusted.

  -- Noel Jones