Public bug reported:

I want to use group-managed service accounts (gMSA) to authenticate to a Microsoft Exchange relay host using SMTP. gMSA accounts can only authenticate using Kerberos.
I've configured postfix for kerberos authentication as follows:

  smtp_sasl_auth_enable = yes
  smtp_sasl_mechanism_filter = gssapi
  smtp_sasl_password_maps = static:empty:empty
  import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME KRB5_TRACE=/trace/krb5 KRB5CCNAME=/private/smtp_ccache
  header_size_limit = 4096000

Keytab is created as follows:

  #! /bin/bash
  # Principal of the machine account (hostname in upper case) in the realm.
  PRINC="$(hostname | tr 'a-z' 'A-Z')\[email protected]"
  # Credential cache inside the postfix chroot; the smtp client sees it as
  # /private/smtp_ccache via KRB5CCNAME above.
  OUT="/var/spool/postfix/private/smtp_ccache"
  # Obtain a TGT from the keytab into a temporary cache, then atomically
  # replace the cache postfix reads so it never sees a half-written file.
  kinit -k -t /etc/krb5.keytab \
    -c "$OUT.new" \
    "$PRINC" && \
  mv "$OUT.new" "$OUT"
  chown postfix:postfix "$OUT"

Wireshark shows:

  220 exchange.example.org Microsoft ESMTP MAIL Service ready at Fri, 28 Feb 2025 15:48:48 +0100
  EHLO postfix.localdomain
  250-exchange.kubus-it.de Hello [...]
  250-SIZE 37748736
  250-PIPELINING
  250-DSN
  250-ENHANCEDSTATUSCODES
  250-STARTTLS
  250-AUTH GSSAPI NTLM
  250-8BITMIME
  250-BINARYMIME
  250-CHUNKING
  250 SMTPUTF8
  AUTH GSSAPI
  334 GSSAPI supported
  QUIT
  535 5.7.3 Authentication unsuccessful

Mail.log shows with debugging enabled:

  postfix/smtp[47829]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
  postfix/smtp[47829]: < exchange.example.org[...]:587: 220 exchange.kubus-it.de Microsoft ESMTP MAIL Service ready at Fri, 28 Feb 2025 16:06:15 +0...
  postfix/smtp[47829]: > exchange.example.org[...]:587: EHLO postfix.localdomain
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-exchange.kubus-it.de Hello [....]
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-SIZE 37748736
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-PIPELINING
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-DSN
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-ENHANCEDSTATUSCODES
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-STARTTLS
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-AUTH GSSAPI NTLM
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-8BITMIME
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-BINARYMIME
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250-CHUNKING
  postfix/smtp[47829]: < exchange.example.org[...]:587: 250 SMTPUTF8
  postfix/smtp[47829]: match_string: smtp_sasl_mechanism_filter: gssapi ~? gssapi
  postfix/smtp[47829]: sasl_mech_filter: keep SASL mechanism: 'GSSAPI'
  postfix/smtp[47829]: match_string: smtp_sasl_mechanism_filter: ntlm ~? gssapi
  postfix/smtp[47829]: match_list_match: NTLM: no match
  postfix/smtp[47829]: sasl_mech_filter: drop SASL mechanism: 'NTLM'
  postfix/smtp[47829]: server features: 0x20903f size 37748736
  postfix/smtp[47829]: Using ESMTP PIPELINING, TCP send buffer size is 87040, PIPELINING buffer size is 4096
  postfix/smtp[47829]: maps_find: smtp_sasl_password_maps: static:smtp:exchange.example.org(0,lock|fold_fix|utf8_request): exchange.kubus-it.de = smtp:exchange.kubus-it.de
  postfix/smtp[47829]: smtp_sasl_passwd_lookup: host `exchange.example.org' user `smtp' pass `exchange.kubus-it.de'
  postfix/smtp[47829]: starting new SASL client
  postfix/smtp[47829]: name_mask: noanonymous
  postfix/smtp[47829]: smtp_sasl_authenticate: exchange.example.org[...]:587: SASL mechanisms GSSAPI
  postfix/smtp[47829]: SASL authentication debug: GSSAPI client step 1
  postfix/smtp[47829]: xsasl_cyrus_client_first: uncoded initial reply: `\202\005\311\006\t*\206H ... ~\324\036r\351yP\023\
  postfix/smtp[47829]: > exchange.example.org[...]:587: AUTH GSSAPI
  postfix/smtp[47829]: < exchange.example.org[...]:587: 334 GSSAPI supported
  postfix/smtp[47829]: connect to subsystem private/defer
  postfix/smtp[47829]: private/defer socket: wanted attribute: protocol
  postfix/smtp[47829]: input attribute name: protocol
  postfix/smtp[47829]: input attribute value: delivery_status_protocol
  postfix/smtp[47829]: private/defer socket: wanted attribute: (list terminator)
  postfix/smtp[47829]: input attribute name: (end)
  postfix/smtp[47829]: send attr nrequest = 0
  postfix/smtp[47829]: send attr flags = 0
  postfix/smtp[47829]: send attr queue_id = CDEB2356005F
  postfix/smtp[47829]: send attr original_recipient = [email protected]
  postfix/smtp[47829]: send attr recipient = [email protected]
  postfix/smtp[47829]: send attr offset = 746
  postfix/smtp[47829]: send attr dsn_orig_rcpt = rfc822;[email protected]
  postfix/smtp[47829]: send attr notify_flags = 0
  postfix/smtp[47829]: send attr status = 4.7.0
  postfix/smtp[47829]: send attr diag_type = x-sasl
  postfix/smtp[47829]: send attr diag_text = protocol error
  postfix/smtp[47829]: send attr mta_type =
  postfix/smtp[47829]: send attr mta_mname =
  postfix/smtp[47829]: send attr action = delayed
  postfix/smtp[47829]: send attr reason = SASL authentication failed; non-empty initial GSSAPI challenge from server exchange.example.org[...]: YIIFy ... wppuQS
  postfix/smtp[47829]: private/defer socket: wanted attribute: status
  postfix/smtp[47829]: input attribute name: status
  postfix/smtp[47829]: input attribute value: 0
  postfix/smtp[47829]: private/defer socket: wanted attribute: (list terminator)
  postfix/smtp[47829]: input attribute name: (end)
  postfix/smtp[47829]: CDEB2356005F: to=<[email protected]>, relay=exchange.kubus-it.de[...]:587, delay=281, delays=280/0.01/0.95/0, dsn=4.7.0, status=deferred (SASL authentication failed; non-empty initial GSSAPI challenge from server exchange.kubus-it.de[...]: YIIFy ... rJcxR
  postfix/smtp[47829]: flush_add: site example.org id CDEB2356005F
  postfix/smtp[47829]: match_list_match: example.org: no match
  postfix/smtp[47829]: flush_add: site example.org id CDEB2356005F status 4
  postfix/smtp[47829]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
  postfix/smtp[47829]: > exchange.example.org[...]:587: QUIT
  postfix/smtp[47829]: name_mask: resource
  postfix/smtp[47829]: name_mask: software
  postfix/smtp[47829]: disposing SASL state information

So exchange answers "334 GSSAPI supported" where postfix expected something more like "334" (nothing on the line). The attached patch fixes the issue for me.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: postfix 3.6.4-1ubuntu1.3
ProcVersionSignature: Ubuntu 5.15.0-131.141-generic 5.15.168
Uname: Linux 5.15.0-131-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Fri Feb 28 19:22:50 2025
InstallationDate: Installed on 2022-11-21 (830 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421)
ProcEnviron:
 TERM=screen.xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: postfix
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy uec-images

** Patch added: "fix-sasl-with-exchange.patch"
   https://bugs.launchpad.net/bugs/2100628/+attachment/5861243/+files/fix-sasl-with-exchange.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2100628

Title:
  Use postfix smtp client with Kerberos (GSSAPI) Authentication with
  Microsoft Exchange

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/2100628/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
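The interoperability point in the report is a protocol-parsing one: RFC 4954 says the text after a 334 reply code is a base64-encoded server challenge, and an empty challenge is sent as a bare "334" (with at most a trailing space). Postfix sends "AUTH GSSAPI" with no initial response and therefore expects an empty challenge before it emits its first GSSAPI token; Exchange instead replies "334 GSSAPI supported", human-readable text that is neither empty nor base64, and the client defers the message. The following Python is an added illustration written for this page; it is neither Postfix's code nor the attached patch. It parses the reply the way an RFC 4954 client would, models the strict check that produces the deferral, and shows a deliberately narrow lenient mode that treats a non-base64 334 payload as an empty challenge only at this first step. The sample reply lines are constructed here (two are copied from the capture above), and the short base64 token "YIIFyQ==" is a constructed stand-in for a real GSSAPI token.

```python
from __future__ import annotations

import base64
import binascii

# Constructed sample replies to a bare "AUTH GSSAPI" (no initial response).
# "334 GSSAPI supported" and the 535 line are what the report's capture shows;
# the others are shapes RFC 4954 permits. The base64 token is constructed.
SAMPLE_REPLIES = {
    "empty challenge, bare code": "334",
    "empty challenge, trailing space": "334 ",
    "exchange informational text": "334 GSSAPI supported",
    "base64 challenge": "334 YIIFyQ==",
    "rejection": "535 5.7.3 Authentication unsuccessful",
}


class SmtpAuthError(Exception):
    """The client cannot continue the SASL exchange with this reply."""


def parse_auth_reply(line: str, lenient: bool = False) -> bytes | None:
    """Parse one SMTP reply line received in response to an AUTH command.

    Returns None for a 235 reply (authentication complete, no challenge) and
    the decoded challenge bytes for a 334 reply, b"" when the server sent an
    empty challenge ("334" or "334 "). Raises SmtpAuthError for any other
    reply code, or for a 334 whose payload is not valid base64. With
    lenient=True a non-base64 payload (informational text such as
    "GSSAPI supported") is treated as an empty challenge instead.
    """
    line = line.rstrip("\r\n")
    if len(line) < 3 or not line[:3].isdigit():
        raise SmtpAuthError(f"malformed SMTP reply: {line!r}")
    code, rest = line[:3], line[3:]
    if code == "235":
        return None
    if code != "334":
        raise SmtpAuthError(f"server rejected AUTH: {line}")
    payload = rest[1:] if rest.startswith(" ") else rest
    if payload == "":
        return b""
    try:
        # validate=True makes characters outside the base64 alphabet (for
        # example the space in "GSSAPI supported") an error instead of
        # being silently discarded.
        return base64.b64decode(payload, validate=True)
    except binascii.Error:
        if lenient:
            return b""
        raise SmtpAuthError(f"334 payload is not base64: {payload!r}")


def gssapi_first_reply(reply: str, lenient: bool = False) -> str:
    """Decide what the client does with the first reply to a bare AUTH GSSAPI.

    Having sent no initial response, the client expects an empty challenge
    before it produces its own first GSSAPI token, so any non-empty
    challenge here is a protocol error from the client's point of view.
    This mirrors the "non-empty initial GSSAPI challenge" deferral the
    report describes; it is a model, not Postfix's implementation.
    """
    try:
        challenge = parse_auth_reply(reply, lenient=lenient)
    except SmtpAuthError as exc:
        return f"defer: {exc}"
    if challenge is None:
        return "authenticated"
    if challenge:
        return "defer: non-empty initial GSSAPI challenge from server"
    return "continue: send first GSSAPI token"


def run_samples(lenient: bool = False) -> dict[str, str]:
    """Apply the client decision to every constructed sample reply."""
    return {name: gssapi_first_reply(line, lenient)
            for name, line in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"lenient={mode}")
        for name, outcome in run_samples(mode).items():
            print(f"  {name:34} {outcome}")
```

Run strictly, only the two empty-challenge lines let the client continue; the Exchange text and the constructed base64 token both defer, for different reasons (not base64 versus a real but unexpected challenge). The lenient mode is intentionally limited to the not-base64 case at this one step: a genuine base64 challenge still defers, because accepting arbitrary server text as a challenge anywhere else in the exchange would hide real protocol faults rather than work around this one.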
