Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
fleon
2014-02-10 17:54:42 UTC
Permalink
Hello, I am using Debian 7.3 with Postfix, and am trying to send email
through our Exchange 2007 server. I have read tons of posts but I have been
unable to get it to work.

I am using the postfix package that comes with Debian, and also installed
libsasl2-modules.

In main.cf I tried the following:

relayhost= exchangeserver.ourdomain.com
smtp_sasl_security_options=
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd

I get 535 5.7.3 Authentication unsuccessful, so I also tried using telnet
to port 25.

I am using the command AUTH NTLM, which returns 334, but so far I have tried
unsuccessfully to enter the login as follows:

***@mydomain.com
domain\myuser
exchangeserver\myuser

Using Wireshark I did see my Outlook client on my Windows box try to log in
to Exchange with:

AUTH3: call_id: 2, Fragment: Single, NTLMSSP_AUTH, User:
exchangeserver\myuser

In auth.log I get (2 times):
NTLM client step 1
NTLM client step 2
server flags: ff810205
server domain: DOMAIN
calculating NT response

In /etc/postfix/sasl/sasl_passwd I have:
exchangeserver.ourdomain.com ***@ourdomain.com:password

I did run postmap hash:/etc/postfix/sasl/sasl_passwd and
/etc/postfix/main.cf as well.

I do have a workaround if I cannot get this to work, which is to use a
virtual SMTP server that is on our Windows webserver, which doesn't ask for
authentication, and I have already tested it and it works. But I would like
to learn how to do this properly.

Thanks in advance





--
View this message in context: http://postfix.1071664.n5.nabble.com/Exchange-2007-gives-535-5-7-3-Authentication-unsuccessful-tp65072.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Viktor Dukhovni
2014-02-10 18:19:23 UTC
Permalink
Post by fleon
Hello, i am using Debian 7.3 with postfix, and am trying to send email
through our Exchange 2007 server. I have read tons of posts but i have been
unable to get it to work
I am using the postfix package that comes with Debian, and also installed
libsasl2-modules
Does this include an NTLM plugin?
Post by fleon
relayhost= exchangeserver.ourdomain.com
Perhaps you mean:

relayhost = [exchangeserver.ourdomain.com]

which is better when MX record lookups are not intended.
Post by fleon
smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwd
I get 535 5.7.3 Authentication unsuccessful, so I also tried using telnet
to port 25
Which mechanism does Postfix attempt to use? (add the destination to
debug_peer_list and examine the verbose logs).
Post by fleon
I am using command AUTH NTLM, which returns 334,
Is that what Postfix uses? 334 just means continue, which means that
NTLM authentication requires a multi round-trip handshake.
The data should probably be base64 encoded, ... interactive debugging
is unlikely to be useful.
If you put "[]" around the relayhost setting, do likewise around
the password table lookup key.

This may not be the right username format. Perhaps you need:
DOMAIN\myuser. However, if your server supports GSSAPI, you might
have more luck with that. You just need a working credential cache
in KRB5CCNAME. An hourly cron job can run "kinit" to refresh the
ccache, while KRB5CCNAME can be added to the Postfix SMTP client
by setting "import_environment" to include all the default values
plus "KRB5CCNAME=FILE:/some/path".
--
Viktor.
fleon
2014-02-10 18:39:49 UTC
Permalink
I added the debug command you requested so you can see the whole error. I
don't seem to have DNS issues so I haven't felt the need for the brackets. I
do seem to have the NTLM module.

I am aware of base64, so in my tests with telnet I did use base64 to enter the
username, but as soon as I pressed enter I got the errors I posted. I wanted
to find out the proper username syntax so I could edit the SASL password
file properly.

My tests are being done with the sendmail command.

I don't know how to configure the Linux box properly, so users by default
try to use the sendmail command as "***@mydomain.com" instead of
"***@helpdesk.mydomain.com". This box is being configured as a helpdesk,
therefore it has a "helpdesk" hostname.

syslog.txt <http://postfix.1071664.n5.nabble.com/file/n65074/syslog.txt>



Viktor Dukhovni
2014-02-10 20:22:10 UTC
Permalink
Post by fleon
I added the debug command you requested so you can see the whole error. I
don't seem to have dns issues so i haven't felt the need for the brackets. I
do seem to have the NTLM module
You need to add the "[]" not because you may or may not have DNS issues,
but because they are required to express the fact that you're designating
a destination host, not an MX domain (unless you're relying on MX records).
Post by fleon
I am aware of base64, so my tests with telnet i did use base64 to enter the
username but as soon as i pressed enter i got the errors i posted. I wanted
to find out the proper username syntax so i could edit the sasl password
file properly.
I've not delved into NTLM in detail, but I would expect Windows style
Post by fleon
My tests are being done with the sendmail command.
This is not important.
Post by fleon
I don't know how to configure the linux box properly, so users by default
therefore it has a "helpdesk" hostname.
syslog.txt <http://postfix.1071664.n5.nabble.com/file/n65074/syslog.txt>
You've almost certainly disclosed the password in (the base64
content of) these logs, change it as soon as you get a chance.

-- Viktor.
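A quick way to see what Viktor means: the SASL exchange that Postfix logs for a destination in debug_peer_list is base64, which is an encoding, not encryption, so the username and password are recoverable by anyone who can read the log. The script below is an added example, not code from the thread or from Postfix. Its log lines are constructed in the style of Postfix's verbose SMTP client chat ("> " for what Postfix sent, "< " for the server's reply); the hostname, address, PID and the DOMAIN\myuser:mypass credential are placeholders.

```python
"""Recover SASL credentials from Postfix SMTP client debug log lines.

Added example, not code from the thread or from Postfix. The sample log
is constructed in the style of Postfix's verbose client chat ("> " =
sent by Postfix, "< " = server reply); host, address, PID and the
DOMAIN\\myuser:mypass credential are placeholders.
"""
import base64
import binascii
import re

# Constructed: an AUTH LOGIN dialogue as it would appear in the log.
SAMPLE_LOG = """\
Feb 10 18:30:01 helpdesk postfix/smtp[2741]: > exchangeserver.ourdomain.com[192.168.100.5]:25: AUTH LOGIN
Feb 10 18:30:01 helpdesk postfix/smtp[2741]: < exchangeserver.ourdomain.com[192.168.100.5]:25: 334 VXNlcm5hbWU6
Feb 10 18:30:01 helpdesk postfix/smtp[2741]: > exchangeserver.ourdomain.com[192.168.100.5]:25: RE9NQUlOXG15dXNlcg==
Feb 10 18:30:01 helpdesk postfix/smtp[2741]: < exchangeserver.ourdomain.com[192.168.100.5]:25: 334 UGFzc3dvcmQ6
Feb 10 18:30:01 helpdesk postfix/smtp[2741]: > exchangeserver.ourdomain.com[192.168.100.5]:25: bXlwYXNz
Feb 10 18:30:02 helpdesk postfix/smtp[2741]: < exchangeserver.ourdomain.com[192.168.100.5]:25: 535 5.7.3 Authentication unsuccessful
"""

# Constructed: AUTH PLAIN sends everything in one initial response.
SAMPLE_LOG_PLAIN = """\
Feb 11 20:10:00 helpdesk postfix/smtp[2802]: > exchangeserver.ourdomain.com[192.168.100.5]:25: AUTH PLAIN AGpkb2UAczNjcmV0
Feb 11 20:10:00 helpdesk postfix/smtp[2802]: < exchangeserver.ourdomain.com[192.168.100.5]:25: 235 2.7.0 Authentication successful
"""

CHAT_RE = re.compile(r"postfix/smtp\[\d+\]: ([<>]) \S+: (.*)$")


def _b64_text(token):
    """Decode one base64 token to text, or return None if it is not base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def describe(mechanism, text):
    """Render a decoded client payload; PLAIN packs authzid NUL authcid NUL password."""
    if mechanism == "PLAIN" and "\0" in text:
        authzid, authcid, password = (text.split("\0") + ["", "", ""])[:3]
        return f"authcid={authcid!r} password={password!r} authzid={authzid!r}"
    return text


def find_leaked_credentials(log_text):
    """Return [(side, mechanism, decoded_text)] for every decodable SASL payload.

    Decoding starts at an AUTH command and stops at the 235/535 reply, so
    ordinary SMTP verbs that happen to look like base64 are not touched.
    """
    hits, mechanism = [], None
    for line in log_text.splitlines():
        m = CHAT_RE.search(line)
        if not m:
            continue
        side, payload = m.groups()
        if side == ">":
            if payload.upper().startswith("AUTH "):
                parts = payload.split()
                mechanism = parts[1].upper()
                if len(parts) > 2:                    # initial response present
                    text = _b64_text(parts[2])
                    if text is not None:
                        hits.append(("client", mechanism, describe(mechanism, text)))
                continue
            if mechanism is None:
                continue
            text = _b64_text(payload)
            if text is not None:
                hits.append(("client", mechanism, describe(mechanism, text)))
        elif payload.startswith("334 "):
            text = _b64_text(payload[4:])
            if text is not None:
                hits.append(("server", mechanism, text))
        elif payload[:3] in ("235", "535"):
            mechanism = None                          # dialogue over
    return hits


if __name__ == "__main__":
    for side, mech, text in find_leaked_credentials(SAMPLE_LOG + SAMPLE_LOG_PLAIN):
        print(f"{side:6} {mech:5} {text}")
```

Run against a real syslog after a debug_peer_list session, it prints the same thing an attacker with read access to the log would see, which is why the password has to be rotated once such a log has been shared.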
fleon
2014-02-10 21:24:32 UTC
Permalink
Well, I tried with [] in both files, also tried changing the SASL password
file to use domain\user instead of ***@domain.com and still I get the same
errors.

I wonder if Exchange is rejecting anything without TLS. Our Exchange has a
self-signed certificate and I know if I want to try TLS I will need to add
it.

I am trying to do all of this to integrate the helpdesk request tracker with
Exchange, but I guess I will stick with the virtual SMTP server. It is
insecure since it doesn't do authentication, but that server does not face
the internet directly, and our webserver already uses it to send email from
webapps, so we were already at risk anyway.

Now, to handle incoming mail, which I guess will be handled by fetchmail.



l***@rhsoft.net
2014-02-10 22:51:31 UTC
Permalink
Post by fleon
I added the debug command you requested so you can see the whole error. I
don't seem to have dns issues so i haven't felt the need for the brackets. I
do seem to have the NTLM module
uninstall the NTLM module

on my Fedora machines I had the same until "yum remove cyrus-sasl-ntlm";
after uninstall it falls back to MD5 auth over TLS in case TLS is
available on both sides
Viktor Dukhovni
2014-02-10 23:03:59 UTC
Permalink
Post by l***@rhsoft.net
Post by fleon
I added the debug command you requested so you can see the whole error. I
don't seem to have dns issues so i haven't felt the need for the brackets. I
do seem to have the NTLM module
uninstall the NTLM module
Uninstalling is a crude solution that is not always easy (the module
may not be delivered separately) and impacts other applications that
need NTLM.

Postfix has "smtp_sasl_mechanism_filter" to deal with unwanted
mechanisms.
--
Viktor.
fleon
2014-02-11 12:13:24 UTC
Permalink
I disabled NTLM with sasl_mechanism_filter = !ntlm but of course now I get an
error that the server offered no compatible authentication mechanism.

When I telnet to my Exchange server I only get:

STARTTLS
X-ANONYMOUS TLS
AUTH NTLM
X-EXPS GSSAPI NTLM

Like I said, if I cannot get this to work, I will rely on the virtual SMTP
server that is located on my webserver, which is what we already use for our
website.







l***@rhsoft.net
2014-02-11 12:20:57 UTC
Permalink
Post by fleon
i disabled NTLM with sasl_mechanism_filter = !ntlm but of course now i get an
error that the server offered no compatible authentication mechanism
STARTTLS
X-ANONYMOUS TLS
AUTH NTLM
X-EXPS GSSAPI NTLM
Like i said, if i cannot get this to work, i will rely on the virtual smtp
server that is located on my webserver, which is what we already use for our
website
* we relay to a customer with Microsoft ESMTP MAIL Service
because we don't host their email but webservices sending
messages with their sender domain as envelope
* the exchange machine pretends the same as yours
* but SASL auth works for sure

250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
____________________________

on our postfix relay these packages are installed

* no ntlm
* no gssapi

cyrus-sasl-2.1.26-10.fc19.x86_64
cyrus-sasl-md5-2.1.26-10.fc19.x86_64
cyrus-sasl-lib-2.1.26-10.fc19.x86_64
cyrus-sasl-plain-2.1.26-10.fc19.x86_64
fleon
2014-02-11 12:31:32 UTC
Permalink
Hello, can you please put your relevant main.cf, /etc/postfix/generic,
/etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
/etc/aliases and maybe a syslog entry after doing a test with
/usr/sbin/sendmail?

Please mangle your username, domain and password hashes.

Your server seems quite similar to mine, but if you don't have NTLM
installed, I think you may be using TLS to connect, and probably would need
the syslog entry to confirm.

My Exchange server is "exchangeserver.ourdomain.com" and it's the 2007
version.
Our Windows "long" domain name is "ourdomain.com"
Our Windows "short" domain name is "SEGCAT"

I tried using EXCHANGESERVER\myuser, ***@ourdomain.com and SEGCAT\myuser
in the SASL hash file and it didn't work.

I am using Debian 7.3, with apt-get install postfix libsasl2-modules.





l***@rhsoft.net
2014-02-11 12:42:13 UTC
Permalink
Post by fleon
Hello, can you please put your relevant main.cf, /etc/postfix/generic,
etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
/etc/aliases and maybe a syslog entry after doing a test with
/usr/sbin/sendmail?
all database configuration
Post by fleon
Please mangle your username, domain and password hashes.
Your server seems quite similar to mine, but if you don't have NTLM
installed, i think you may be using TLS to connect, and probably would need
the syslog entry to confirm.
for sure it uses TLS because we use encryption *everywhere* if it is possible;
maybe that is the reason why it just works and falls back to PLAIN, which
you don't see in the outgoing postfix log

Trusted TLS connection established to exchange.xx.xx[xx.xx.xx.xx]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

you posted that your server says "STARTTLS";
well, then configure it on the postfix client

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
Post by fleon
My exchange server is "exchangeserver.ourdomain.com" and it's the 2007
version.
Our windows "long" domain name is "ourdomain.com"
Our windows "short" domain name is "SEGCAT"
in the sasl hash file and didn't work
there is no valid reason to guess usernames;
just use the same credentials as you enter in an ordinary MUA
fleon
2014-02-11 17:48:03 UTC
Permalink
I tried to connect with this command:

openssl s_client -starttls smtp -crlf -connect
exchangeserver.ourdomain.com:25

It connects, though it says it can't validate the certificate (which is
expected, our Exchange certificate is self-signed).

After EHLO I now get:
AUTH NTLM LOGIN

So I tried with LOGIN and it requested my username and password in base64.

After typing them manually encoded, I got a RENEGOTIATING and finally a
handshake failure. Don't know if it's because I typed the username in the wrong
format or if it just didn't like the certificate.



Wietse Venema
2014-02-11 17:55:56 UTC
Permalink
Post by fleon
openssl s_client -starttls smtp -crlf -connect
exchangeserver.ourdomain.com:25
...
Post by fleon
After typing then manually encoded, i got a RENEGOTIATING and finally a
Openssl s_client will "renegotiate" when you type "R". Try using
lowercase characters only.

Wietse
Viktor Dukhovni
2014-02-11 18:04:48 UTC
Permalink
Post by fleon
AUTH NTLM LOGIN
So i tried with login and it requested my username and password in base64.
After typing then manually encoded, i got a RENEGOTIATING and finally a
handshake failure. Don't know if it's because i typed the username in wrong
format or if just it didn't like the certificate.
openssl s_client is a testing tool, not a netcat replacement. It
processes "R" at the beginning of a line as an SSL re-negotiate
request.

If you enable TLS in Postfix, it should be able to use "LOGIN",
and you'll be all set. The username will likely work without any
domain, but you can try a few formats if a bare username does not
work.
--
Viktor.
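The renegotiation fleon hit can be reproduced from the thread's own placeholder credential: base64 of "DOMAIN\myuser" is "RE9NQUlOXG15dXNlcg==", and a line that starts with "R" is exactly what s_client takes as a renegotiate request. The script below is an added example (not from the thread, Postfix or OpenSSL) that builds the AUTH LOGIN and AUTH PLAIN client lines for a credential and flags the lines s_client would swallow. It generalises Wietse's point slightly: because base64 maps the top six bits of the first byte to the first output character, any username whose first byte is D, E, F or G encodes to a line starting with "R", and one starting with @, A, B or C encodes to a line starting with "Q", which makes s_client close the connection instead. The credentials are the thread's placeholders plus an assumed "Administrator".

```python
"""Build SMTP AUTH client lines and flag the ones openssl s_client eats.

Added example, not from the thread, Postfix or OpenSSL. The credential
DOMAIN\\myuser / mypass is the thread's placeholder; "Administrator" is an
assumed username used only to show the 'Q' case.
"""
import base64

# At the start of an input line, s_client treats these as commands rather
# than data (unless run with -ign_eof): Q closes, R renegotiates.
S_CLIENT_COMMANDS = {"Q": "close connection", "R": "renegotiate"}


def b64(text):
    """base64 of a UTF-8 string, as it goes on the wire."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def auth_login_lines(username, password):
    """Client lines for AUTH LOGIN: the command, then the username, then the
    password, each of the last two answered by a 334 challenge."""
    return ["AUTH LOGIN", b64(username), b64(password)]


def auth_plain_line(username, password, authzid=""):
    """AUTH PLAIN with initial response: base64(authzid NUL authcid NUL password)."""
    return "AUTH PLAIN " + b64(f"{authzid}\0{username}\0{password}")


def s_client_hazards(lines):
    """Return (line, effect) for every line s_client would treat as a command.

    First byte '@'..'C' (0x40-0x43) -> first base64 char 'Q';
    first byte 'D'..'G' (0x44-0x47) -> first base64 char 'R'.
    """
    return [(line, S_CLIENT_COMMANDS[line[0]])
            for line in lines if line and line[0] in S_CLIENT_COMMANDS]


if __name__ == "__main__":
    for user in ("DOMAIN\\myuser", "SEGCAT\\myuser", "myuser", "Administrator"):
        lines = auth_login_lines(user, "mypass")
        print(user, "->", lines, s_client_hazards(lines) or "ok")
    print(auth_plain_line("DOMAIN\\myuser", "mypass"))
```

Passing -ign_eof to openssl s_client stops it from treating "Q" and "R" as commands; letting Postfix itself do the authentication with the destination in debug_peer_list avoids hand-typing base64 altogether (and, as noted earlier in the thread, puts the credential in the log).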
fleon
2014-02-11 18:36:54 UTC
Permalink
I have this in my main.cf (note: I didn't set this up, my guess is that
Debian itself did, or maybe when I installed libsasl2-modules, but I don't
think so)

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

This is the rest of the relevant content in main.cf
myhostname = helpdesk.ourdomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = helpdesk.ourdomain.com

relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_security_options =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes

I tried then:

smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login

But if I do the last line, then it says NTLM isn't allowed.

What am I missing to enable TLS properly and then be able to use AUTH LOGIN?




Viktor Dukhovni
2014-02-11 19:01:19 UTC
Permalink
Post by fleon
I have this in my main.cf (note: i didn't set this up, my guess is that
debian itself did, or maybe when i installed libsasl2-modules, but i don't
think so)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Server-side TLS enabled. Use "smtpd_tls_security_level = may"
instead of the obsolete "smtpd_use_tls = yes".
Post by fleon
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Client-side TLS is not enabled. Enable client-side TLS:

smtp_tls_security_level = may
Post by fleon
What am i missing to enable TLS properly and then be able to use AUTH LOGIN?
See above.
--
Viktor.
l***@rhsoft.net
2014-02-11 19:06:17 UTC
Permalink
Post by Viktor Dukhovni
Post by fleon
I have this in my main.cf (note: i didn't set this up, my guess is that
debian itself did, or maybe when i installed libsasl2-modules, but i don't
think so)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Server-side TLS enabled. Use "smtpd_tls_security_level = may"
instead of the obsolete "smtpd_use_tls = yes".
to say it clearly: anything with smtpd_ as prefix has
nothing to do with sending a message to another server
Post by Viktor Dukhovni
Post by fleon
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
Post by fleon
What am i missing to enable TLS properly and then be able to use AUTH LOGIN?
See above
and that is why I posted hours ago the *client* configuration
of the machine that happily sends authenticated mail over TLS to
exchange

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
Viktor Dukhovni
2014-02-11 19:17:35 UTC
Permalink
Post by l***@rhsoft.net
and that is why i hours ago posted the *client* configuration
of the machine happily sends authenticated mail over TLS to
exchange
smtp_use_tls = yes
Obsolete.
Post by l***@rhsoft.net
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Leaving it blank is better. The browser CA bundle has no relevance
to SMTP.
Post by l***@rhsoft.net
smtp_tls_security_level = may
Correct.
Post by l***@rhsoft.net
smtp_tls_note_starttls_offer = yes
Pointless, since the security level is "may".
Post by l***@rhsoft.net
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
Better to use ${data_directory} instead of explicit /var/lib/postfix.
Post by l***@rhsoft.net
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
If one wants to exclude 3DES and DES, it is far easier to set:

smtp_tls_exclude_ciphers = 3DES DES

which covers all the above much more concisely. I imagine this is
intended to avoid CBC problems with Microsoft Exchange 2003.
--
Viktor.
fleon
2014-02-11 20:15:31 UTC
Permalink
FINALLY it worked, but not before I disabled NTLM in the config, because
otherwise it would try it.

So, I had to enable client-side TLS and disable NTLM. It says untrusted
connection in the logs, and I tried modifying the mynetworks variable below
but couldn't fix it. It may be untrusted because of the invalid Exchange
certificate.

For reference, here is the main.cf I used. I am aware of the obsolete
and unneeded entries.

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = helpdesk.seguroscatatumbo.com
relayhost = [mar-exch01.seguroscatatumbo.com]
smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login !ntlm
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes
###
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24

/etc/aliases contains one modification:
root: myuser

/etc/postfix/generic has one line:
***@helpdesk.ourdomain.com ***@ourdomain.com

/etc/postfix/sasl/sasl_passwd has one line:
[exchangeserver.ourdomain.com] DOMAIN\myuser:mypass

Now, a final question that isn't exactly relevant to Postfix. Can I make
emails sent come as "***@ourdomain.com" instead of the default
"***@helpdesk.ourdomain.com"?

I am aware that my Linux box is called "helpdesk" and that /etc/hosts says:

127.0.0.1 helpdesk
127.0.0.1 helpdesk.ourdomain.com helpdesk

I tried setting mydestination in main.cf to ourdomain.com but then
Postfix didn't try to relay to Exchange, which I guess is the right behaviour.
I am aware that when I configure the helpdesk I may try just impersonating
the account as ***@ourdomain.com without touching anything else.




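Putting the two EHLO listings from this thread next to the final configuration shows why each change was needed. What follows is an added example and a simplified model, not Postfix's or Cyrus SASL's own selection code: it parses an EHLO reply, applies a smtp_sasl_mechanism_filter with Postfix's list semantics (patterns tried in order, "!name" excludes, a mechanism matching no pattern is dropped, "static:" matches everything), drops the plaintext mechanisms PLAIN and LOGIN when "noplaintext" is among the effective security options, and then picks by a fixed preference order in which NTLM ranks above LOGIN, which is what fleon observed. The two EHLO replies are constructed from the mechanism lists fleon posted before and after STARTTLS; the server name and address are placeholders, and the preference order is the model's own assumption.

```python
"""Model which SASL mechanism the Postfix SMTP client ends up with.

Added example, not Postfix or Cyrus SASL code: a simplified model of
smtp_sasl_mechanism_filter, smtp_sasl_security_options and the
STARTTLS-dependent AUTH list that Exchange 2007 advertised in this thread.
"""
import re

PLAINTEXT = {"PLAIN", "LOGIN"}      # dropped under "noplaintext"
ANONYMOUS = {"ANONYMOUS"}           # dropped under "noanonymous"
# Model assumption: preference among surviving mechanisms. NTLM above
# LOGIN reproduces the thread's observation that NTLM was tried first
# whenever it was offered.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]

# Constructed from the lists fleon posted: the plain session offers only
# NTLM, the session after STARTTLS adds LOGIN. X-EXPS is Exchange's own
# authentication verb, not SASL AUTH, so it is ignored here.
EHLO_PLAIN = """\
250-exchangeserver.ourdomain.com Hello [192.168.100.20]
250-SIZE 10485760
250-PIPELINING
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250 CHUNKING
"""
EHLO_TLS = """\
250-exchangeserver.ourdomain.com Hello [192.168.100.20]
250-SIZE 10485760
250-PIPELINING
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250 CHUNKING
"""


def parse_ehlo(reply):
    """Return (starttls_offered, set_of_auth_mechanisms) from a 250 EHLO reply."""
    starttls, mechs = False, set()
    for line in reply.splitlines():
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "").split()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechs.update(p.upper() for p in params)
        elif keyword.startswith("AUTH="):   # pre-RFC 2554 "AUTH=LOGIN PLAIN" form
            mechs.update([keyword[5:]] + [p.upper() for p in params])
    return starttls, mechs


def mechanism_filter(mechs, spec):
    """Apply smtp_sasl_mechanism_filter semantics (model).

    Patterns are tried in order: a name allows that mechanism, "!name"
    denies it, "static:..." matches everything; the first match decides
    and a mechanism that matches nothing is dropped. Empty spec = no filter.
    """
    patterns = [p for p in re.split(r"[\s,]+", spec.strip()) if p]
    if not patterns:
        return set(mechs)
    kept = set()
    for mech in mechs:
        for pat in patterns:
            negate = pat.startswith("!")
            name = pat[1:] if negate else pat
            if name.lower().startswith("static:") or name.upper() == mech:
                if not negate:
                    kept.add(mech)
                break
    return kept


def choose_mechanism(ehlo_reply, tls_active, filter_spec="",
                     security_options="noplaintext, noanonymous",
                     tls_security_options=None):
    """Return the mechanism the client would try, or None if nothing is usable.

    tls_security_options defaults to security_options, mirroring Postfix's
    default smtp_sasl_tls_security_options = $smtp_sasl_security_options.
    """
    _, offered = parse_ehlo(ehlo_reply)
    candidates = mechanism_filter(offered, filter_spec)
    effective = security_options
    if tls_active and tls_security_options is not None:
        effective = tls_security_options
    opts = {o.strip().lower() for o in effective.split(",") if o.strip()}
    if "noplaintext" in opts:
        candidates -= PLAINTEXT
    if "noanonymous" in opts:
        candidates -= ANONYMOUS
    for mech in PREFERENCE:
        if mech in candidates:
            return mech
    return None


if __name__ == "__main__":
    cases = [
        ("plain session, no filter", EHLO_PLAIN, False, "", ""),
        ("plain session, login !ntlm", EHLO_PLAIN, False, "login !ntlm", ""),
        ("TLS, no filter", EHLO_TLS, True, "", ""),
        ("TLS, login !ntlm, options empty", EHLO_TLS, True, "login !ntlm", ""),
        ("TLS, login !ntlm, default options", EHLO_TLS, True, "login !ntlm",
         "noplaintext, noanonymous"),
    ]
    for label, reply, tls, flt, opts in cases:
        print(f"{label:38} -> {choose_mechanism(reply, tls, flt, opts)}")
```

The last two cases are the check worth keeping: with Postfix's default security options (noplaintext, noanonymous) still in force over TLS, the filter leaves nothing usable, which is why the working config above empties smtp_sasl_tls_security_options; "noanonymous" alone would be the tighter choice, and "!ntlm, static:rest" is the filter form that excludes NTLM without also dropping everything else.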
l***@rhsoft.net
2014-02-11 21:14:10 UTC
Permalink
Post by fleon
FINALLY it worked, but not before i disabled NTLM in the config, because
otherwise it would try it.
as said in my first reply: "uninstall the NTLM module"

as long as you have no damned good reason to install it;
in the case of the distributions I work with it is its own
sub-package with no further dependencies and so you
don't have to bother about configurations

I never faced any positive effect from installing and configuring
the NTLM crap except troubles over troubles, be it mail
delivery or stupid Apple clients that prefer it in their config
while from time to time failing to handle NTLM correctly
Post by fleon
So, i had to enable client side TLS and disabling NTLM. It says untrusted
connection in the logs, and i tried modifying the mynetworks variable below
but couldn't fix it. It may be untrusted because of the invalid exchange
certificate
it says untrusted because the certificate on the remote side is
not from a trusted CA or postfix does not know the CA

and that is why I have
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

connections to Google, as an example, are trusted with it and Untrusted without
http://www.postfix.org/postconf.5.html#smtp_tls_CAfile
Post by fleon
Post by l***@rhsoft.net
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Leaving it blank is better. The browser CA bundle has no relevance to SMTP
it has no relevance in the case of opportunistic TLS but it makes a difference
Viktor Dukhovni
2014-02-11 21:23:21 UTC
Permalink
Post by l***@rhsoft.net
Post by fleon
So, i had to enable client side TLS and disabling NTLM. It says untrusted
connection in the logs, and i tried modifying the mynetworks variable below
but couldn't fix it. It may be untrusted because of the invalid exchange
certificate
it says untrusted because the certificate on the remote side is
not from a trusted CA or postfix does not know the CA
Which is just fine in the majority of cases.
Post by l***@rhsoft.net
and that is why i have
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Too many CAs to claim meaningful trust, too few CAs to authenticate
everyone. In particular, for the OP the Exchange server's certificate
is internally provisioned, and the CA in question is not in the
browser CA bundle.

The OP may choose to specify the actual issuer of his server cert
in CAfile, and to use the policy table or a dedicated transport to
make TLS mandatory (perhaps smtp_tls_security_level = "secure")
for the destination in question.
--
Viktor.
Noel Jones
2014-02-11 21:37:15 UTC
Permalink
Post by fleon
...
Now, a final question that isn't exactly relevant to postfix. Can i make
Maybe you're looking for
http://www.postfix.org/postconf.5.html#masquerade_domains

# main.cf
masquerade_domains = ourdomain.com

Alternately, this can be done with smtp_generic_maps
http://www.postfix.org/postconf.5.html#smtp_generic_maps


See the docs for more details.
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html




-- Noel Jones
fleon
2014-02-11 21:37:17 UTC
Permalink
I am fine with the end result. The untrusted message is rather cosmetic; I
would like to know how to import the certificate or rather trust the server
(as I thought the mynetworks variable would do), but it's no biggie.

The server is inside our LAN and the relay will only be used for our
helpdesk, which will be internal.

Some would argue that using the virtual SMTP server (that asks for no
password) is better, since with the current setup I have to make sure the
user that will send the mail (which should be static, as they will be
automatically sent by the helpdesk) has a password that either doesn't
change, or keep the password updated in the hash.



Viktor Dukhovni
2014-02-11 21:49:58 UTC
Permalink
Post by fleon
Some would argue that using the virtual smtp server (that asks for no
password) is better, since with the current setup i have to make sure the
user that will send the mail (which should be static, as they will be
automatically sent by the helpdesk) has a password that either doesn't
change or keep the password updated in the hash.
Key management is a bear. Since by day I'm in the Kerberos
infrastructure game, I tend to use Kerberos credentials, with a
bunch of tooling around automated provisioning of Kerberos tickets
and service keytabs. Without a key management infrastructure,
you're basically stuck hand managing passwords, or more complicated
things are functionally equivalent to passwords.

So long as an unauthenticated entry point exists and provides
similar performance, there is indeed not much point in using
the authenticated entry point, except for educational value.
You may not have the choice at some time in the future.
--
Viktor.