How to configure Postfix when relayhost only offers GSSAPI and NTLM
My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.

My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.

I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.

Error messages in /var/log/mail:
postfix/smtp[14307]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: KEYRING:persistent:51))
postfix/smtp[14307]: 92C8D101152: to=<xxxxx@yyyyy.nl>, relay=smtp.yyyyy.nl[212.113.64.zz]:587, delay=16453, delays=16453/0.02/0.14/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.delta.nl[212.113.64.82]: generic failure)

-- 
fr.gr.
member openSUSE
Freek de Kruijf
On Saturday, 2023-03-04 at 00:11 +0100, Freek de Kruijf wrote:
> My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.
> My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.
> I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.
> Error messages in /var/log/mail:
> postfix/smtp[14307]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: KEYRING:persistent:51))
> postfix/smtp[14307]: 92C8D101152: to=<xxxxx@yyyyy.nl>, relay=smtp.yyyyy.nl[212.113.64.zz]:587, delay=16453, delays=16453/0.02/0.14/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.delta.nl[212.113.64.82]: generic failure)
I am confused about why the need to configure for "NTLM and GSSAPI" as you say. I don't configure for any, I just let postfix figure it out on its own. But I don't seem to have any provider that uses those methods.

cer@Telcontar:~> zgrep -i postfix /var/log/mail*z | grep -i "GSSAPI\|NTLM"
cer@Telcontar:~>

-- 
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
> I am confused about why the need to configure for "NTLM and GSSAPI" as you say. I don't configure for any, I just let postfix figure it out on its own.
You must have a very special postfix :-) There is no way postfix is going to automagically figure out how to submit mails on port 587, set up TLS, authenticate etc.

-- 
Per Jessen, Zürich (8.8°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-03-04 12:01, Per Jessen wrote:
> Carlos E. R. wrote:
>> I am confused about why the need to configure for "NTLM and GSSAPI" as you say. I don't configure for any, I just let postfix figure it out on its own.
> You must have a very special postfix :-) There is no way postfix is going to automagically figure out how to submit mails on port 587, set up TLS, authenticate etc.
Kind of. I configured it once years ago, a decade ago at least, but I never had to worry about what protocols it does. It negotiates what to use with the other end, AFAIK. But my mail providers do not seem to require kerberos.

############################################################
# SASL stuff
############################################################
#-- Passwords: client
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = cram-md5, login
#-- Passwords: server
smtpd_sasl_auth_enable = no
# cyrus : smtpd_sasl_type = cyrus
#         smtpd_sasl_path = smtpd
# dovecot : smtpd_sasl_type = dovecot
#           smtpd_sasl_path = private/auth
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
############################################################
# TLS stuff
############################################################
#tls_append_default_CA = no
relay_clientcerts =
#tls_random_source = dev:/dev/urandom
smtp_tls_security_level = may
smtp_use_tls = no
smtp_tls_loglevel = 1
smtp_enforce_tls = no
smtpd_use_tls = no
smtpd_tls_loglevel = 0
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_ask_ccert = no
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = lmdb:${data_directory}/smtpd_scache

Most of that is either default openSUSE configs, or comes from /usr/share/doc/packages/postfix-doc/README_FILES/SASL_README. That file mentions GSSAPI and NTLM. I see now that it is different.

For port 587, what I use is this:

/etc/postfix/sender_relayhost
robin.listas@gmx.es [mail.gmx.es]:submission
robin.listas@telefonica.net [smtp.telefonica.net]

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 3/4/23 06:37, Carlos E. R. wrote:
> On 2023-03-04 12:01, Per Jessen wrote:
>> Carlos E. R. wrote:
>>> I am confused about why the need to configure for "NTLM and GSSAPI" as you say. I don't configure for any, I just let postfix figure it out on its own.
>> You must have a very special postfix :-) There is no way postfix is going to automagically figure out how to submit mails on port 587, set up TLS, authenticate etc.
> Kind of. I configured it once years ago, a decade ago at least, but I never had to worry about what protocols it does. It negotiates what to use with the other end, AFAIK.
> But my mail providers do not seem to require kerberos.
For port 587 and TLS, you need to tweak /etc/postfix/master.cf and enable

  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

-- 
David C. Rankin, J.D.,P.E.
On 2023-03-05 08:49, David C. Rankin wrote:
> On 3/4/23 06:37, Carlos E. R. wrote:
>> On 2023-03-04 12:01, Per Jessen wrote:
>>> Carlos E. R. wrote:
>>>> I am confused about why the need to configure for "NTLM and GSSAPI" as you say. I don't configure for any, I just let postfix figure it out on its own.
>>> You must have a very special postfix :-) There is no way postfix is going to automagically figure out how to submit mails on port 587, set up TLS, authenticate etc.
>> Kind of. I configured it once years ago, a decade ago at least, but I never had to worry about what protocols it does. It negotiates what to use with the other end, AFAIK.
>> But my mail providers do not seem to require kerberos.
> For port 587 and TLS, you need to tweak /etc/postfix/master.cf and enable
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
Yes, but we are using postfix as a client, not server. In fact, master.rpmnew had this conflict:

#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o content_filter=smtp:[127.0.0.1]:10024
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#submissions inet n - n - - smtpd
# -o syslog_name=postfix/submissions
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 04.03.2023 02:11, Freek de Kruijf wrote:
> My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.
> My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.
> I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.
You do not show your configuration so any answer will be just a wild guess. Nor do you tell what SASL implementation you are using. But ...
> Error messages in /var/log/mail:
> postfix/smtp[14307]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: KEYRING:persistent:51))
Assuming you are using cyrus-sasl, GSSAPI really means Kerberos and requires additional libraries and configuration of these libraries. Passwords configured in Postfix are not applicable in this case. So you either need to actually configure Kerberos with your provider or disable GSSAPI in postfix so it can select a different mechanism.
> postfix/smtp[14307]: 92C8D101152: to=<xxxxx@yyyyy.nl>, relay=smtp.yyyyy.nl[212.113.64.zz]:587, delay=16453, delays=16453/0.02/0.14/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.delta.nl[212.113.64.82]: generic failure)
Freek de Kruijf wrote:
> My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.
> My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.
> I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.
Just in case - I think it might be possible that the server announces LOGIN support only _after_ TLS has been established. Otherwise, NTLM _should_ work with postfix, I'm sure I have seen examples "out there", but I have never had reason to do it myself.

-- 
Per Jessen, Zürich (9.4°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
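Two points from the replies above can be checked with a short script: GSSAPI needs a Kerberos ticket rather than the password in sasl_passwd, and the AUTH list may differ once TLS is up. This is an added example, not part of any message in the thread and not Postfix or Cyrus SASL code; the host name smtp.example.net, the second EHLO reply and all function names are constructed for illustration.

```python
import re
import smtplib
import ssl

# Mechanisms that work with the user:password pair from smtp_sasl_password_maps
# (NTLM additionally needs the Cyrus SASL ntlm plugin installed).
# GSSAPI is absent on purpose: it needs a Kerberos ticket, not a password.
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "NTLM"}

def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms announced in an EHLO reply (raw or smtplib form)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = re.sub(r"^250[- ]", "", line.strip())
        if re.match(r"AUTH[ =]", keyword, re.I):   # also the legacy "AUTH=" form
            mechs.update(m.upper() for m in keyword[5:].split())
    return mechs

def advise(before_tls, after_tls):
    """Compare the AUTH offer before and after STARTTLS and propose a filter."""
    pre, post = auth_mechs(before_tls), auth_mechs(after_tls)
    offered = post or pre        # with TLS in use, the post-STARTTLS offer counts
    usable = sorted(offered & PASSWORD_MECHS)
    return {
        "tls_only": sorted(post - pre),
        "needs_kerberos": "GSSAPI" in offered,
        "usable_with_password": usable,
        "smtp_sasl_mechanism_filter": ", ".join(m.lower() for m in usable),
    }

def probe(host, port=587):
    """Collect both EHLO replies from a live submission server."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        before = s.ehlo()[1].decode()
        s.starttls(context=ssl.create_default_context())
        after = s.ehlo()[1].decode()
    return advise(before, after)

# Constructed samples: the first carries the AUTH line quoted in the thread,
# the second shows a server that adds LOGIN and PLAIN once TLS is up.
PAGE_EHLO = "250-smtp.example.net\n250-STARTTLS\n250 AUTH GSSAPI NTLM"
CONSTRUCTED_TLS_EHLO = "250-smtp.example.net\n250 AUTH GSSAPI NTLM LOGIN PLAIN"

if __name__ == "__main__":
    print(advise(PAGE_EHLO, PAGE_EHLO))
    print(advise(PAGE_EHLO, CONSTRUCTED_TLS_EHLO))
```

The value under smtp_sasl_mechanism_filter is what would go into main.cf so that the Postfix SMTP client skips GSSAPI and picks a mechanism the stored password can satisfy.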
On 3/3/2023 6:11 PM, Freek de Kruijf wrote:
> My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.
> My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.
> I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.
> Error messages in /var/log/mail:
> postfix/smtp[14307]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: KEYRING:persistent:51))
> postfix/smtp[14307]: 92C8D101152: to=<xxxxx@yyyyy.nl>, relay=smtp.yyyyy.nl[212.113.64.zz]:587, delay=16453, delays=16453/0.02/0.14/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.delta.nl[212.113.64.82]: generic failure)
There is a postfix specific user list "postfix-users@postfix.org". One may subscribe by means specified at "http://www.postfix.org/lists.html"
On Saturday 4 March 2023 23:32:34 CET, joe a wrote:
> On 3/3/2023 6:11 PM, Freek de Kruijf wrote:
>> My new provider offers on port 587 "250-AUTH GSSAPI NTLM". I am trying to configure my postfix using as relayhost this smtp server. Using kmail I am able to simply provide the username, an email address, and a password. However I have a script that has to send an email. I use mailx to do that, which sends the message to postfix and postfix should send it to the server of my provider.
>> My previous provider offered LOGIN and PLAIN, for which it apparently was easy to configure Postfix.
>> I configured both NTLM and GSSAPI as mechanisms in Postfix. In /etc/postfix/sasl_passwd the username and password are configured.
>> Error messages in /var/log/mail:
>> postfix/smtp[14307]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: KEYRING:persistent:51))
>> postfix/smtp[14307]: 92C8D101152: to=<xxxxx@yyyyy.nl>, relay=smtp.yyyyy.nl[212.113.64.zz]:587, delay=16453, delays=16453/0.02/0.14/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.delta.nl[212.113.64.82]: generic failure)
> There is a postfix specific user list "postfix-users@postfix.org". One may subscribe by means specified at "http://www.postfix.org/lists.html"
I found the following page https://www.unix.com/shell-programming-and-scripting/191309-configure-cyrus-... describing how to use NTLM. I found out I did have the configuration right: the sasl plugin for ntlm was present and works and the required smtp_* parameters in main.cf present. However I used the wrong server name of my provider. So the problem was authentication; that server did not know my credentials. After changing the server name I have it working.

-- 
fr.gr.
member openSUSE
Freek de Kruijf
participants (6)
- Andrei Borzenkov
- Carlos E. R.
- David C. Rankin
- Freek de Kruijf
- joe a
- Per Jessen