Postfix SMTP relay through exchange 2003 with authentication

[mrwin]

I've installed nagios core in Centos 6.5 and configured it to send alerts through our exchange 2003 server using postfix, which is installed in nagios server, as relay agent. Everything worked fine, but recently, as part of securing the network, the exchange admin disabled 'Anonymous' relay. Now, I tried to configure postfix relay authentication, but the mail/sendmail command fails with the following error.

Nov 5 14:06:21 comp-292 postfix/smtp[23210]: 3880A1804CC: to=<[email protected]>, relay=exchange.mydomain.net[10.8.0.25]:25, delay=0.35, delays=0.15/0.03/0.02/0.15, dsn=4.0.0, status=deferred (host exchange.mydomain.net[10.8.0.25] said: 454 5.7.3 Client does not have permission to Send As this sender. (in reply to end of DATA command))

If I give invalid 'From" by editing \etc\postfix\generic I get the following error, which means the above error triggers at least after passing 'From' command successfully,

Nov 5 13:47:16 comp-292 postfix/smtp[22736]: 8EDC2180481: to=<[email protected]>, relay=exchange.mydomain.net[10.8.0.25]:25, delay=42204, delays=42204/0.11/0.01/0, dsn=4.0.0, status=deferred (host exchange.mydomain.net[10.8.0.25] said: 454 5.7.3 Client does not have permission to Send As this sender. (in reply to MAIL FROM command))

Exchange has been configured to allow relay from postfix/nagios server, and from the authenticating user.

Please see the changed sections of postfix config files.

# vi \etc\postfix\mainf.cf

smtp_sasl_auth_enable = yes
#smtp_sasl_mechanism_filter = plain, login
smtp_sasl_mechanism_filter = login !ntlm
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic
relayhost = [exchange.mydomain.net]

mtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile =

broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes
myhostname = comp-292.mydomain.net
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#canonical_maps = hash:/etc/postfix/canonical
disable_dns_lookups = yes

# vi /etc/postfix/sasl_passwd
exchange.mydomain.net [email protected]:password

# vi /etc/postfix/generic
@localdomain.local [email protected]
[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]

[abrist]

Can you check the exchange logs? We should be able to find more information concerning the exact cause of the issue there.

[mrwin]

Please see the sample log from my exchange server.

2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 EHLO - +nestit-292.sub.mydomain.net 250 0 322 33 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 MAIL - +FROM:<[email protected]> 250 0 45 49 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 RCPT - +TO:<[email protected]> 250 0 33 64 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 RCPT - +TO:<[email protected]> 250 0 40 78 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 EHLO - +nestit-292.sub.mydomain.net 250 0 322 33 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 MAIL - +FROM:<[email protected]> 250 0 45 49 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 RCPT - +TO:<[email protected]> 250 0 40 78 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 DATA - +<[email protected]> 250 0 113 309 141 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 DATA - +<[email protected]> 250 0 113 338 125 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 QUIT - nestit-292.sub.mydomain.net 240 157 73 4 0 SMTP - - - -
2014-11-06 08:16:48 10.8.0.30 Comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 QUIT - nestit-292.sub.mydomain.net 240 125 73 4 0 SMTP - - - -

[abrist]

Do you have a log of the header from the email? I am curious if the issue is with the sender's email address and not the sender's ip address/hostname.

[mrwin]

Please see the diagnostice log from exchange smtp service.

014-11-07 05:26:17 10.8.0.30 comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 EHLO - +comp1-292.sub.mydomain.net 250 0 322 33 0 SMTP - - - -
2014-11-07 05:26:17 10.8.0.30 comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 MAIL - +FROM:<[email protected]> 250 0 45 49 0 SMTP - - - -
2014-11-07 05:26:17 10.8.0.30 comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 RCPT - +TO:<[email protected]> 250 0 40 78 15 SMTP - - - -
2014-11-07 05:26:17 10.8.0.30 comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 DATA - +<[email protected]> 250 0 113 477 125 SMTP - - - -
2014-11-07 05:26:17 10.8.0.30 comp1-292.sub.mydomain.net SMTPSVC1 MAIL02 10.8.0.25 0 QUIT - comp1-292.sub.mydomain.net 240 172 73 4 0 SMTP - - - -

[abrist]

Does the authenticating user (with Exchange) match the sender email address? I recall that these must match for exchange to play nice.

[mrwin]

Thanks for the support!

Whether the Sender address is same as +FROM:<[email protected]>" address? I didn't see any sender address field ie. "+Sender:" in smtp or postfix logfile.

Actually the user account is in a sub domain but the mail address is in parent domain so the logon and email formats are as follows:

user id: nagios@sub_domain.parent_domain.in
password: xxxxxx
Email: nagios@parent_domain.in
postfix server name: comp1.sub_domain.parent_domain.in

-------------------

Relay permission has been given to nagios@sub_domain.parent_domain.in(user) and comp1.sub_domain.parent_domain.in(Server) in exchange.

[abrist]

You may want to use the same email address and authenticating user. Can you set up the email address to be: nagios@sub_domain.parent_domain.in ?