postfix relaying all mail through office365 problems

postfix email-bounces microsoft-office-365
11,856

I think you need to take a step back :)

If you are logged into plaything as bravo, do you really need all mail sent from plaything to be sent as [email protected]? If not, simply send all mail as [email protected], see Postfix on hosts without a real Internet hostname.

If you cannot apply this, then you will need Sender dependent SASL maps. It will add some complexity to your setup, so I'd really try hard to avoid this.

Last but not least, if plaything would send mails as [email protected], you'd need to adjust myhostname and/or myorigin as well as get rid of the relayhost setting. In this case, plaything would deliver all mail directly, with all the pros and cons like mail server reputation and so on.

Share:
11,856

Related videos on Youtube

amrith
Author by

amrith

Founder and CTO, Tesora Database and Distributed Systems nut Link to LinkedIn Profile Contact me at amrith (at) tesora (dot) com

Updated on September 18, 2022

Comments

  • amrith
    amrith over 1 year

    This is a rather long question with a long list of things tried and travails so please bear with me. The summary is this.

    1. I am able to relay email from ubuntu through office365 using postfix; the configuration works.
    2. It only works as one of the users; more specifically the user who authenticates against office365 is the only valid "from"

    More details follow. I have a machine in Amazon's cloud on which I run a bunch of jobs and would like to have statuses mailed over to me. I use office365 at work so I want to relay mail through office365. I'm most familiar with postfix so I used that as the MTA.

    Configuration is ubuntu 12.04LTS; I've installed postfix and mail-utils.

    For this example, let me say my company is "company.com" and the machine in question (through an elastic IP and a DNS entry) is called "plaything.company.com". hostname is set to "plaything.company.com", so is /etc/mailname

    On plaything, I have the following users registered alpha, bravo, and charlie.

    I have the following configuration files.

    alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = plaything.company.com, localhost.company.com, , localhost
myhostname = plaything.company.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.office365.com]:587
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

    As the machine is called plaything.company.com I went through the exercise of registering all the appropriate DNS entries to make office365 recognize that I owned plaything.company.com and allowed me to create a user called [email protected] in office365.

    In office365, I setup [email protected] as having another email address of [email protected].

    Then, I made the following sender_canonical

    [email protected] [email protected]

    I created a sasl_passwd file that reads:

    smtp.office365.com [email protected]:123456password123456

    let's just say that the password for [email protected] is 1234...456

    With all this setup, login as alpha and 

    mail [email protected]
Cc:
Subject: test
test

    and the whole thing works wonderfully. email gets sent off by postfix, TLS works like a champ, authenticates as daemon@... and [email protected] in Office365 gets an email message.

    The issue comes up when logged in as bravo to the machine.

    sender is [email protected] and office365 says:

    status=bounced (host smtp.office365.com[132.245.12.25] said: 
550 5.7.1 Client does not have permissions to send as 
this sender (in reply to end of DATA command))

    this is because I'm trying to send mail as bravo@... and authenticating with office365 as daemon@.... The reason it works with alpha@... is because in office365, I setup [email protected] as having another email address of [email protected].

    In Postfix Relay to Office365, Miles Erickson answers the question thusly:

    1. Don't send mail to Office365 as a user from your Office365-hosted e-mail domain. Use a subdomain instead, e.g. [email protected] instead of [email protected]. It wouldn't hurt to set up an SPF record for services.mydomain.com or whatever you decide to use.

    2. Don't authenticate against mail.messaging.microsoft.com as an Office365 user. Just connect on port 25 and deliver the mail to your domain as any foreign SMTP agent would do.

    OK, I've done #1, I have those records on DNS but for the most part they are not relevant once Office365 recognizes that I own the domain.

    Here are those records:

    CNAME records: - msoid.plaything.company.com - autodiscover.plaything.company.com

    MX record: - plaything.company.com (plaything-company-com.mail.protection.outlook.com)

    TXT record: - plaything.company.com (v=spf1 include:spf.protection.outlook.com -all)

    I've tried #2 but no matter what I do, office365 just blows away the connection with "not authenticated". I can try even a simple telnet to port 25 and attempt to send and it doesn't work.

    250 BY2PR01CA007.outlook.office365.com Hello [54.221.245.236] 
530 5.7.1 Client was not authenticated 
Connection closed by foreign host.

    Is there someone out there who has this kind of a configuration working where multiple users on a linux machine are able to relay mail using postfix through office365? There has to be someone out there doing this who can tell me what is wrong with my setup ...

    • joeqwerty
      joeqwerty over 10 years
      If you're sending email from postfix TO a user IN your Office365 hosted domain then you are not relaying. You are simply sending an email to an Office365 hosted email domain/user just as I would if I sent an email to your Office365 hosted email address. Relaying occurs when you want to send an email from postfix to a non-Office365 hosted domain THROUGH Office365. So which one are you trying to accomplish?
    • amrith
      amrith over 10 years
      @joeqwerty I am attempting to send email to multiple users, some would be in my office365 domain and some would be not in my office365 domain. I illustrated above with users in the office365 domain because as best as I can tell, there is no difference in behavior of office365 in that regard; it objects to the sending of an email message with a <from> address that IT cannot map to the authenticating user. In this example, the fact that [email protected], [email protected] and [email protected] are the same thing is what makes it work in one case but fail with bravo@...
    • kralyk
      kralyk over 10 years
      @amrith - I don't know Postfix, but I do have anon relay working through our O365 account in Windows. If you want details that should be applicable to Postfix, let me know. Otherwise, I'll let the Postfix experts answer.
  • amrith
    amrith over 10 years
    your first comment is an interesting one. (if logged in as bravo can email just go as daemon?). it would be great if I could get wildcards in sender_canonical to work. enumerating each user is a pain.<br /> Sender dependent SASL maps seems to be the perfect solution; I will try it. I was hoping someone could tell me how to make relaying without authentication work with office365. After all, remote MTA's have to deliver mail to office365 and they don't authenticate. It may be more of an Amazon SES setup issue, maybe?
  • Stefan Förster
    Stefan Förster over 10 years
    See the first link, the last entry within smtp_generic_maps will get all mail to a single sender. And the last paragraph in my answer is exactly why other mailservers can deliver to Office365 - provided they don't use a sender address that belongs to Office365.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How configure Zimbra to bounce mails over a given size limit?
Office 365 Relay access denied (in reply to RCPT TO command)
Postfix with relayhost - relay access denied for bounces
Remote host said: 550 5.7.1 message content rejected
451 5.7.3 STARTTLS is required to send mail Exchange 2013 Hybrid
Office365 relay-POSTFIX-Authentication unsuccessful
Postfix mails bouncing for no reason
Postfix: bouncing mail (reverse DNS issue)
How to configure postfix on Ubuntu to relay emails through Office 365 (SMTP) with TLS
451 #4.1.8 Domain of sender address does not resolve