Open oeric-A2B opened 1 year ago
Hey there, this is the correct syntax. Try it this way:
sasl-xoauth2-tool get-token --client-id=(Application (client) ID from AAD) --tenant=(Directory (tenant) ID from AAD) outlook /var/spool/postfix/etc/tokens/username@domain.onmicrosoft.com
Specify the tenant ID if your app is created for communication in tenant purpose.
Note: If you have specified the client secret value in the sasl-xoauth2.conf file, please don't enter it when it prompts for the client secret value. Hope it helps.
You mentioned that you "replaced 'consumers' with my tenant ID" -- can you be more specific about where you did this? Which URL did you modify? And why?
Also yes, if you have a tenant ID you should pass it to sasl-xoauth2-tool on the command line.
Thank you, I managed to generate the initial token. However, I had to manually create the "tokens" folder. I restarted the Postfix service and performed a test sending, but I'm still encountering errors:
Jun 19 15:18:39 postfixrelay postfix/smtp[7824]: 572B33010C0: SASL authentication failed; server smtp.office365.com[52.98.207.2] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P123CA05763.PROD.OUTLOOK.COM 2023-06-19T15:18:39.723Z 08DB709194]
Jun 19 15:18:41 postfixrelay postfix/smtp[7824]: 572B330: SASL authentication failed; server smtp.office365.com[52.97.211.178] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P123CA0425.GBRP123.PROD.OUTLOOK.COM 2023-06-19T15:18:41.013Z 08DB707C]
Jun 19 15:18:42 postfixrelay postfix/smtp[7824]: 572B33010C0: SASL authentication failed; server smtp.office365.com[40.99.218.82] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO0P123CA0006.GBRP123.PROD.OUTLOOK.COM 2023-06-19T15:18:42.340Z 08DB70657556C723]
Jun 19 15:18:43 postfixrelay postfix/smtp[7824]: 572B33010C0: to=nom@domain.fr, relay=smtp.office365.com[40.99.202.82]:587, delay=5.1, delays=0.03/0.2/4.9/0, dsn=4.7.0, status=deferred (SASL authentication failed; server smtp.office365.com[40.99.202.82] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P265C7.GBRP265.PROD.OUTLOOK.COM 2023-06-19T15:18:43.423Z 08DB706])
Please make sure you've followed all the steps in the README, especially around Postfix configuration. I don't see any error messages from sasl-xoauth2 in your log snippet, which leads me to believe Postfix isn't trying to use it at all.
Jun 20 12:00:23 postfixrelay smtp: 3FC71300EB1: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.99.151.162]: bad protocol / cancel
Jun 20 12:00:23 postfixrelay sasl-xoauth2: auth failed:
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client: created
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::DoStep: called with state 0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::InitialStep: TriggerAuthNameCallback err=0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::InitialStep: TriggerPasswordCallback err=0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Read: file=/etc/tokens/login@domain.com
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Read: refresh=[...], access=[...]
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::GetAccessToken: token expired. refreshing.
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: attempt 1
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/32xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc/oauth2/v2.0/token
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: request: client_id=exxxxxxx-d147-xxxx-bd39-xxxxxxxxxxxxxx9&client_secret=tExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrqbsk&grant_type=refresh_token&refresh_token=[...]
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::DoStep: new state 0 and err -5
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client: destroyed
Jun 20 12:00:23 postfixrelay smtp: 3FC71300EB1: to=rcpt@domain.com, relay=smtp.office365.com[40.100.174.194]:587, delay=1.1, delays=0.04/0.26/0.81/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.office365.com[40.100.174.194]: bad protocol / cancel)
Jun 20 12:00:23 postfixrelay sasl-xoauth2: auth failed:
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client: created
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::DoStep: called with state 0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::InitialStep: TriggerAuthNameCallback err=0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::InitialStep: TriggerPasswordCallback err=0
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Read: file=/etc/tokens/login@domain.com
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Read: refresh=[...], access=[...]
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::GetAccessToken: token expired. refreshing.
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: attempt 1
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/32xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc/oauth2/v2.0/token
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: request: client_id=exxxxxxx-d147-xxxx-bd39-xxxxxxxxxxxxxx9&client_secret=tExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrqbsk&grant_type=refresh_token&refresh_token=[...]
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client::DoStep: new state 0 and err -5
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: Client: destroyed
The relevant error here is:
Jun 20 12:00:23 postfixrelay sasl-xoauth2: 2023-06-20 12:00:23: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Did you follow the steps in the "SSL/TLS Certificates" part of the README?
Hello,
I apologize, but I am still experiencing the issue. I have followed the instructions in the "README.md" file under the "SSL/TLS Certificates" section. I have also verified the permissions on the directories. However, I am still encountering the following error:
Jun 21 13:03:41 postfix smtp: 93D52C0F31: to=name@domain.fr, relay=smtp.office365.com[52.98.201.82]:587, delay=0.77, delays=0.01/0/0.76/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.office365.com[52.98.201.82]: bad protocol / cancel)
Jun 21 13:03:41 postfix sasl-xoauth2: auth failed:
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client: created
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client::DoStep: called with state 0
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client::InitialStep: TriggerAuthNameCallback err=0
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client::InitialStep: TriggerPasswordCallback err=0
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Read: file=/etc/tokens/login@domain.org
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Read: refresh=[...], access=[...]
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::GetAccessToken: token expired. refreshing.
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Refresh: attempt 1
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/325c9b37-cae5-4690-bcf7-c6213415ca2c/oauth2/v2.0/token
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Refresh: request: client_id=ee80c1de-d147-400b-bd39-8540d8a54369&client_secret=tER8Q~dr6-iwGykCUAg3zHlNRKcLVO5X3W4rqbsk&grant_type=refresh_token&refresh_token=[...]
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client::DoStep: new state 0 and err -5
Jun 21 13:03:41 postfix sasl-xoauth2: 2023-06-21 15:03:41: Client: destroyed
I have confirmed that the SSL certificate file "/etc/ssl/certs/ca-certificates.crt" exists and has the correct permissions. I have also tried reloading the SSL certificates and restarting the postfix service, but the issue persists.
Could you please provide further assistance in resolving this problem? I would greatly appreciate any guidance or suggestions you can provide.
Thank you.
Best regards,
Can you tell me a little more about your environment? What distribution are you running? Do you have chroot enabled for Postfix? If you do, you'll actually want to have the certificate file in /var/spool/postfix/etc/ssl/certs/ca-certificates.crt instead.
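An added example, not code from the sasl-xoauth2 project: a shell check for the chroot situation described above. It reads the chroot column of the smtp client in master.cf and classifies the copy of each file under the queue directory as ok, missing, symlink or differs; the function names are hypothetical, and the host root and queue directory are passed as arguments so the check can be tried on a scratch tree.

```bash
#!/usr/bin/env bash
# Added example (not part of sasl-xoauth2). Function names are hypothetical.
# A chrooted smtp client resolves /etc/... relative to the Postfix queue
# directory, so each file the plug-in opens needs a usable copy there.

# Print the chroot column (5th field) of the "smtp unix" service in master.cf.
# "y" means chrooted; "-" means the built-in default ("n" since Postfix 3.0).
smtp_chroot_flag() {
    awk '$1 == "smtp" && $2 == "unix" { print $5; exit }' "$1"
}

# Classify the in-chroot copy of one absolute path.
#   $1 host root ("/" on a live system)  $2 queue directory  $3 configured path
# Prints one of: ok | missing | symlink | differs
check_chroot_copy() {
    local host_root="${1%/}" queue_dir="${2%/}" path="$3"
    local inside="$queue_dir$path" outside="$host_root$path"
    if [ -L "$inside" ]; then
        # A symlink is resolved inside the chroot and may dangle there.
        echo symlink
    elif [ ! -f "$inside" ]; then
        echo missing
    elif [ -f "$outside" ] && ! cmp -s "$inside" "$outside"; then
        # Stale copy: the host file changed after it was copied in.
        echo differs
    else
        echo ok
    fi
}

# Report every given path; exit status is non-zero if any copy is not "ok".
#   $1 master.cf  $2 host root  $3 queue directory  $4... absolute paths
audit_chroot() {
    local master_cf="$1" host_root="$2" queue_dir="$3" flag result status=0 p
    shift 3
    flag=$(smtp_chroot_flag "$master_cf")
    if [ "$flag" != y ]; then
        echo "smtp client not chrooted (flag=${flag:-none}); host paths are used as-is"
        return 0
    fi
    for p in "$@"; do
        result=$(check_chroot_copy "$host_root" "$queue_dir" "$p")
        echo "$p: $result"
        [ "$result" = ok ] || status=1
    done
    return "$status"
}

# Live use (paths are the ones quoted in this thread):
#   audit_chroot /etc/postfix/master.cf / /var/spool/postfix \
#       /etc/ssl/certs/ca-certificates.crt
if [ "$#" -ge 4 ]; then audit_chroot "$@"; fi
```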
Thank you for your response and assistance. I have provided the requested information below:
Distribution: Ubuntu 22.04.2 LTS
CHROOT enabled:
service type private unpriv chroot wakeup maxproc command + args
smtp inet n - y - - smtpd
smtp unix - - y - - smtp
Certificate Presence:
admin@postfix:~$ ls /var/spool/postfix/etc/ssl/certs/
3c9a4d3b.0 a94d09e5.0 ca-certificates.crt
Thank you for your continued support.
Might ca-certificates.crt be a symlink? Can you provide the output of ls -l /var/spool/postfix/etc/ssl/certs/ca-certificates.crt?
ls -l /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 208567 juin 21 16:26 /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
Can you verify that curl is able to use that certificate bundle?
curl --cacert /var/spool/postfix/etc/ssl/certs/ca-certificates.crt https://google.com/
" curl --cacert /var/spool/postfix/etc/ssl/certs/ca-certificates.crt https://google.com/
Just to be clear, are your Postfix logs still showing the same error? Or is it something else now? Given all this I'm not sure why else you'd still be seeing TokenStore::Refresh: http error: error setting certificate file or similar messages.
I restarted the Postfix service and attempted to send an email. I encountered different errors this time, and the certificate error is no longer present. Here are the relevant log entries:
Jun 21 17:02:10 postfix systemd[1]: postfix.service: Deactivated successfully.
Jun 21 17:02:10 postfix systemd[1]: Stopped Postfix Mail Transport Agent.
Jun 21 17:02:10 postfix systemd[1]: Stopping Postfix Mail Transport Agent...
Jun 21 17:02:10 postfix systemd[1]: Stopping Postfix Mail Transport Agent (instance -)...
Jun 21 17:02:10 postfix postfix/postfix-script[1319]: stopping the Postfix mail system
Jun 21 17:02:10 postfix postfix/master[976]: terminating on signal 15
Jun 21 17:02:10 postfix systemd[1]: postfix@-.service: Deactivated successfully.
Jun 21 17:02:10 postfix systemd[1]: Stopped Postfix Mail Transport Agent (instance -).
Jun 21 17:02:10 postfix systemd[1]: postfix@-.service: Consumed 4.792s CPU time.
Jun 21 17:02:10 postfix systemd[1]: Starting Postfix Mail Transport Agent (instance -)...
Jun 21 17:02:10 postfix postfix/postfix-script[1452]: warning: not owned by root: /var/spool/postfix/etc/tokens
Jun 21 17:02:10 postfix postfix/postfix-script[1453]: warning: not owned by root: /var/spool/postfix/etc/tokens/rcpt@domain.com
Jun 21 17:02:10 postfix postfix/postfix-script[1461]: warning: /var/spool/postfix/etc/tokens/rcpt@domain.com and /etc/tokens/rcpt@domain.com differ
Jun 21 17:02:10 postfix postfix/postfix-script[1482]: starting the Postfix mail system
Jun 21 17:02:10 postfix postfix/master[1484]: daemon started -- version 3.6.4, configuration /etc/postfix
Jun 21 17:02:10 postfix systemd[1]: Started Postfix Mail Transport Agent (instance -).
Jun 21 17:02:11 postfix systemd[1]: Starting Postfix Mail Transport Agent...
Jun 21 17:02:11 postfix systemd[1]: Finished Postfix Mail Transport Agent.
Jun 21 17:02:21 postfix postfix/pickup[1485]: DF823C0F1E: uid=1000 from=rcpt@domain.com
Jun 21 17:02:21 postfix postfix/cleanup[1493]: DF823C0F1E: message-id=20230621150221.DF823C0F1E@postfix.domain.org
Jun 21 17:02:21 postfix postfix/qmgr[1486]: DF823C0F1E: from=rcpt@domain.com, size=351, nrcpt=1 (queue active)
Jun 21 17:02:23 postfix postfix/smtp[1495]: DF823C0F1E: SASL authentication failed; server smtp.office365.com[52.97.212.82] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P123CA0285.GBRP123.PROD.OUTLOOK.COM 2023-06-21T15:02:23.423Z 08DB71E34D01A053]
Jun 21 17:02:24 postfix postfix/smtp[1495]: DF823C0F1E: SASL authentication failed; server smtp.office365.com[40.99.214.130] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P265CA0243.GBRP265.PROD.OUTLOOK.COM 2023-06-21T15:02:24.700Z 08DB722DC8BB9EE6]
Jun 21 17:02:26 postfix postfix/smtp[1495]: DF823C0F1E: SASL authentication failed; server smtp.office365.com[40.99.201.226] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO4P265CA0178.GBRP265.PROD.OUTLOOK.COM 2023-06-21T15:02:26.047Z 08DB704BFA3D3220]
Jun 21 17:02:27 postfix postfix/smtp[1495]: DF823C0F1E: to=name@domain.com, relay=smtp.office365.com[52.97.129.66]:587, delay=5.4, delays=0.04/0.25/5.1/0, dsn=4.7.0, status=deferred (SASL authentication failed; server smtp.office365.com[52.97.129.66] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO2P265CA0249.GBRP265.PROD.OUTLOOK.COM 2023-06-21T15:02:27.237Z 08DB71FECE4FF1B3])
I don't see any errors from sasl-xoauth2 in that set of log entries -- do you still have the plug-in enabled?
compatibility_level = 3.6
relayhost = [smtp.office365.com]:587
smtp_use_tls = yes
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level=encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = xoauth2
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
I'm not sure what to make of the "451 4.7.0 Temporary server error" messages you're seeing. Maybe sasl-xoauth2 is working fine and there really is just a temporary server error on Microsoft's end? What does your /etc/sasl-xoauth2.conf look like?
{
"client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"token_endpoint": "https://login.microsoftonline.com/32xxxx-xxxx-xxxx-bcf7-c6213415xxxx/oauth2/v2.0/token",
"log_full_trace_on_failure": "yes",
"log_to_syslog_on_failure": "yes"
}
I found this information on the Internet. Could this be the cause of my issue? (link: https://serverfault.com/questions/907219/office365-relay-postfix-authentication-unsuccessful)
In our case it was the "Azure Security defaults" in https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties:
Security Defaults enabled:
SASL authentication failed; server smtp.office365.com[x.y.z.a] said: 535 5.7.3 Authentication unsuccessful
Security Defaults disabled (20min later):
relay=smtp.office365.com[x.y.z.a]:587, delay=17, delays=0.03/0.03/17/0.37, dsn=2.0.0, status=sent (250 2.0.0 OK
We are looking into the security setting exactly preventing SASL Auth.
EDIT: Without "Azure AD Premium" it is only possible to enable/disable AD security Defaults. With default settings, SMTP_Auth is legacy and not supported anymore. I still do not understand why SMTP_Auth is considered legacy
Some Background Information: https://practical365.com/azure-ad/what-are-azure-ad-security-defaults-and-should-you-use-them/
I don't believe so, no. I'd expect a different error message in that case. Are you still seeing this issue? Was the "Temporary server error" indeed temporary?
Thank you for your response. I'm still experiencing the same issue, and the error message remains unchanged. Here's the error message I'm receiving: Jun 26 09:09:10 postfix postfix/smtp[19387]: D24CB1A0EDA: SASL authentication failed; server smtp.office365.com[52.98.227.98] said: 451 4.7.0 Temporary server error. Please try again later. PRX5 [LO3P265CA0027.GBRP265.PROD.OUTLOOK.COM 2023-06-26T07:09:10.026Z 08DB756F8EC19505]
Regarding your question about whether the error is indeed temporary, I haven't observed any changes in the error message or the ability to send emails successfully.
Additionally, I noticed that the library "libsasl-xoauth2.so" is located in "/usr/lib/x86_64-linux-gnu/sasl2/libsasl-xoauth2.so." I attempted the following command to check for the presence of "sasl-xoauth2.conf," but it didn't make any difference:
strings /usr/lib/x86_64-linux-gnu/sasl2/libsasl-xoauth2.so | grep sasl-xoauth2.conf
/etc/sasl-xoauth2.conf
I appreciate your continued assistance in resolving this issue.
Do you see any error messages from sasl-xoauth2 itself in your logs?
I have noticed something. When I reboot the postfix server, I lose the certificate and I receive the following logs:
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::GetAccessToken: token expired. refreshing.
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Refresh: attempt 1
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/325c9b37-cae5-4690-bcf7-c6213415ca2c/oauth2/v2.0/token
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Refresh: request: client_id=ee80c1de-d147-400b-bd39-8540d8a54369&client_secret=tER8Q~dr6-iwGykCUAg3zHlNRKcLVO5X3W4rqbsk&grant_type=refresh_token&refresh_token=[...]
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client::DoStep: new state 0 and err -5
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client: destroyed
Jun 26 09:43:46 postfix smtp: 619631A01FB: to=recu@domain.com, relay=smtp.office365.com[40.99.151.130]:587, delay=2170, delays=2168/0.42/0.7/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.office365.com[40.99.151.130]: bad protocol / cancel)
Jun 26 09:43:46 postfix sasl-xoauth2: auth failed:
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client: created
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client::DoStep: called with state 0
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client::InitialStep: TriggerAuthNameCallback err=0
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: Client::InitialStep: TriggerPasswordCallback err=0
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Read: file=/etc/tokens/envoi@domain.com
Jun 26 09:43:46 postfix sasl-xoauth2: 2023-06-26 09:43:46: TokenStore::Read: refresh=[...]
It seems that the issue persists even after copying the :
sudo cp /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt
Jun 26 09:48:13 postfix postfix/pickup[1480]: E3BDB1A105C: uid=1000 from=envoi@domain.com
Jun 26 09:48:13 postfix postfix/cleanup[1702]: E3BDB1A105C: message-id=20230626074813.E3BDB1A105C@postfix.domain.com
Jun 26 09:48:13 postfix postfix/qmgr[1481]: E3BDB1A105C: from=envoi@domain.com, size=363, nrcpt=1 (queue active)
Jun 26 09:48:13 postfix postfix/error[1704]: E3BDB1A105C: to=recu@domain.com, relay=none, delay=0.06, delays=0.03/0.01/0/0.01, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; cannot authenticate to server smtp.office365.com[40.99.151.130]: bad protocol / cancel)
I wouldn't say "the issue persists" -- unless you see messages from sasl-xoauth2 in the logs, it's a different issue. The easiest way to ensure that sasl-xoauth2 is able to refresh tokens is to verify with the helper tool:
$ sasl-xoauth2-tool test-token-refresh /var/spool/postfix/etc/tokens/foo@foo.com
Config check passed.
Token refresh succeeded.
Make sure that you've restarted Postfix after updating the CA file (or making any other changes to the sasl-xoauth2 config).
I have just performed the test, and it was successful: Config check passed. Token refresh succeeded. I really don't understand where the problem could be coming from. I'm ready to reinstall everything. Is there a Linux distribution that is better recommended than Ubuntu?
Ubuntu is probably your best bet because that's what I'm using to develop and test the plugin, although I do also test on Fedora once in a while.
Before doing that though -- can you provide the full contents of /etc/postfix/main.cf, /etc/postfix/sasl_passwd, and /etc/sasl-xoauth2.conf? Please also provide the output of these commands:
grep ^smtp /etc/postfix/master.cf
find /var/spool/postfix/etc -type f -ls
(Please be sure to redact any tokens, passwords, or email addresses!)
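An added example, not part of sasl-xoauth2 or of any post in this thread: a shell filter that masks the credential-bearing fields of a log_full_trace_on_failure trace (client_id, client_secret, refresh and access tokens, tenant ID, e-mail addresses) before the log is shared, plus a check that nothing token-shaped is left. The function names and the sample trace are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). Every value in the sample is made up.
SAMPLE_TRACE='Jan 01 00:00:00 mx sasl-xoauth2: 2024-01-01 00:00:00: TokenStore::Read: file=/etc/tokens/user@example.com
Jan 01 00:00:00 mx sasl-xoauth2: 2024-01-01 00:00:00: TokenStore::Read: refresh=0.CONSTRUCTED-refresh-value, access=eyJCONSTRUCTEDaccessvalue
Jan 01 00:00:00 mx sasl-xoauth2: 2024-01-01 00:00:00: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/v2.0/token
Jan 01 00:00:00 mx sasl-xoauth2: 2024-01-01 00:00:00: TokenStore::Refresh: request: client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&client_secret=CONSTRUCTED~secret&grant_type=refresh_token&refresh_token=0.CONSTRUCTED-refresh-value
Jan 01 00:00:00 mx sasl-xoauth2: 2024-01-01 00:00:00: TokenStore::Refresh: http error: error setting certificate file: /etc/ssl/certs/ca-certificates.crt'

# Filter stdin to stdout, masking secrets but keeping the diagnostic text.
redact_trace() {
    sed -E \
        -e 's/(client_id|client_secret|refresh_token|access_token)=[^&[:space:]]+/\1=[REDACTED]/g' \
        -e 's/(refresh|access)=[^,[:space:]]+/\1=[REDACTED]/g' \
        -e 's#(login\.microsoftonline\.com/)[0-9A-Fa-f-]{36}#\1[TENANT]#g' \
        -e 's/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/[EMAIL]/g'
}

# Succeeds (status 0) if stdin still contains an unmasked secret field or a
# JWT-shaped string; use it as a gate before pasting a log anywhere.
leaks_remaining() {
    local input
    input=$(cat)
    if printf '%s\n' "$input" \
        | grep -E -o '(client_secret|refresh_token|access_token|refresh|access)=[^&,[:space:]]+' \
        | grep -v -q '=\[REDACTED\]$'; then
        return 0
    fi
    # base64url of a JSON header typically starts with "eyJ"
    printf '%s\n' "$input" | grep -E -q 'eyJ[A-Za-z0-9_-]{16,}'
}

# Demo on the constructed sample: ./redact.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TRACE" | redact_trace
fi
```

A token or client secret that has already been posted unmasked should be revoked and reissued; masking only helps for logs that have not been shared yet.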
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CApath=/etc/ssl/certs
#SASL parameters
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = xoauth2
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = postfix.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
[smtp.office365.com]:587 send@domain.com:/etc/tokens/send@domain.com
{
"client_id": "exxxxxde-d147-400b-bd39-xxxxx8axxxxx",
"client_secret": "xxxxx~dr6-xxxxxCUAxxxxxNRKcLVO5X3Wxxxxx",
"token_endpoint": "https://login.microsoftonline.com/3xxxxx37-cae5-4690-bcf7-xxxxx4xxxxx/oauth2/v2.0/token",
"log_to_syslog_on_failure": "yes",
"log_full_trace_on_failure": "yes"
}
[sudo] password for administrateur:
smtp inet n - y - - smtpd
smtp unix - - y - - smtp
1704361 4 -rw-r--r-- 1 root root 222 juin 26 09:23 /var/spool/postfix/etc/hosts
1704345 4 -rw-r--r-- 1 root root 930 juin 26 09:23 /var/spool/postfix/etc/resolv.conf
1707532 4 -rw-r--r-- 1 root root 1582 juin 26 09:23 /var/spool/postfix/etc/ssl/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
1707678 4 -rw-r--r-- 1 root root 948 juin 26 09:23 /var/spool/postfix/etc/ssl/certs/USERTrust_ECC_Certification_Authority.pem
1707679 4 -rw-r--r-- 1 root root 2090 juin 26 09:23 /var/spool/postfix/etc/ssl/certs/Trustwave_Global_Certification_Authority.pem
1707752 4 -rw-r--r-- 1 root root 1935 juin 26 09:23 /var/spool/postfix/etc/ssl/certs/CA_Disig_Root_R2.pem
1707753 4 -rw-r--r-- 1 root root 1257 juin 26 09:23 /var/spool/postfix/etc/ssl/certs/SZAFIR_ROOT_CA2.pem
1705851 8 -rw------- 1 postfix postfix 5342 juin 27 07:28 /var/spool/postfix/etc/tokens/send@domain.com
1704234 16 -rw-r--r-- 1 root root 12813 juin 26 09:23 /var/spool/postfix/etc/services
1704630 4 -rw-r--r-- 1 root root 510 juin 26 09:23 /var/spool/postfix/etc/nsswitch.conf
1704362 4 -rw-r--r-- 1 root root 92 juin 26 09:23 /var/spool/postfix/etc/host.conf
1704217 4 -rw-r--r-- 1 root root 2962 juin 26 09:23 /var/spool/postfix/etc/localtime"
It appears that you don't have a relay configured? sasl-xoauth2 is designed for cases where your mail server is always relaying mail through Gmail or Outlook's SMTP servers. You'll want to add this line to main.cf:
relayhost = [smtp.office365.com]:587
Did setting relayhost work? Can I close this issue?
Hello,
First of all, thank you for your excellent work. I apologize for my English as I am using Google Translate.
I have followed the instructions to install the plugin and I am now trying to generate the initial token for integration with Outlook. However, I am encountering an issue during the generation of the initial token. I used the following command: sasl-xoauth2-tool get-token outlook --client-id=eexxxxxx-xxxx-xxxx-xxxx-xxxxxxa54369.
The result of this command is a redirection URL to the Microsoft login site. I have successfully opened this URL in my browser and logged in. I replaced "consumers" with my tenant ID. Below is what I am getting:
sasl-xoauth2-tool get-token outlook --client-id=eexxxxxx-xxxx-xxxx-xxxx-xxxxxxa54369
Please enter OAuth2 client secret (not always required; Azure docs are unclear): tExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please visit the following link in a web browser, then paste the resulting URL:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=eexxxxxx-xxxx-xxxx-xxxx-xxxxxxa54369&response_type=code&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_mode=query&scope=openid+offline_access+https%3A%2F%2Foutlook.office.com%2FSMTP.Send
Resulting URL: https://login.microsoftonline.com/325xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxa2c/oauth2/nativeclient?code=0.AXMAN5tcMuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxx--DLA3VO7QrddgJg7WevrAgDs_wUA9P8ykQerNYse69AuUeMxTk54jgt8qpv1OBQvd-v1M05qswCZJtq-xn2sSwI5a3A_2CUY1w9-FPNZ1XNLsZEMPPov-yRWkMW0E4yzGTl39Gn7KVB9uROci_o5VOMSJ6lfdCHYoHOXlyX8iLQ_eXMaYeOWo-ttR3jxefXXjWgOpSuESUKT6AZik7TezgVFhn4Rk4XTMLOmwcSw2X90VMEFiUXF21KM9TBpkiqpuroeaInTlPdk3x-FSpaDKaDw96w3zdah_0yZcpElAXeHRYyWQ_q2BktijSPrU5d_NyTKhdqhjdS7VYkdlmT77U2NpafD0eReoSNYl9pAIwKQ7OoSNg0_a2xOxgIPNQXyTisA-klxvH7kJl9l51r3ShQZDgQOfv6XHzXDDXyqy2jMQ3dEZFIWxo1yceXjsd4nYhncK3DzHq6z8hovoqfBssHnqW1bk0lFx_ABOkPXHcSsqejy0lrXarnrHabFV5-vFGZUu5btWwQRQ5wL2_aLN3nI7Q6M0MiTvyz24xr43gLHDXhaA7vNDS1iXIRDYAR-0xwGX4dKpJ7hrnWRjFQPca6yeM6hrizOiQNt3G4r1eyXaspgfBNNCjRkKnXR_r90j8ZXWwlLmaRyDkbDeL91wAJ69l27DhUfx-xxxxxxxxxxxxxxxxxxx_9Enle5UpIJXtA9BFf6MLzsaNuQgTuco9MHwJuWb5Kv2REZuLo45MTuDCdYMBCaVO_5IcjaPJpmmNmBA4-dapNGn6unxijQiZePWSR-fbTDqy2r_WZl23vrgw9UZAnf8BcFuXCZ8orExm_rtdcVm8BYy9yb21oBHc0yJvVxpNZbRTP6q-b1joTnwjQXsg4D0g8nLNr7LWQL&session_state=f399xxxx-xxxx-xxxx-xxxx-xxxxxxcd0432
Traceback (most recent call last):
  File "/usr/bin/sasl-xoauth2-tool", line 311, in <module>
    main()
  File "/usr/bin/sasl-xoauth2-tool", line 304, in main
    args.func(args)
  File "/usr/bin/sasl-xoauth2-tool", line 204, in subcommand_get_token
    get_token_outlook(
  File "/usr/bin/sasl-xoauth2-tool", line 183, in get_token_outlook
    code = outlook_get_authorization_code(client_id, tenant)
  File "/usr/bin/sasl-xoauth2-tool", line 146, in outlook_get_authorization_code
    raise Exception(f"Resulting URL does not contain expected prefix: {OUTLOOK_REDIRECT_URI}")
Exception: Resulting URL does not contain expected prefix: https://login.microsoftonline.com/common/oauth2/nativeclient
Thank you for your assistance.
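The check behind the exception in the traceback above, sketched as an added example (not sasl-xoauth2-tool's own code): the pasted redirect URL must land on the same redirect URI that was sent in the authorize request, so a tenant belongs in the authorize path rather than in a hand-edited link. The function names and the sample URLs in the test are constructed for illustration; the redirect URI, scope and query parameters are the ones shown in the post.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect URI quoted in the exception message on this page.
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
# Scope as it appears (URL-decoded) in the authorize link on this page.
SCOPE = "openid offline_access https://outlook.office.com/SMTP.Send"


def build_authorize_url(client_id, tenant="consumers"):
    """Build the authorize URL (hypothetical helper).

    The tenant only changes the path segment; redirect_uri stays fixed,
    which is why the returned URL can still be validated afterwards.
    """
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"


def extract_authorization_code(resulting_url, redirect_uri=REDIRECT_URI):
    """Return the authorization code from a pasted redirect URL.

    Compares scheme, host and path exactly (stricter than a string
    prefix) and raises ValueError on any mismatch or OAuth error.
    """
    got = urlsplit(resulting_url.strip())
    want = urlsplit(redirect_uri)
    if (got.scheme, got.netloc.lower(), got.path) != (
        want.scheme, want.netloc.lower(), want.path
    ):
        raise ValueError(
            f"redirect landed on {got.scheme}://{got.netloc}{got.path}, "
            f"expected {redirect_uri}"
        )
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one non-empty 'code' parameter")
    return codes[0]
```
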