tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

XOAUTH2 not used when contacting O365 #87

Closed sstelmasik closed 1 month ago

sstelmasik commented 1 month ago

I've configured postfix as documented and was able to acquire a valid token that was written to the user's token file, but postfix itself seems to just ignore the xoauth2 SASL mechanism settings

```
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
myhostname = our.hostname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydomain = our.domain
mydestination = $myhostname, em.local, multi.em.local, localhost.em.local, localhost
relayhost = [smtp.office365.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.177.34.0/24 10.177.35.0/24 10.177.36.0/24 10.177.37.0/24 10.177.38.0/24 10.177.42.0/24 10.177.43.0/24 10.177.44.0/24 10.177.45.0/24 10.177.51.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

sender_canonical_maps = hash:/etc/postfix/canonical

message_size_limit = 20480000

# block spam recipients
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/bad_recipients, permit_mynetworks, reject_unauth_destination, permit

smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtp_tls_security_level = encrypt

smtp_tls_security_level = may

smtpd_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_wrappermode = yes

# tls policy
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256

# Disable weak SSLv2 and SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Disable weak ciphers
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

# Enable forward secrecy (Diffie-Hellman)
smtpd_tls_dh1024_param_file = ${config_directory}/dhparams.pem

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = xoauth2

smtp_sender_dependent_authentication = yes

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

smtp_generic_maps = hash:/etc/postfix/generic

# rewrite server to sender email
smtp_header_checks = regexp:/etc/postfix/header_check
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps

# use ipv4 only
inet_protocols = ipv4

# SMTP Smuggling prevention
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard

compatibility_level = 2
```

I'm also rewriting system mails to be sent via the configured email address - that's why I have some additional settings, but even without them it's still ignored and I get:

```
Jun 3 17:44:33 multi postfix/qmgr[1302735]: CE3CA4144D: from=<service-reports@euromobil.de>, size=390, nrcpt=1 (queue active)
Jun 3 17:44:39 multi postfix/smtp[1302749]: CE3CA4144D: to=<s.stelmasik@itws3.de>, relay=smtp.office365.com[40.101.121.2]:587, delay=5.4, delays=0.02/0.02/0.3/5, dsn=5.7.57, status=bounced (host smtp.office365.com[40.101.121.2] said: 530 5.7.57 Client not authenticated to send mail. [AM4PR05CA0020.eurprd05.prod.outlook.com 2024-06-03T15:44:39.179Z 08DC7AC9EAD8397E] (in reply to MAIL FROM command))
```

I don't see it even trying to do XAUTH.

I tried to set up DEBUG logging but it also doesn't work:

```json
{
  "client_id": "some id",
  "client_secret": "some secret",
  "token_endpoint": "https://login.microsoftonline.com/our tenant/oauth2/v2.0/token",
  "log_full_trace_on_failure": "yes"
}
```

Raising debug logging in postfix itself also doesn't change anything:

```
smtp inet n - y - - smtpd -D
```

our postfix version:

```
mail_version = 3.4.13
```

Any ideas what I'm missing here?

tarickb commented 1 month ago

Can you try setting `smtp_sasl_auth_enable = yes`?
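The mistake behind this thread is easy to make because `smtpd_sasl_auth_enable` (inbound clients authenticating to Postfix) and `smtp_sasl_auth_enable` (Postfix authenticating to the relay) differ by one letter. The following is an added example, not code from sasl-xoauth2, Postfix, or the reporter: a small linter for the SMTP-client side of `main.cf` that flags the missing `smtp_sasl_auth_enable`, and at the same time two things worth checking in a config like the one posted above: a key assigned twice (Postfix keeps the last value, so two `smtp_tls_security_level` lines end with `may` in effect) and a TLS level that would let the bearer token be sent in cleartext. It assumes plain `main.cf` syntax (`key = value`, continuation lines start with whitespace, `#` comments) and that last-assignment-wins rule; the sample configuration is constructed for the example.

```python
"""Lint a Postfix main.cf for the SMTP *client* SASL settings that XOAUTH2
relaying needs (added example for this thread; not sasl-xoauth2 or Postfix code).

Assumptions: standard main.cf syntax ("key = value", continuation lines start
with whitespace, "#" lines are comments) and Postfix's rule that a repeated key
keeps its last value (postconf warns "overriding earlier entry").
"""
import re

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Return (settings, duplicates): the effective value of every key and
    the keys that were assigned more than once."""
    settings, duplicates, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:  # continuation line
            settings[current] = (settings[current] + " " + raw.strip()).strip()
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value  # last assignment wins, as in Postfix
        current = key
    return settings, duplicates


def check_xoauth2_client(settings, duplicates):
    """Return a list of (code, message) findings for the SMTP client side."""
    findings = []
    # smtpd_* governs inbound clients; outbound AUTH to the relay needs smtp_*.
    if settings.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append(("sasl_auth_disabled",
                         "smtp_sasl_auth_enable is not 'yes': Postfix never sends AUTH "
                         "to the relay, which then rejects MAIL FROM (530 5.7.57)"))
    if "xoauth2" not in settings.get("smtp_sasl_mechanism_filter", "").lower():
        findings.append(("mechanism_filter",
                         "smtp_sasl_mechanism_filter does not allow xoauth2"))
    if not settings.get("smtp_sasl_password_maps"):
        findings.append(("password_maps",
                         "smtp_sasl_password_maps is unset: no credential "
                         "(token file path) is looked up for the relay"))
    # Postfix's default is "noplaintext, noanonymous"; XOAUTH2 counts as a
    # plaintext mechanism and would be filtered out unless noplaintext is dropped.
    if "noplaintext" in settings.get("smtp_sasl_security_options",
                                     "noplaintext, noanonymous"):
        findings.append(("noplaintext",
                         "smtp_sasl_security_options still contains noplaintext"))
    # A bearer token is a reusable secret: do not allow a cleartext session.
    enforcing = ("encrypt", "dane-only", "fingerprint", "verify", "secure")
    if settings.get("smtp_tls_security_level", "") not in enforcing:
        findings.append(("tls_not_enforced",
                         "smtp_tls_security_level does not force TLS; the token "
                         "could be sent in cleartext"))
    for key in duplicates:
        findings.append(("duplicate:" + key,
                         key + " is set more than once; the last value is in effect"))
    return findings


def lint(text):
    """Convenience wrapper: finding codes for a main.cf text."""
    settings, duplicates = parse_main_cf(text)
    return [code for code, _ in check_xoauth2_client(settings, duplicates)]


# Constructed sample modelled on the configuration posted in this issue
# (smtp_sasl_auth_enable missing, smtp_tls_security_level set twice).
SAMPLE_MAIN_CF = """\
relayhost = [smtp.office365.com]:587
smtp_tls_security_level = encrypt
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = xoauth2
"""

# The same file with both problems fixed (constructed).
FIXED_MAIN_CF = """\
relayhost = [smtp.office365.com]:587
smtp_tls_security_level = encrypt
smtpd_sasl_auth_enable = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = xoauth2
"""

if __name__ == "__main__":
    for name, cf in (("sample", SAMPLE_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        settings, dups = parse_main_cf(cf)
        print(name + ":")
        for code, msg in check_xoauth2_client(settings, dups) or [("ok", "no findings")]:
            print("  [%s] %s" % (code, msg))
```

On a live host, `postconf -n` prints the effective (last-wins) values, so feeding its output to `parse_main_cf` instead of the raw file skips the duplicate-key question and checks what Postfix actually uses.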

sstelmasik commented 1 month ago

oh - I really forgot it :( - I just saw the `smtpd_sasl_auth_enable = yes` and forgot to set the value for smtp

Thanks a lot!