Getting trixbox 2.6.2.2 Postfix to relay through Exchange Server 2007

The scenario here is a trixbox server in a predominantly Microsoft shop, and specifically where emails are to be relayed through the local Exchanger Server 2007.

If you just try to relay doing the obvious it wont work:

http://trixbox1/maint/index.php?generalsettings

The reason is not obvious:

  1. Even if you leave the Auth Name and Password blank, Postfix will still attempt authentication
  2. There appears to be a bug in the trixbox GUI where it fails to run Postmap after setting the credentials (see below)
  3. The default trixbox doesn’t have any authentication methods installed which are compatible with Exchange Server 2007
  4. Setting up Relaying on Exchange Server 2007 is 10 times harder than it was in 2000/2003.

There are some articles which explain how to configure Postfix to attempt an anonymous send. This is OK if all target user email addresses are on domains for which the relay server is authoritative, but not good if you want to relay through Exchange Serve 2007, unless you want to build custom receive connectors in Exchange 2007.

It is much better (more secure, less likely to accidently create an open relay) to get Postfix to authenticate against Exchange and the grant it the appropriate permissions to relay. Here’s how.

  1. Set the credentials as show above. That’s the easy part.
  2. Rebuild the saslpasswd database file:
    at the trixbox command line:
    postmap hash:/etc/postfix/saslpasswd
  3. Add appropriate authentication mechanisms to Postfix:
    1. Enable the CentOS Base Package in http://trixbox1/maint/index.php?repo
      Note – I’ve just looked again and I think they may have put the required sasl packages into the trixbox repository, obviating the need for this step.
    2. If you’re happy with the command line, use something like:
      yum install cyrus-sasl-ntlm
      yum install cyrus-sasl-gssapi

      (not tested)

      - Otherwise –

    3. If you haven’t already made the Package Manager fix, do so now:
      vi /etc/php.ini
      Change:

      max_execution_time = 300
      memory_limit = 256M

      Restart apache:

      service httpd restart

    4. Go to the package manager at http://trixbox1/maint/index.php?packages
      - it will take a while to load

      Select to install the following and click the install button:

      cyrus-sasl-ntlm
      cyrus-sasl-gssapi

    5. Restart Postfix:

      service postfix restart

  4. In the Windows world:
    1. If you haven’t already done so, create the user account in active directory. Make sure the password matches what you entered in the very first step in this article.
    2. If you try to send mail now, it might work. Specifically, it depends on the way the “MAIL FROM:” address correlates with the list of domains for which this server is authoritative. If you get mails bouncing with the dreaded message:

      5.7.1 Client does not have permissions to send as this sender

      Or, if you simply aren’t seeing any mails at all, move on to the next step

    3. Open the Exchange Management Shell, because the incantation we’re about to do has no GUI equivalent.
    4. You will normally have two Receive Connectors called “Default XXX” and “Client XXX”. Get their names as follows:

      Get-ReceiveConnector

    5. Use the name of your “Default XXX” connector and your chosen user name (mine is “voip”) to grant that user full relay rights:

      add-adpermission -identity "Default XXX" -user "voip" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient
      add-adpermission -identity "Default XXX" -user "voip" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

    6. There are some constraints on the settings of the “Default XXX” Receive connector, but I think the defaults are fine. Let me know if you have problems.
  5. Done & Dusted!

It reality, stuff seldom works out first time. The tools I found helpful were:

PuTTY – don’t even start working with trixbox unless you have this

webmin installed on the asterisk box:

    See http://www.webmin.com/rpm.html
    cd /etc/yum.repos.d
    vi webmin.repo
        a
        Paste this (with right mouse button)
[Webmin]
name=Webmin Distribution Neutral
baseurl=
http://download.webmin.com/download/yum
enabled=1
        <esc>
        :wq
    rpm –import
http://www.webmin.com/jcameron-key.asc
    yum install webmin
    Check it out by browsing to https://trixbox1:10000

webmin has the ability to edit Postfix settings in a nice environment and to look into Postfix mail queues, logs and even mailboxes to see what’s going wrong.

Microsoft Network Monitor 3.2 – great for watching the SMTP conversation

About these ads
This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Getting trixbox 2.6.2.2 Postfix to relay through Exchange Server 2007

  1. Pingback: Configure Postfix to relay to Exchange Server with NTLM authentication

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s