Postfix relaying all mail through office365 problems

Tags: email-bounces, microsoft-office-365, postfix

This is a rather long question with a long list of things tried and travails so please bear with me. The summary is this.

  1. I am able to relay email from ubuntu through office365 using postfix; the configuration works.
  2. It only works as one of the users; more specifically the user who authenticates against office365 is the only valid "from"

More details follow. I have a machine in Amazon's cloud on which I run a bunch of jobs and would like to have statuses mailed over to me. I use office365 at work so I want to relay mail through office365. I'm most familiar with postfix so I used that as the MTA.

Configuration is ubuntu 12.04LTS; I've installed postfix and mail-utils.

For this example, let me say my company is "company.com" and the machine in question (through an elastic IP and a DNS entry) is called "plaything.company.com". The hostname is set to "plaything.company.com", and so is /etc/mailname.

On plaything, I have the following users registered: alpha, bravo, and charlie.

I have the following configuration files.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = plaything.company.com, localhost.company.com, , localhost
myhostname = plaything.company.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.office365.com]:587
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

As the machine is called plaything.company.com I went through the exercise of registering all the appropriate DNS entries to make office365 recognize that I owned plaything.company.com and allowed me to create a user called daemon@plaything.company.com in office365.

In office365, I setup daemon@plaything.company.com as having another email address of alpha@company.com.

Then, I made the following sender_canonical

alpha@plaything.company.com alpha@company.com

I created a sasl_passwd file that reads:

smtp.office365.com daemon@plaything.company.com:123456password123456

let's just say that the password for daemon@plaything.company.com is 1234...456

With all this setup, login as alpha and

mail bravo@company.com
Cc:
Subject: test
test

and the whole thing works wonderfully. email gets sent off by postfix, TLS works like a champ, authenticates as daemon@... and bravo@company.com in Office365 gets an email message.

The issue comes up when logged in as bravo to the machine.

The sender is bravo@plaything.company.com and office365 says:

status=bounced (host smtp.office365.com[132.245.12.25] said: 
550 5.7.1 Client does not have permissions to send as 
this sender (in reply to end of DATA command))

this is because I'm trying to send mail as bravo@... and authenticating with office365 as daemon@.... The reason it works with alpha@... is because in office365, I setup daemon@plaything.company.com as having another email address of alpha@company.com.


In Postfix Relay to Office365, Miles Erickson answers the question thusly:

  1. Don't send mail to Office365 as a user from your Office365-hosted e-mail domain. Use a subdomain instead, e.g. address@services.mydomain.com instead of address@mydomain.com. It wouldn't hurt to set up an SPF record for services.mydomain.com or whatever you decide to use.

  2. Don't authenticate against mail.messaging.microsoft.com as an Office365 user. Just connect on port 25 and deliver the mail to your domain as any foreign SMTP agent would do.

OK, I've done #1; I have those records in DNS, but for the most part they are not relevant once Office365 recognizes that I own the domain.

Here are those records:

CNAME records:
– msoid.plaything.company.com
– autodiscover.plaything.company.com

MX record:
– plaything.company.com (plaything-company-com.mail.protection.outlook.com)

TXT record:
– plaything.company.com (v=spf1 include:spf.protection.outlook.com -all)

I've tried #2 but no matter what I do, office365 just blows away the connection with "not authenticated". I can try even a simple telnet to port 25 and attempt to send and it doesn't work.

250 BY2PR01CA007.outlook.office365.com Hello [54.221.245.236] 
530 5.7.1 Client was not authenticated 
Connection closed by foreign host.

Is there someone out there who has this kind of a configuration working where multiple users on a linux machine are able to relay mail using postfix through office365? There has to be someone out there doing this who can tell me what is wrong with my setup …

Best Answer

I think you need to take a step back :)

If you are logged into plaything as bravo, do you really need all mail sent from plaything to be sent as bravo@company.com? If not, simply send all mail as daemon@company.com, see Postfix on hosts without a real Internet hostname.

If you cannot apply this, then you will need Sender dependent SASL maps. It will add some complexity to your setup, so I'd really try hard to avoid this.

Last but not least, if plaything were to send mail as user@service.company.com, you'd need to adjust myhostname and/or myorigin as well as get rid of the relayhost setting. In this case, plaything would deliver all mail directly, with all the pros and cons like mail server reputation and so on.
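To make the answer's "sender dependent SASL maps" suggestion concrete, here is an added example that is not part of the question, the answer, or Postfix itself: a small offline model of which credentials the Postfix SMTP client picks for each envelope sender, and of the Office365 "send as" check that produced the 550 5.7.1 in the question. It replays the poster's sender_canonical and sasl_passwd files, then the same files extended with a per-sender entry for bravo (assuming smtp_sender_dependent_authentication = yes in main.cf). The bravo password, the table of which Office365 mailbox may send as which address, and the simplified lookup order (sender address, then @domain, then the relayhost string as written, then the bare hostname) are assumptions of this example, as marked in the comments.

```python
"""
Added example (not from the question, the answer, or Postfix): model which
SASL credential the Postfix SMTP client would use per envelope sender, and
whether Office365 would accept that sender, for the poster's original files
and for a sender-dependent variant.
"""

RELAYHOST = "[smtp.office365.com]:587"  # from the poster's main.cf

# Map files as posted (hash: source format, "key value" per line).
SENDER_CANONICAL_ORIG = "alpha@plaything.company.com alpha@company.com\n"
SASL_PASSWD_ORIG = "smtp.office365.com daemon@plaything.company.com:123456password123456\n"

# Sender-dependent variant (assumed): requires smtp_sender_dependent_authentication = yes
# in main.cf. Keys are the *rewritten* sender, because sender_canonical_maps is applied
# by cleanup(8) before the message is queued. The bravo password is hypothetical.
SENDER_CANONICAL_SDA = SENDER_CANONICAL_ORIG + "bravo@plaything.company.com bravo@company.com\n"
SASL_PASSWD_SDA = SASL_PASSWD_ORIG + "bravo@company.com bravo@company.com:bravo-secret\n"

# Assumed Office365 side: each mailbox may send only as its primary address and the
# extra addresses configured for it (alpha@company.com was added to daemon@... in the post).
O365_SEND_AS = {
    "daemon@plaything.company.com": {"daemon@plaything.company.com", "alpha@company.com"},
    "bravo@company.com": {"bravo@company.com"},
}


def parse_map(text):
    """Parse a postmap source file: key, whitespace, value; '#' comments and blanks skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def canonicalise(sender, canonical):
    """sender_canonical_maps as cleanup(8) applies it: full address first, then @domain
    (simplification: the bare 'user' form used for local domains is left out)."""
    _, _, domain = sender.partition("@")
    return canonical.get(sender.lower()) or canonical.get("@" + domain.lower()) or sender


def lookup_sasl(sender, sasl, sender_dependent, nexthop=RELAYHOST):
    """Credential selection modelled on postconf(5) for smtp_sasl_password_maps:
    envelope sender (address, then @domain) only with sender-dependent auth on, then the
    next-hop exactly as written in relayhost ([] and :port included), then the bare
    remote hostname. Returns (username, password), or None meaning no AUTH is attempted."""
    keys = []
    if sender_dependent and sender:
        _, _, domain = sender.partition("@")
        keys += [sender.lower(), "@" + domain.lower()]
    keys.append(nexthop)
    keys.append(nexthop.split("]")[0].lstrip("[").split(":")[0])  # "smtp.office365.com"
    for key in keys:
        if key in sasl:
            user, _, password = sasl[key].partition(":")  # split at the first ':'
            return user, password
    return None


def relay(local_user, canonical_text, sasl_text, sender_dependent):
    """One message submitted by a local Unix user on plaything. Returns
    (envelope sender after rewriting, SASL username used, reply Office365 would give)."""
    sender = canonicalise(local_user + "@plaything.company.com", parse_map(canonical_text))
    creds = lookup_sasl(sender, parse_map(sasl_text), sender_dependent)
    if creds is None:
        return sender, None, "530 5.7.1 Client was not authenticated"
    user, _ = creds
    if sender.lower() in O365_SEND_AS.get(user, set()):
        return sender, user, "250 2.0.0 OK"
    return sender, user, "550 5.7.1 Client does not have permissions to send as this sender"


if __name__ == "__main__":
    for user in ("alpha", "bravo", "charlie"):
        print("original:        ", user, relay(user, SENDER_CANONICAL_ORIG, SASL_PASSWD_ORIG, False))
        print("sender-dependent:", user, relay(user, SENDER_CANONICAL_SDA, SASL_PASSWD_SDA, True))
```

Two things the model makes visible. First, the poster's sasl_passwd key "smtp.office365.com" only matches on the last fallback (the bare remote hostname), since the relayhost is written as "[smtp.office365.com]:587"; that is also why every sender without its own entry, such as charlie, silently authenticates as daemon@... and then gets the 550. Second, once smtp_sender_dependent_authentication = yes is set, the per-sender key must be the address after sender_canonical rewriting (bravo@company.com, not bravo@plaything.company.com), and both map files must be rebuilt with postmap. A sender_dependent_relayhost_maps entry is not needed here because every sender uses the same relayhost.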