1

I am trying to reconfigure a (currently working) Debian 10 Postfix configuration because we have moved to Office365 as SMTP server. The Postfix mail configuration is only used for sending out mails that the server itself generates (logcheck mails etc).

The only change I thought I had to make was changing the relayhost setting
from: relayhost = some.mail.provider:465
to: relayhost = smtp.office365.com:587

Problem:

However, that doesn't work. In /var/log/syslog I get

Sep 21 15:03:30 pasteur postfix/smtp[16877]: SSL_connect error to smtp.office365.com[40.101.137.34]:587: -1
Sep 21 15:03:30 pasteur postfix/smtp[16877]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
Sep 21 15:03:30 pasteur postfix/smtp[16877]: EC2809EF92: Cannot start TLS: handshake failure

Question: Does anybody know a solution?

I played around with various postfix settings in /etc/postfix/main.cf but that doesn't work. For example, changing smtp_tls_security_level = encrypt to ... = may results in syslog entries such as smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt" (or stronger)

My postfix settings in /etc/postfix/main.cf are:

# Ansible managed

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html
# default to 2 on fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Enable SASL authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:<someuser>:************
smtp_sasl_security_options = noanonymous
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtp_tls_security_level = encrypt

# General
myhostname = pasteur.<ourdomain>.com
myorigin = /etc/mailname
mydestination = $myhostname localhost.$mydomain localhost pasteur
mynetworks = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
relayhost = smtp.office365.com:587
0

2 Answers

0

I've - for now - circumvented the issue by using the "direct send" approach outlined by Microsoft at https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

This means I had to change the relayhost setting (URL and port) and a couple of TLS settings.

0

The encryption layer is different between ports 465 and 587:

  • Port 465 expects communication using SSL
  • Port 587 expects initial communication in clear text with a STARTTLS command very early in the session

I believe the fix is to change

smtp_tls_security_level = may
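
An added example, not part of the question or of either answer: a small Python check that flags a relayhost port that does not match the Postfix client TLS mode, using the port behaviour described above (465 expects TLS immediately, 587 expects STARTTLS) and the fact that smtp_tls_wrappermode = yes selects immediate TLS. The function names, finding codes and the sample config (constructed from the settings in the question) are assumptions of this example.

```python
import re

STARTTLS_PORTS = {25, 587}   # plaintext greeting first, then STARTTLS
IMPLICIT_TLS_PORTS = {465}   # TLS from the first byte

# Constructed sample: the TLS-relevant lines of the main.cf in the question.
QUESTION_CF = """\
# Enable SASL authentication
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
relayhost = smtp.office365.com:587
"""

def parse_main_cf(text):
    """Parse main.cf text into a dict (comments skipped, continuation lines joined)."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:      # indented line continues the previous value
            params[key] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            key = name.strip()
            params[key] = value.strip()
    return params

def check_relay_tls(text):
    """Return finding codes for relayhost port / client TLS mode mismatches."""
    p = parse_main_cf(text)
    m = re.search(r":(\d+)$", p.get("relayhost", ""))
    port = int(m.group(1)) if m else 25   # no port given: Postfix uses 25
    wrapper = p.get("smtp_tls_wrappermode", "no").lower() == "yes"
    level = p.get("smtp_tls_security_level", "").lower()
    sasl = p.get("smtp_sasl_auth_enable", "no").lower() == "yes"
    findings = []
    if wrapper and port in STARTTLS_PORTS:
        # Client sends a TLS ClientHello, server answers with a plaintext banner.
        findings.append("wrappermode-on-starttls-port")
    if not wrapper and port in IMPLICIT_TLS_PORTS:
        findings.append("starttls-on-implicit-tls-port")
    if wrapper and level in ("none", "may"):
        findings.append("wrappermode-needs-encrypt")
    if sasl and not wrapper and level in ("none", "may"):
        # TLS is optional at this level, so AUTH is not guaranteed to be encrypted.
        findings.append("sasl-without-mandatory-tls")
    return findings

if __name__ == "__main__":
    print(check_relay_tls(QUESTION_CF))
```
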
