Postfix / Outlook Authentication problem

RegProctor used Ask the Experts™
I have postfix authenticating just fine with several email clients including Thunderbird, The Bat and so on.

However, even with the latest outlook from Office 2010 (beta) I cannot get Outlook to authenticate with the postfix server. I can see what is happening, I just can't seem to find a workaround with the criteria.

The components are: Cyrus-SASL 2.1.23, Postfix 2.6.1, OpenSuSE 11.2

The main criteria is allowing STARTTLS authentication only. A setup the works just fine in Thunderbird is as follows:

Use name a password=checked
User secure authentication=checked
Connection security=STARTTLS

The problem is that Outlook does not send an FQDN with EHLO and then the server rejects the connection. For example, with debugging on this is what a good client does (the bat this case):

input attribute name: (end)
postfix/smtpd[6070]: > unknown[]: 220 ESMTP Postfix
postfix/smtpd[6070]: < unknown[]: EHLO []
postfix/smtpd[6070]: > unknown[]:
postfix/smtpd[6070]: > unknown[]: 250-PIPELINING
postfix/smtpd[6070]: > unknown[]: 250-SIZE 10240000
postfix/smtpd[6070]: > unknown[]: 250-VRFY
postfix/smtpd[6070]: > unknown[]: 250-ETRN

And this is what Outlook does:

postfix/smtpd[5981]: < unknown[]: EHLO LT1
postfix/smtpd[5981]: > unknown[]:
postfix/smtpd[5981]: > unknown[]: 250-PIPELINING
postfix/smtpd[5981]: > unknown[]: 250-SIZE 10240000
postfix/smtpd[5981]: > unknown[]: 250-VRFY
postfix/smtpd[5981]: > unknown[]: 250-ETRN

LT1 is just the Windows name of my Laptop.

Both programs are from the same computer.

The error generated is:
postfix/smtpd[5981]: warning: SASL authentication failure: realm changed: authentication aborted
postfix/smtpd[5981]: warning: unknown[]: SASL DIGEST-MD5 authentication failed: authentication failure
postfix/smtpd[5981]: > unknown[]: 535 5.7.8 Error: authentication failed: authentication failure

I have no problem excluding some older Outlook clients having read all over how they don't handle the protocols properly, but I would like to get the latest versions working.

Below are my configuration details for postfix. You will notice I have port 25 open. This was only to see if it helped with Outlook, which it didn't, normally I will only have port 587 open.

Help greatly appreciated!

PS: I'm just about to go to sleep so I won't be able to reply to comments for a few hours but I will as soon as I have rested (this thing has kept me up way too long).
From: postconf -n

alias_maps = hash:/etc/aliases, mysql:/etc/postfix/
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 3
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix24/html
inet_protocols = ipv4,ipv6
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain =
myhostname =
mynetworks = 
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
sample_directory = /usr/share/doc/packages/postfix24/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_path = /etc/sasl2/
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtpd_recipient_restrictions = permit_sasl_authenticated,   permit_mynetworks,   permit_auth_destination,   reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/ssl/private/postfix-smtp.bdl
smtpd_tls_cert_file = /etc/ssl/private/postfix-smtp.pem
smtpd_tls_key_file = /etc/ssl/private/postfix-smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/mail/postfix/smtpd_scache
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/
virtual_gid_maps = static:124
virtual_mailbox_base = /var/mail/postfix/virtual_mailboxes
virtual_mailbox_domains = mysql:/etc/postfix/
virtual_mailbox_maps = mysql:/etc/postfix/
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
virtual_uid_maps = static:1002


# ==========================================================================    
# service type  private unpriv  chroot  wakeup  maxproc command + args          
#               (yes)   (yes)   (yes)   (never) (100)                           
# ==========================================================================    
smtp      inet  n       -       n       -       -       smtpd
# -o smtpd_etrn_restrictions=reject                                             
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject                 
  -o content_filter=smtp-amavis:[]:10024

submission inet n      -       n       -       -       smtpd -v
# -o smtpd_etrn_restrictions=reject                                             
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject                 
  -o content_filter=smtp-amavis:[]:10024

#smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wra\
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes                   
#submission   inet    n       -       n       -       -       smtpd             
#  -o smtpd_etrn_restrictions=reject                                            
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes                       

#587       inet n        -       n       -       -       smtpd                  
#        -o content_filter=smtp-amavis:[]:10024                        

#628      inet  n       -       n       -       -       qmqpd                   
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr                   
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops     
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5                        
  -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#  localhost:10025 inet n - n - - smtpd -o content_filter=                      
scache    unix  - - n - 1 scache
# ====================================================================                                                                                                           
# Interfaces to non-Postfix software. Be sure to examine the manual                                                                                                              
# pages of the non-Postfix software to find out what options it wants.                                                                                                           
# Many of the following services use the Postfix pipe(8) delivery                                                                                                                
# agent.  See the pipe(8) man page for information about ${recipient}                                                                                                            
# and other message envelope options.                                                                                                                                            
# ====================================================================                                                                                                           
# maildrop. See the Postfix MAILDROP_README file for details.                                                                                                                    
# Also specify in maildrop_destination_recipient_limit=1                                                                                                                
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus   unix  - n n - - pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp    unix  - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap

# AMA 2                                                                                                                                                                          
smtp-amavis unix -      -       n       -       4       lmtp
    -o smtpd_tls_security_level=none
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20 inet n  -       n       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
#   -o smtpd_client_restrictions=                                                                                                                                                
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
#   -o strict_rfc821_envelopes=yes                                                                                                                                               
    -o smtpd_restriction_classes=
    -o mynetworks=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

From smtp.conf

auxprop_plugin: sql
log_level: 7
mech_list: CRAM-MD5 DIGEST-MD5

pwcheck_method: auxprop

Open in new window

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Add below line to your
broken_sasl_auth_clients = yes
System Architect
1- put the line that oklit abov pointed out (Its meant for MS OutLook)

2- The Error message you got
postfix/smtpd[5981]: warning: unknown[]: SASL DIGEST-MD5 authentication failed: authentication failure

The client is trying to auth using DIGEST-MD5, as far as I know MS OutLook does not support Digest it uses LOGIN, although  i am not sure of this 100% but you can check that

3- If the oklit's line didnt solve your problem try to remove the  reject_unauth_destination from the line
smtpd_recipient_restrictions = permit_sasl_authenticated,   permit_mynetworks,   permit_auth_destination,   reject_unauth_destination


The option "broken_sasl_auth_clients = yes" was one of the first I tried. It doesn't help and is made specifically for older versions, current versions don't have this problem.

You got it small_student, Outlook doesn't support any form of MD5 login that I can see from the logs. Once I added "LOGIN" to the mech_list it worked.

I've tested almost a dozen email clients and all of them that handle security, i.e.: STARTTLS etc. NONE from memory are incapable of MD5 authentication. I just couldn't believe that a company the size of M$ could do so poorly... I should have known... I left being a developer on Windows for Linux just because I wanted to keep what little hair I hadn't already torn out from dealing with their (seemingly) quasi-technology. Oh well, enough said, maybe they'll send a team of lawyers out after me now that I've vented on their (apparent) incompetence.

Thanks heaps! I still have some hair left.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial