On 17/06/2019 at 12:05, Emmanuel Fusté wrote:
On 16/06/2019 at 22:37, Viktor Dukhovni wrote:
On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:
Some of our users use o365 but would like to use our service for outgoing
mails. We are offering smtp sending services. Integrating our service in
o365 is tricky, as one can only specify a smarthost but Microsoft does not
offer any kind of authentication for smarthosts.
Are these individual users or cloud-hosted domains? Who's authorized
to ask Microsoft to route their outbound traffic through your relay?
Can you distinguish one such Office365 sender from another? ...
What's the point (if I may ask) of having their mail sent through
your relay? I assume that Microsoft could quite easily send their
outbound traffic directly to its destination.
Cloud-hosted domains is a "hosting" service. You have control over the
outbound routing.
There are many reasons why you would want your outbound traffic not
delivered directly to its destination.
Some want to provide "value added services". In my case it is because
the o365 users are only a fraction of my users (hybrid cloud mode) and
inbound/outbound internet mail policy/routing/delivery is under the
control of another infrastructure.
Microsoft always presents a client certificate. That is the only
way to authenticate O365. (The experimental certificate matching will
help you.)
For the next part, the complete absence of outbound SMTP AUTH (under
the control of Microsoft or the client organization) is the
difficult/crazy part.
The easy/lame way is to match the "under Microsoft control"
X-MS-Exchange-CrossTenant-id header and the SMTP From domains to
filter/differentiate o365 customers.
The "proper" Microsoft way is to use their proprietary XOORG SMTP
extension used in their hybrid cloud scenario.
=> after having authenticated o365 with the presented client
certificate, if you announce the XOORG extension in the EHLO, o365
will provide you with the remote o365 organization (in the "MS Exchange"
sense) as part of the MAIL FROM verb:
MAIL FROM: <m...@my-company.com> OORG=my-organization.com
I have implemented the client part in postfix to not have to deploy 40
Microsoft Exchange Edge servers in a multi-tenant hybrid cloud
scenario and use only my existing postfix infrastructure between o365
and all my Exchange platforms. It is the easy part. A few simple lines
of code. I don't know what Wietse and Viktor will think about it, so I
did not submit it yet... Will do. Would be great if it could be
integrated in one form or another.
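Both ends of the XOORG exchange described above, as an added example in C that is not code from the patch, from Postfix or from Microsoft: the client appends the parameter only when the peer advertised it in EHLO and the configured value is a well-formed ESMTP parameter value, and the receiving relay extracts it only from a client-certificate-authenticated session. The parameter name XOORG= follows the patch in the next message rather than the OORG= form quoted here; which spelling Exchange expects, and the authentication rule, are assumptions taken from this thread.

```c
/* Added example, not code from the patch or from Postfix; XOORG= and the
 * client-cert-auth rule are assumptions taken from this thread. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* RFC 5321 esmtp-value: printable ASCII 33..126 without '='. Rejecting the
 * rest keeps a space or CRLF in a config value from injecting extra params. */
static int valid_esmtp_value(const char *v)
{
    const char *start = v;
    for (; *v; v++)
        if (*v < 33 || *v > 126 || *v == '=')
            return 0;
    return v > start;               /* empty is not a valid esmtp-value */
}
/* Client side: add XOORG only if the peer advertised it in its EHLO and the
 * configured value is well-formed. Returns bytes written, or -1. */
static int build_mail_from(char *out, size_t outlen, const char *sender,
                           int peer_offers_xoorg, const char *xoorg)
{
    int n;
    if (peer_offers_xoorg && xoorg && *xoorg) {
        if (!valid_esmtp_value(xoorg))
            return -1;
        n = snprintf(out, outlen, "MAIL FROM:<%s> XOORG=%s", sender, xoorg);
    } else
        n = snprintf(out, outlen, "MAIL FROM:<%s>", sender);
    return (n < 0 || (size_t) n >= outlen) ? -1 : n;
}
/* Server side: scan the params after "MAIL FROM:<...>". Returns 1 and fills
 * org for a valid XOORG on a cert-authenticated session, 0 if absent, else -1. */
static int parse_xoorg(const char *args, int cert_authenticated,
                       char *org, size_t orglen)
{
    const char *p = strchr(args, '>');
    if (p == NULL)
        return -1;
    for (p++; *p; p += strcspn(p, " ")) {
        while (*p == ' ') p++;
        if (strncasecmp(p, "XOORG=", 6) == 0) {
            size_t len = strcspn(p += 6, " ");  /* value runs to next SP */
            if (!cert_authenticated || len == 0 || len >= orglen)
                return -1;
            memcpy(org, p, len);
            org[len] = '\0';
            return valid_esmtp_value(org) ? 1 : -1;
        }
    }
    return 0;
}
```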
Replying to myself, attached is the client patch for Postfix.
Configure your Exchange with the proper TlsCapability and X509 authority.
Present the configured client certificate on the postfix smtp side.
Exchange will announce XOORG in the post-TLS-handshake EHLO.
Postfix will pass the configured XOORG to Exchange during the "MAIL FROM:".
Use debug_peer_list to observe the complete smtp transaction.
Emmanuel.
diff -u -r postfix-3.4.5-cert-auto/src/global/ehlo_mask.c
postfix-3.4.5-xoorg/src/global/ehlo_mask.c
--- postfix-3.4.5-cert-auto/src/global/ehlo_mask.c 2018-11-07
01:34:26.000000000 +0100
+++ postfix-3.4.5-xoorg/src/global/ehlo_mask.c 2019-06-05 15:12:38.386204490
+0200
@@ -21,6 +21,7 @@
/* #define EHLO_MASK_SMTPUTF8 (1<<12)
/* #define EHLO_MASK_CHUNKING (1<<13)
/* #define EHLO_MASK_SILENT (1<<15)
+/* #define EHLO_MASK_XOORG (1<<16)
/*
/* int ehlo_mask(keyword_list)
/* const char *keyword_list;
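Review bot: the patch as pasted has been line-wrapped by the mail client (the `diff -u -r` and `---`/`+++` header lines are split over two lines, as is the comment on the SMTP_FEATURE_XOORG define further down), so it will not apply cleanly with patch(1); please attach it as a file or resend with wrapping disabled.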
@@ -86,6 +87,7 @@
"SMTPUTF8", EHLO_MASK_SMTPUTF8,
"CHUNKING", EHLO_MASK_CHUNKING,
"SILENT-DISCARD", EHLO_MASK_SILENT, /* XXX In-band signaling */
+ "XOORG", EHLO_MASK_XOORG,
0,
};
diff -u -r postfix-3.4.5-cert-auto/src/global/ehlo_mask.h
postfix-3.4.5-xoorg/src/global/ehlo_mask.h
--- postfix-3.4.5-cert-auto/src/global/ehlo_mask.h 2018-08-27
23:54:59.000000000 +0200
+++ postfix-3.4.5-xoorg/src/global/ehlo_mask.h 2019-06-05 15:11:10.176862868
+0200
@@ -30,6 +30,7 @@
#define EHLO_MASK_SMTPUTF8 (1<<12)
#define EHLO_MASK_CHUNKING (1<<13)
#define EHLO_MASK_SILENT (1<<15)
+#define EHLO_MASK_XOORG (1<<16)
extern int ehlo_mask(const char *);
extern const char *str_ehlo_mask(int);
diff -u -r postfix-3.4.5-cert-auto/src/global/mail_params.h
postfix-3.4.5-xoorg/src/global/mail_params.h
--- postfix-3.4.5-cert-auto/src/global/mail_params.h 2019-04-09
16:17:03.471238888 +0200
+++ postfix-3.4.5-xoorg/src/global/mail_params.h 2019-06-05
15:05:32.571358595 +0200
@@ -1620,6 +1620,12 @@
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
extern char *var_smtp_tls_insecure_mx_policy;
+#define VAR_SMTP_XOORG "smtp_xoorg"
+#define DEF_SMTP_XOORG ""
+#define VAR_LMTP_XOORG "smtp_xoorg"
+#define DEF_LMTP_XOORG ""
+extern char *var_smtp_xoorg;
+
/*
* SASL authentication support, SMTP server side.
*/
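Review bot: VAR_LMTP_XOORG is defined as "smtp_xoorg", so the LMTP client registers the SMTP parameter name instead of its own; it should be "lmtp_xoorg" to match the VAR_LMTP_* names used in lmtp_params.c. The new smtp_xoorg parameter also arrives without a documentation entry; a short description of the value to configure (the organization name that Exchange expects in the XOORG= argument) should accompany it, as for the other parameters in this header.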
diff -u -r postfix-3.4.5-cert-auto/src/smtp/lmtp_params.c
postfix-3.4.5-xoorg/src/smtp/lmtp_params.c
--- postfix-3.4.5-cert-auto/src/smtp/lmtp_params.c 2018-12-26
20:21:49.000000000 +0100
+++ postfix-3.4.5-xoorg/src/smtp/lmtp_params.c 2019-06-05 14:04:03.926274831
+0200
@@ -64,6 +64,7 @@
VAR_LMTP_DSN_FILTER, DEF_LMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0,
VAR_LMTP_DNS_RE_FILTER, DEF_LMTP_DNS_RE_FILTER,
&var_smtp_dns_re_filter, 0, 0,
VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0,
+ VAR_LMTP_XOORG, DEF_LMTP_XOORG, &var_smtp_xoorg, 0, 0,
0,
};
static const CONFIG_TIME_TABLE lmtp_time_table[] = {
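Review bot: this entry gives lmtp(8) an XOORG parameter as well, yet the extension is offered by Exchange receive connectors over SMTP (per the comment in the smtp_proto.c hunk) and, with VAR_LMTP_XOORG currently expanding to "smtp_xoorg", both clients read the same main.cf name; either drop the LMTP entry or fix the define so the two parameters are distinct.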
diff -u -r postfix-3.4.5-cert-auto/src/smtp/smtp.c
postfix-3.4.5-xoorg/src/smtp/smtp.c
--- postfix-3.4.5-cert-auto/src/smtp/smtp.c 2019-02-10 18:18:26.000000000
+0100
+++ postfix-3.4.5-xoorg/src/smtp/smtp.c 2019-06-05 13:15:40.014693732 +0200
@@ -979,6 +979,7 @@
char *var_smtp_dsn_filter;
char *var_smtp_dns_re_filter;
bool var_smtp_balance_inet_proto;
+char *var_smtp_xoorg;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
diff -u -r postfix-3.4.5-cert-auto/src/smtp/smtp.h
postfix-3.4.5-xoorg/src/smtp/smtp.h
--- postfix-3.4.5-cert-auto/src/smtp/smtp.h 2018-12-26 20:21:49.000000000
+0100
+++ postfix-3.4.5-xoorg/src/smtp/smtp.h 2019-06-05 12:41:08.226548645 +0200
@@ -235,6 +235,7 @@
#define SMTP_FEATURE_XFORWARD_IDENT (1<<20)
#define SMTP_FEATURE_SMTPUTF8 (1<<21) /* RFC 6531 */
#define SMTP_FEATURE_FROM_PROXY (1<<22) /* proxied connection */
+#define SMTP_FEATURE_XOORG (1<<23) /* Microsoft proprietary
extension for O365 */
/*
* Features that passivate under the endpoint.
diff -u -r postfix-3.4.5-cert-auto/src/smtp/smtp_params.c
postfix-3.4.5-xoorg/src/smtp/smtp_params.c
--- postfix-3.4.5-cert-auto/src/smtp/smtp_params.c 2018-12-26
20:21:49.000000000 +0100
+++ postfix-3.4.5-xoorg/src/smtp/smtp_params.c 2019-06-05 13:27:15.254110289
+0200
@@ -65,6 +65,7 @@
VAR_SMTP_DSN_FILTER, DEF_SMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0,
VAR_SMTP_DNS_RE_FILTER, DEF_SMTP_DNS_RE_FILTER,
&var_smtp_dns_re_filter, 0, 0,
VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0,
+ VAR_SMTP_XOORG, DEF_SMTP_XOORG, &var_smtp_xoorg, 0, 0,
0,
};
static const CONFIG_TIME_TABLE smtp_time_table[] = {
diff -u -r postfix-3.4.5-cert-auto/src/smtp/smtp_proto.c
postfix-3.4.5-xoorg/src/smtp/smtp_proto.c
--- postfix-3.4.5-cert-auto/src/smtp/smtp_proto.c 2019-02-19
19:51:39.000000000 +0100
+++ postfix-3.4.5-xoorg/src/smtp/smtp_proto.c 2019-06-05 15:07:29.109339019
+0200
@@ -603,7 +603,9 @@
} else if (strcasecmp(word, "SMTPUTF8") == 0) {
if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0)
session->features |= SMTP_FEATURE_SMTPUTF8;
- }
+ } else if (strcasecmp(word, "XOORG") == 0)
+ if ((discard_mask & EHLO_MASK_XOORG) == 0)
+ session->features |= SMTP_FEATURE_XOORG;
n++;
}
}
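Review bot: the new `else if (strcasecmp(word, "XOORG") == 0)` branch drops the braces that every other branch of this chain uses, and because its body is itself an unbraced `if`, any `else` added after it later would bind to the inner `if` (the dangling-else trap). Keep the `}` that closes the SMTPUTF8 branch and write the new branch as `} else if (strcasecmp(word, "XOORG") == 0) {` ... `}` like its siblings.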
@@ -1660,6 +1662,15 @@
#endif
/*
+ * Implement the XOORG extension as expected by a Microsoft
Exchange
+ * Receive Connector configured to provide the TlsCapability
+ */
+ if (session->features & SMTP_FEATURE_XOORG
+ && *var_smtp_xoorg )
+ vstring_sprintf_append(next_command, " XOORG=%s",
+ var_smtp_xoorg);
+
+ /*
* CVE-2009-3555 (TLS renegotiation). Try to detect a mail
* hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
* commands to our TLS session.
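Review bot: var_smtp_xoorg is appended to the MAIL command verbatim; main.cf values are free-form, so a value containing a space, '=' or a control character would inject an extra ESMTP parameter or corrupt the command, and the value should be checked against the esmtp-value syntax of RFC 5321 (printable ASCII, no SP, no '=') when the parameter is read, with a fatal error or at least a warning otherwise. Two smaller points: the parameter is emitted here as `XOORG=` while the earlier message shows `MAIL FROM: <...> OORG=my-organization.com`, so please confirm which spelling Exchange parses and make the two consistent; and the stray space in `*var_smtp_xoorg )` does not match the surrounding style.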