Outgoing mail. Is this hard for everyone or just me?

I have been working on getting outgoing mail to run all week and I’m not having much luck. There are so many options and methods discussed in documentation, I’m having a hard time working out how to do it. I have a lot of problems. :smile:

In our environment, we’re running an RT instance in AWS govcloud on Ubuntu 22.04. Our mail is served by o365 in their respective govcloud environment. My first attempt, where postfix is configured simply to send out mail, seems to have hit o365 spam control and is timing out - I assume because it’s trying to hit a consumer endpoint, and it needs to hit a govcloud endpoint. It also seems to be trying to route all internal system user mail out to the internet.

Dec 6 22:00:31 rt postfix/smtp[1421]: connect to mydomain-com.mail.protection.outlook.com[104.47.65.110]:25: Connection timed out

Dec 6 22:01:01 rt postfix/smtp[1421]: 560323F3CA: to=<ubuntu@mydomain.com>, orig_to=<ubuntu>, relay=none, delay=60, delays=0.03/0/60/0, dsn=4.4.1, status=deferred (connect to mydomain-com.mail.protection.outlook.com[104.47.64.110]:25: Connection timed out)

To be honest, I’m a little mystified by this, because I can’t netcat to that address/IP/port from my local machine either.

Moving on, I have been trying to set up authenticated SMTP - I hit a snag on a more typical setup because we’ve got MFA and disallowed app passwords, so I’m attempting to use an MS registered application (which is successfully in use for incoming mail with wsgetmail) using sasl-xoauth2, and for the life of me, I can’t get it to work. Currently, it’s installed and I have been following the config guide but when I get to the part about testing the token file, it fails on token refresh.

2023-12-08 00:56:45: TokenStore::Refresh: code=400, response={"error":"invalid_grant","error_description":"AADSTS70000: Provided grant is invalid or malformed. Trace ID: 4806ffcd-ef49-45ae-a46f-73c1865ba300 Correlation ID: b4656199-95dc-45a5-9e42-c7772ea8a646 Timestamp: 2023-12-08 00:56:45Z","error_codes":[70000],"timestamp":"2023-12-08 00:56:45Z","trace_id":"4806ffcd-ef49-45ae-a46f-73c1865ba300","correlation_id":"b4656199-95dc-45a5-9e42-c7772ea8a646","error_uri":"https://login.microsoftonline.com/error?code=70000"}

I’ve tried a few different variants for the token endpoint, and given the failure messages I was getting before, the one I have now (using my client ID in place of ‘consumers’) seems to be right, but honestly I have no idea.

I’m running out of ideas on where to go from here. Is outgoing mail generally this tough for everyone, or am I overthinking this?
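A small triage script for delivery records like the ones quoted in the post above, as an added example that is not part of the original thread. It parses Postfix smtp delivery lines, groups deferrals by cause, and lists unqualified local recipients (`orig_to` without a domain) whose mail is being handed to the outbound SMTP client. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: the first two lines are the log lines quoted in the post;
# the third is a constructed successful delivery, added for contrast.
SAMPLE_LOG = """\
Dec 6 22:00:31 rt postfix/smtp[1421]: connect to mydomain-com.mail.protection.outlook.com[104.47.65.110]:25: Connection timed out
Dec 6 22:01:01 rt postfix/smtp[1421]: 560323F3CA: to=<ubuntu@mydomain.com>, orig_to=<ubuntu>, relay=none, delay=60, delays=0.03/0/60/0, dsn=4.4.1, status=deferred (connect to mydomain-com.mail.protection.outlook.com[104.47.64.110]:25: Connection timed out)
Dec 6 22:05:12 rt postfix/smtp[1502]: 7A1B2C3D4E: to=<user@example.org>, relay=smtp.example.org[192.0.2.10]:587, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Per-recipient delivery record: "QUEUEID: k=v, ..., status=X (reason)".
# Assumes short (hexadecimal) queue IDs, as in the quoted log.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"(?P<fields>.*status=\w+) \((?P<reason>.*)\)$")

def parse_deliveries(log_text):
    """Return one dict per delivery record; connection-level lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue
        rec = dict(kv.split("=", 1) for kv in m["fields"].split(", "))
        rec["qid"], rec["reason"] = m["qid"], m["reason"]
        for key in ("to", "orig_to"):
            if key in rec:
                rec[key] = rec[key].strip("<>")
        # orig_to without "@" means mail addressed to a local account was
        # rewritten to a full address and handed to the outbound SMTP client.
        rec["local_origin"] = "@" not in rec.get("orig_to", "@")
        records.append(rec)
    return records

def triage(records):
    """Summarise deferrals by cause and list local accounts leaking outward."""
    causes, local = Counter(), set()
    for rec in records:
        if rec["local_origin"]:
            local.add(rec["orig_to"])
        if rec["status"] != "deferred":
            continue
        if "Connection timed out" in rec["reason"]:
            causes["connect-timeout"] += 1   # no TCP session: check egress rules
        elif "Connection refused" in rec["reason"]:
            causes["connect-refused"] += 1
        else:
            causes["other"] += 1
    return {"deferred_by_cause": dict(causes), "local_origin": sorted(local)}

if __name__ == "__main__":
    print(triage(parse_deliveries(SAMPLE_LOG)))
```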

The only real issue I’ve had with email is misconfigured spam detection on our corporate email server that needed to have our RT server added to the allow list.

Your first example is trying to connect to port 25, maybe you need to use 465 for SMTP over TLS? Actually, I can connect to that IP on port 25. Perhaps you have an egress firewall in place?

But then, I’ve never had to deal with O365 (and hope I never have to!). Not allowing app passwords for connecting to a mail server seems like creating a world of pain for people. I think you need to talk to Microsoft about how to authenticate to their system.

This sounds like more of a “setting up mail handling” rather than an RT issue. It’s probably best to get the mail system working with manually sent/received emails before moving on to getting RT to send/receive ticket correspondence via email.

You say you need to connect to a “govcloud” mail system. I assume that service has systems administrators you could contact and talk to for support in getting your AWS instance to communicate with their mail system. That would be my next port of call at least.

Hi @RWM
To answer your subject: It is hard for everyone to use o365 :wink:
Fortunately I never had to.

I agree with @GreenJimll, first try to set up a working postfix. It has to use o365 as relay for outgoing mail and maybe you want to switch to smtp for incoming mail. Work on both things separately!

So the google-words are “postfix relay office 365” and it will give you hints like this: Postfix SMTP relay to Office 365 - Single and Multiple SMTP Servers

But maybe meanwhile this information is too old.

Regards.

Thanks all. The solution, not surprisingly, was to dump o365 and find another provider (AWS SES for me). Made everything go a lot smoother.

As a beginner, my biggest issue so far is the interconnected applications, and how an error thrown from RT might pertain to an issue with nginx or postfix. It’s hard to find pre-existing help topics because there are so many different ways to configure this beast. Anyway, I’m all set on this now. Thanks.
