I have been working on getting outgoing mail to run all week and I’m not having much luck. There are so many options and methods discussed in the documentation that I’m having a hard time working out how to do it. I have a lot of problems.
In our environment, we’re running an RT instance in AWS govcloud on Ubuntu 22.04. Our mail is served by o365 in their respective govcloud environment. My first attempt, where postfix is configured simply to send out mail, seems to have hit o365 spam control and is timing out - I assume because it’s trying to hit a consumer endpoint, and it needs to hit a govcloud endpoint. It also seems to be trying to route all internal system user mail out to the internet.
Dec 6 22:00:31 rt postfix/smtp[1421]: connect to mydomain-com.mail.protection.outlook.com[104.47.65.110]:25: Connection timed out
Dec 6 22:01:01 rt postfix/smtp[1421]: 560323F3CA: to=<ubuntu@mydomain.com>, orig_to=<ubuntu>, relay=none, delay=60, delays=0.03/0/60/0, dsn=4.4.1, status=deferred (connect to mydomain-com.mail.protection.outlook.com[104.47.64.110]:25: Connection timed out)
To be honest, I’m a little mystified by this, because I can’t netcat to that address/IP/port from my local machine either.
Moving on, I have been trying to set up authenticated SMTP. I hit a snag on a more typical setup because we’ve got MFA and disallowed app passwords, so I’m attempting to use an MS-registered application (which is successfully in use for incoming mail with wsgetmail) using sasl-xoauth2, and for the life of me, I can’t get it to work. Currently, it’s installed and I have been following the config guide, but when I get to the part about testing the token file, it fails on token refresh.
2023-12-08 00:56:45: TokenStore::Refresh: code=400, response={"error":"invalid_grant","error_description":"AADSTS70000: Provided grant is invalid or malformed. Trace ID: 4806ffcd-ef49-45ae-a46f-73c1865ba300 Correlation ID: b4656199-95dc-45a5-9e42-c7772ea8a646 Timestamp: 2023-12-08 00:56:45Z","error_codes":[70000],"timestamp":"2023-12-08 00:56:45Z","trace_id":"4806ffcd-ef49-45ae-a46f-73c1865ba300","correlation_id":"b4656199-95dc-45a5-9e42-c7772ea8a646","error_uri":"https://login.microsoftonline.com/error?code=70000"}
I’ve tried a few different variants for the token endpoint, and given the failure messages I was getting before, the one I have now (using my client ID in place of ‘consumers’) seems to be right, but honestly I have no idea.
I’m running out of ideas on where to go from here. Is outgoing mail generally this tough for everyone, or am I overthinking this?
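Added example (not code from the original post, nor from the Postfix or sasl-xoauth2 projects): a small triage script that separates the two failure modes quoted above. It parses Postfix smtp delivery records like the deferred line in the post (pulling out queue id, relay, DSN, status, and whether the message was a locally originated system address rewritten to an external domain), parses the sasl-xoauth2 `TokenStore::Refresh` error into its HTTP code, OAuth error and AADSTS code, and checks the shape of an Azure AD v2.0 token endpoint URL (`https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`, where `{tenant}` is a directory (tenant) ID or verified domain; `consumers` addresses personal Microsoft accounts). The sample log lines are taken from the post; the tenant and client GUIDs are constructed placeholders.

```python
"""Triage helpers for a Postfix + sasl-xoauth2 relay that is not sending mail.

Added example, not code from the original post or from the Postfix / sasl-xoauth2
projects. It parses the two kinds of evidence quoted in the post and checks the
shape of an Azure AD v2.0 token endpoint URL.
"""
import json
import re
from urllib.parse import urlparse

# Constructed samples: the two log lines quoted in the post (trace IDs shortened).
SAMPLE_CONNECT_LINE = (
    "Dec 6 22:00:31 rt postfix/smtp[1421]: connect to "
    "mydomain-com.mail.protection.outlook.com[104.47.65.110]:25: Connection timed out"
)
SAMPLE_DEFERRED_LINE = (
    "Dec 6 22:01:01 rt postfix/smtp[1421]: 560323F3CA: to=<ubuntu@mydomain.com>, "
    "orig_to=<ubuntu>, relay=none, delay=60, delays=0.03/0/60/0, dsn=4.4.1, "
    "status=deferred (connect to mydomain-com.mail.protection.outlook.com"
    "[104.47.64.110]:25: Connection timed out)"
)
SAMPLE_REFRESH_LINE = (
    '2023-12-08 00:56:45: TokenStore::Refresh: code=400, response={"error":"invalid_grant",'
    '"error_description":"AADSTS70000: Provided grant is invalid or malformed.",'
    '"error_codes":[70000],"timestamp":"2023-12-08 00:56:45Z",'
    '"error_uri":"https://login.microsoftonline.com/error?code=70000"}'
)
# Constructed placeholder GUIDs (not real tenant or application IDs).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Postfix smtp delivery record: "<queue id>: to=<...>, [orig_to=<...>,] relay=..., ... dsn=..., status=... (...)"
POSTFIX_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<(?P<to>[^>]*)>"
    r"(?:, orig_to=<(?P<orig_to>[^>]*)>)?, relay=(?P<relay>\S+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# sasl-xoauth2 refresh failure: "TokenStore::Refresh: code=<http>, response={json}"
REFRESH_RE = re.compile(r"TokenStore::Refresh: code=(?P<code>\d+), response=(?P<body>\{.*\})$")


def parse_postfix_line(line):
    """Return a dict for a Postfix smtp delivery record, or None for other smtp lines."""
    m = POSTFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # orig_to without a domain means a local system address was rewritten to an
    # external domain and handed to the relay: the "system mail leaking out" symptom.
    rec["local_origin"] = bool(rec["orig_to"]) and "@" not in rec["orig_to"]
    rec["timed_out"] = "timed out" in rec["reason"].lower()
    return rec


def parse_refresh_error(line):
    """Extract HTTP code, OAuth error and first AADSTS code from a sasl-xoauth2 refresh failure."""
    m = REFRESH_RE.search(line)
    if not m:
        return None
    body = json.loads(m.group("body"))
    codes = body.get("error_codes") or []
    return {
        "http_code": int(m.group("code")),
        "error": body.get("error"),
        "aadsts": codes[0] if codes else None,
        # invalid_grant means the identity provider rejected the grant itself;
        # the request reached the endpoint, so this is not a network problem.
        "grant_rejected": body.get("error") == "invalid_grant",
    }


def check_token_endpoint(url, client_id=None):
    """Check an Azure AD v2.0 token endpoint URL of the form /{tenant}/oauth2/v2.0/token.

    Returns a list of findings; an empty list means the shape looks right.
    """
    findings = []
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https":
        findings.append("endpoint must be https")
    if len(parts) != 4 or parts[1:] != ["oauth2", "v2.0", "token"]:
        findings.append("path should be /{tenant}/oauth2/v2.0/token")
        return findings
    tenant = parts[0]
    if tenant == "consumers":
        findings.append("'consumers' is for personal accounts, not a work/school tenant")
    if client_id and tenant.lower() == client_id.lower():
        findings.append("tenant segment is the application (client) ID; use the directory (tenant) ID")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_CONNECT_LINE, SAMPLE_DEFERRED_LINE):
        print(parse_postfix_line(line))
    print(parse_refresh_error(SAMPLE_REFRESH_LINE))
    print(check_token_endpoint(f"https://login.microsoftonline.com/{CLIENT_ID}/oauth2/v2.0/token", CLIENT_ID))
```

Run over a real `/var/log/mail.log`, `parse_postfix_line` separates records with `relay=none` and a timeout (the relay host never answered) from records where a relay was reached and the server returned a code, and `local_origin` flags root/cron mail that should normally stay local or go to an alias rather than out through the relay.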