Hi All,
I wanted to post this for everyone else that encounters the same issue in the future.
Problem:
Trying to use SMTP relay on ClearPass with smtp.office365.com (Outlook Office 365).
Solution:
From what I've discovered, you must use the following configuration for SMTP to work with Office 365:
Servername: smtp.office365.com
Username: user@domain.com - This username must be licensed and exist in Office 365
Password: <userspassword>
Default From address: from@domain.com - The user must have send privileges over this account in Office 365
Connection Security: StartTLS
Port: 587
Connection Timeout: 30
The next part is what had me stuck!
When changing the security to SSL or StartTLS you will notice the warning message that appears at the top of the screen "SMTP Server certificate must be imported to Trust List as SSL setting is enabled" which sounds easy enough... how do I get the certificates though?
Fire up openssl and run the following command:
openssl.exe s_client -showcerts -starttls smtp -crlf -connect smtp.office365.com:587
The output should look similar to the following:
Loading 'screen' into random state - done
CONNECTED(000001DC)
depth=1 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=outlook.com
i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA1
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA1
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=outlook.com
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA1
---
No client certificate CA names sent
---
SSL handshake has read 3405 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: B01000009CF51C5EBCBC14B2C63F2481FCF9C6721263150BFCF1F93BBDABFE03
Session-ID-ctx:
Master-Key: 95B12889CE2E10F16F330544F5BF9AFD61AAA6350BD9D6A196141125CD9E40A3F32DA038CA23EFEEC9A236FC0708CEDD
Key-Arg : None
Start Time: 1441587607
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING
451 4.7.0 Timeout waiting for client input
read:errno=0
Copy the two certificates in the output to test files with .cer extensions (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE sections).
Now upload these certificates to the ClearPass Trust Store at CPPM > Administration > Certificates > Trust List. After this you should have a working SMTP Relay connection to Office 365 which is secure!
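The copy-and-paste step above, scripted as an added example that is not part of the original post: it splits each PEM block out of saved `s_client -showcerts` output into its own .cer file and prints the subject, issuer, expiry and SHA-256 fingerprint of each. Because the run above ended with verify return code 20, the chain was not validated locally, so compare those values with the issuing CA's published ones before importing. The function names, the `chain-N.cer` file names and the `out.txt`/`certs` paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are
# hypothetical. Typical use, after saving the s_client output to a file:
#   openssl s_client -showcerts -starttls smtp -crlf \
#       -connect smtp.office365.com:587 </dev/null > out.txt
#   split_chain out.txt certs && describe_chain certs

# split_chain OUTPUT_FILE DEST_DIR
# Writes DEST_DIR/chain-0.cer, chain-1.cer, ... in the order the server sent
# them (0 is the server certificate) and prints how many were found.
split_chain() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    awk -v dest="$dest" '
        { sub(/\r$/, "") }                       # tolerate CRLF output from Windows
        /^-----BEGIN CERTIFICATE-----/ {
            out = sprintf("%s/chain-%d.cer", dest, n++)
            inside = 1
        }
        inside { print > out }                   # copy only lines inside a PEM block
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$src"
}

# describe_chain DEST_DIR
# Prints the fields to check against an independent source before any of
# these files goes into a trust list.
describe_chain() {
    for f in "$1"/chain-*.cer; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate \
            -fingerprint -sha256 || return 1
    done
}
```
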