
292836 Re: GSSAPI SMTPD Authentication and MS Active Directory

  • Matthew Larsen
    Apr 25, 2013
      On Wed, Apr 24, 2013 at 5:57 PM, Quanah Gibson-Mount <quanah@...> wrote:

      If you replaced Exchange 2003 with Zimbra, and set up external auth to your AD server, then it would use the custom zimbra authentication method for cyrus-sasl to auth your clients against AD.  I don't know what you intend on replacing Exchange with though, so that may be a bit more than you want. But it is a solution.

      Zimbra would be more than I want in this case.  All I need is a secure authenticated SMTP server, and it would be nice to have a GUI to monitor the message queues.  My thought has been that Postfix with webmin would be a good fit if I can get the authentication to work with Active Directory. 

      If you want to use SASL/GSSAPI, the clients have to be able to get a TGT from the KDC.

      The reason I've been looking at configuring the SASL/GSSAPI mechanism is that's what I see the current Exchange server doing.  I'm hoping to build something I can drop in place without needing to touch client systems for reconfiguration. 

      I'm just puzzled as to how this works because the clients aren't members of our AD domain, and I strongly doubt they have data for, or access to, the DNS servers in the domain or a KDC.  All they are given is an SMTP server, username (DOMAIN\Username), and password. 

      It's also my understanding that the GSSAPI mechanism is more secure on the wire than a plain text authentication method without TLS.  Is that accurate? 

      I'm not sure that my understanding of the security of the GSSAPI method is accurate, or that the infrastructure is there in this case to support doing this with Postfix.

      Here's a screenshot of an SMTP authentication exchange taken from a Wireshark trace on the Exchange server.

      Any pointers or further information on how this works would be appreciated.

      Alternatively, you could just do straight LDAP authentication against AD, instead of Kerberos-AD, something like:


       I'll check out the LDAP authentication setup.  Hopefully as I gain a better understanding of other possible pieces of this configuration the whole thing will start to gel together for me. 
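As an added example, not part of this thread or of Postfix, the following Python script looks at the same thing the Wireshark trace mentioned above would show and answers the on-the-wire question: it walks an SMTP session written down as client/server lines, records which SASL mechanisms the server advertised and whether STARTTLS was offered, and flags any AUTH attempt that used PLAIN or LOGIN before TLS was negotiated, since those mechanisms send the password itself (base64 is an encoding, not protection). GSSAPI and NTLM send tickets or challenge responses rather than the password, so they are not flagged. The transcripts, the host name mail.example.test, the DOMAIN\Username form and the base64 placeholders are all constructed for the example.

```python
"""Audit a captured SMTP AUTH exchange for on-the-wire credential exposure.

Added example (not from the mailing-list thread): given the text of an SMTP
session as it appears in a packet capture, report which SASL mechanisms the
server advertised and whether any AUTH attempt used a mechanism that sends
the password itself (PLAIN, LOGIN) before STARTTLS had been negotiated.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Mechanisms whose client responses carry the password. Outside TLS these
# expose the credential to anyone who can see the traffic.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Mechanisms that present a ticket or answer a challenge instead of sending
# the password. GSSAPI (Kerberos) and NTLM are what an Exchange/Outlook
# exchange typically shows; they do not reveal the password even without TLS.
CHALLENGE_MECHS = {"GSSAPI", "NTLM", "CRAM-MD5", "DIGEST-MD5",
                   "SCRAM-SHA-1", "SCRAM-SHA-256"}


@dataclass
class AuthFinding:
    mechanism: str
    under_tls: bool
    exposes_password: bool  # plaintext mechanism used before TLS was active


@dataclass
class SessionReport:
    advertised: List[str] = field(default_factory=list)
    starttls_offered: bool = False
    auth_attempts: List[AuthFinding] = field(default_factory=list)


def audit_smtp_session(transcript: str) -> SessionReport:
    """Walk a transcript written as 'C: ...' (client) / 'S: ...' (server)
    lines, the way one would copy them from Wireshark's Follow TCP Stream."""
    report = SessionReport()
    tls_active = False
    starttls_pending = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        side, _, text = line.partition(": ")
        if side == "S":
            # EHLO extension lines: '250-AUTH GSSAPI NTLM' or legacy '250-AUTH=LOGIN'
            m = re.match(r"250[- ]AUTH[= ](.+)", text, re.IGNORECASE)
            if m:
                report.advertised = m.group(1).upper().split()
            elif re.match(r"250[- ]STARTTLS\b", text, re.IGNORECASE):
                report.starttls_offered = True
            elif starttls_pending and text.startswith("220"):
                # Server accepted STARTTLS; the rest of the stream is encrypted.
                tls_active = True
                starttls_pending = False
        elif side == "C":
            if text.upper() == "STARTTLS":
                starttls_pending = True
            else:
                m = re.match(r"AUTH\s+(\S+)", text, re.IGNORECASE)
                if m:
                    mech = m.group(1).upper()
                    report.auth_attempts.append(AuthFinding(
                        mechanism=mech,
                        under_tls=tls_active,
                        exposes_password=mech in PLAINTEXT_MECHS and not tls_active,
                    ))
    return report


def exposed_mechanisms(report: SessionReport) -> List[str]:
    """Mechanisms in this session that sent a password without TLS."""
    return [a.mechanism for a in report.auth_attempts if a.exposes_password]


# Constructed transcripts (not real captures). Base64 blobs are placeholders.
CLEAR_LOGIN = """
S: 220 mail.example.test ESMTP
C: EHLO laptop
S: 250-mail.example.test
S: 250-STARTTLS
S: 250-AUTH GSSAPI NTLM LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: <base64 DOMAIN\\Username>
S: 334 UGFzc3dvcmQ6
C: <base64 password>
S: 235 2.7.0 Authentication successful
"""

TLS_THEN_PLAIN = """
S: 220 mail.example.test ESMTP
C: EHLO laptop
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH GSSAPI NTLM LOGIN PLAIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO laptop
S: 250-mail.example.test
S: 250 AUTH GSSAPI NTLM LOGIN PLAIN
C: AUTH PLAIN <base64 authzid/authcid/password>
S: 235 2.7.0 Authentication successful
"""

GSSAPI_NO_TLS = """
S: 220 mail.example.test ESMTP
C: EHLO workstation
S: 250-mail.example.test
S: 250 AUTH GSSAPI NTLM
C: AUTH GSSAPI <base64 Kerberos AP-REQ token>
S: 334 <base64 server token>
C: <base64 client security-layer response>
S: 235 2.7.0 Authentication successful
"""

if __name__ == "__main__":
    for name, session in [("clear LOGIN", CLEAR_LOGIN),
                          ("STARTTLS then PLAIN", TLS_THEN_PLAIN),
                          ("GSSAPI without TLS", GSSAPI_NO_TLS)]:
        rep = audit_smtp_session(session)
        print(f"{name}: advertised={rep.advertised} "
              f"starttls={rep.starttls_offered} exposed={exposed_mechanisms(rep)}")
```

The script only judges credential exposure. A GSSAPI exchange without TLS keeps the password off the wire, but the message bodies that follow are still cleartext unless a SASL security layer is negotiated, so on a Postfix replacement the usual mitigation is still to require TLS before AUTH (smtpd_tls_auth_only) regardless of which mechanisms are offered.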

