292837 Re: GSSAPI SMTPD Authentication and MS Active Directory

  • Quanah Gibson-Mount
    Apr 25, 2013
      --On Thursday, April 25, 2013 12:27 PM -0700 Matthew Larsen
      <utegrad@...> wrote:

      >> If you want to use SASL/GSSAPI, the clients have to be able to get a TGT
      >> from the KDC.

      > The reason I've been looking at configuring the SASL/GSSAPI mechanism is
      > that's what I see the current Exchange server doing.  I'm hoping to
      > build something I can drop in place without needing to touch client
      > systems for reconfiguration. 

      But Exchange knows about your domain, correct? And how to authenticate
      users to AD?

      > I'm just puzzled as to how this works because the clients aren't
      > members of our AD domain, and I strongly doubt they have data for, or
      > access to, the DNS servers in the domain or a KDC.  All they are given
      > is an SMTP server, username (DOMAIN\Username), and password. 

      Because Exchange is cheating and doing the Kerberos auth for them to AD?
      I.e., it isn't the clients themselves doing SASL/GSSAPI, correct? It is
      Exchange?

      > It's also my understanding that the GSSAPI mechanism is more secure on
      > the wire than a plain text authentication method without TLS.  Is that
      > accurate? 

      Any form of encryption is more secure than plain text... so yes, that is a
      correct statement.

      --Quanah

      --

      Quanah Gibson-Mount
      Sr. Member of Technical Staff
      Zimbra, Inc
      A Division of VMware, Inc.
      --------------------
      Zimbra :: the leader in open source messaging and collaboration
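
An added example, not part of the original message: a small audit helper that parses an SMTP server's EHLO reply and reports whether GSSAPI is advertised and whether password-carrying mechanisms (PLAIN, LOGIN) are offered before STARTTLS, which is the "plain text without TLS" case asked about above. The host name and EHLO replies are constructed sample data; the function names are hypothetical.

```python
import re

# Mechanisms that put the password itself (base64 only) on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO replies (not captured from any real server).
WEAK_PRE = """250-mail.example.test
250-STARTTLS
250-AUTH GSSAPI LOGIN PLAIN
250-AUTH=GSSAPI LOGIN PLAIN
250 8BITMIME"""
TLS_ONLY_PRE = """250-mail.example.test
250-STARTTLS
250-AUTH GSSAPI
250 8BITMIME"""
TLS_ONLY_POST = """250-mail.example.test
250-AUTH GSSAPI LOGIN PLAIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line is the greeting, not a capability
        m = re.match(r"250[ -](\S.*)$", line)
        if not m:
            continue
        # Legacy form "AUTH=LOGIN PLAIN" is normalised to "AUTH LOGIN PLAIN".
        text = re.sub(r"^AUTH=", "AUTH ", m.group(1), flags=re.I)
        keyword, *params = text.split()
        caps.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return caps

def audit(pre_tls, post_tls=""):
    """Compare mechanisms advertised before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    pre_auth = set(pre.get("AUTH", []))
    post_auth = set(post.get("AUTH", []))
    return {
        "starttls_offered": "STARTTLS" in pre,
        "gssapi_offered": "GSSAPI" in (pre_auth | post_auth),
        "plaintext_before_tls": sorted(pre_auth & PLAINTEXT_MECHS),
        "plaintext_after_tls": sorted(post_auth & PLAINTEXT_MECHS),
    }

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_PRE))
    print("tls-only:", audit(TLS_ONLY_PRE, TLS_ONLY_POST))
```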