
292838 Re: GSSAPI SMTPD Authentication and MS Active Directory

  • Matthew Larsen
    Apr 25, 2013
      On 4/25/2013 12:41 PM, Quanah Gibson-Mount wrote:
      > --On Thursday, April 25, 2013 12:27 PM -0700 Matthew Larsen
      > <utegrad@...> wrote:
      >
      >>> If you want to use SASL/GSSAPI, the clients have to be able to get a TGT
      >>> from the KDC.
      >
      >> The reason I've been looking at configuring the SASL/GSSAPI mechanism is
      >> that's what I see the current Exchange server doing. I'm hoping to
      >> build something I can drop in place without needing to touch client
      >> systems for reconfiguration.
      >
      > But Exchange knows about your domain, correct? And how to authenticate
      > users to AD?

      Yes.

      >
      >> I'm just puzzled as to how this works because the clients aren't
      >> members of our AD domain, and I strongly doubt they have data for, or
      >> access to, the DNS servers in the domain or a KDC. All they are given
      >> is an SMTP server, username (DOMAIN\Username), and password.
      >
      > Because Exchange is cheating and doing the Kerberos auth for them to AD?
      > I.e., it isn't the clients themselves doing SASL/GSSAPI, correct? It is
      > Exchange?
      >

      I guess that's what I'm asking, and it would make sense. Exchange would
      be both the client and service in the Kerberos exchange if that's the
      case. Can Postfix / SASL be made to do the same?