Re: GSSAPI SMTPD Authentication and MS Active Directory

Viktor Dukhovni
Apr 25, 2013

      On Thu, Apr 25, 2013 at 02:39:28PM -0700, Matthew Larsen wrote:

      > The gist of it is
      >
      > S: 220 mail.exch01.com ...
      > C: EHLO NETBIOSName
      > S: 250-mail.exch01.com Hello [ip.addr.of.client] | 250- ... several
      > items including AUTH GSSAPI NTLM LOGIN among others ....
      > C: AUTH gssapi ...long string...
      > S: 334 ...long string...
      > C: ...long string...
      > S: 235 2.7.0 Authentication successful.

      So GSSAPI it is and the clients already have GSS credentials.

      > >If the above is just a bunch of greek to you, you want to look for
      > >alternatives to GSSAPI.
      >
      > It's not entirely greek, but I'm trying to learn more greek.
      > However, I don't believe that I need the Postfix client to do any
      > authentication other than anonymous. It would be relaying messages
      > from authenticated clients to Internet recipients via MX records.
      > I'm only trying to configure the smtpd portion of Postfix for secure
      > authentication.
      >
      > >If you replace the Exchange servers with Postfix, you can support
      > >any of the following authorization methods:
      > >
      > > - Allow any client to send anywhere (internal open relay).
      > > - Whitelist the particular sending IPs.
      > > - Allow the clients to send via authorized TLS client certs.
      > > - Allow the clients to send via any mutually supported SASL
      > > mechanism, including PLAIN and/or GSSAPI.
      > >
      > >For server-side GSSAPI support the server will need a keytab file
      > >containing shared keys with the appropriate realm's KDCs.
      >
      > The fourth option listed is what I'm trying to accomplish with
      > GSSAPI, but have been finding challenging to get working. I'll go
      > back over my configuration a time or two and try and find something
      > specific that will point to where it's not working.

      You'll need to use the Microsoft command-line tools to create
      "SPN"s (service principals) for smtp/<hostname> for each new host
      on which you plan to install Postfix. Then another tool to extract
      a keytab file for each SPN. The keytab file will need to be installed
      mode 0600 owned by "postfix".

      The Postfix SMTP server will need:

      import_environment = ... KRB5_KTNAME=FILE:/path/of/keytab/file

      where "..." includes all the default values of import_environment. It
      is also possible to delegate all the work of doing GSSAPI auth to dovecot,
      in which case the dovecot keytab will need to contain keys for both
      imap and smtp (or perhaps just smtp if dovecot is not used for imap),
      or choose gssapi as the mechanism in smtpd.conf for Cyrus SASL.

      The clients will need to be reconfigured to connect to a new set of
      server hosts.

      --
      Viktor.
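The keytab and main.cf steps Viktor describes above, as an added example that is not part of the thread or of Postfix itself. It is a small POSIX shell helper that (1) checks the keytab is mode 0600 and owned by the expected user before Postfix is pointed at it, (2) confirms with MIT Kerberos `klist -kt` that the keytab actually holds an smtp/<hostname> SPN, and (3) prints the main.cf lines for GSSAPI SMTP AUTH with relaying limited to authenticated clients. The keytab path /etc/postfix/smtp.keytab, the hostname and the Cyrus SASL choice are assumptions; creating the SPN on the Active Directory side with Microsoft's tools is outside what the script does.

```shell
#!/bin/sh
# Added example: sanity-check a Postfix GSSAPI keytab and emit main.cf settings.
# Assumed paths/names: /etc/postfix/smtp.keytab, owner "postfix", Cyrus SASL.

# check_keytab FILE OWNER
# Returns 0 only if FILE exists, is mode 0600 and is owned by OWNER
# (the thread's requirement: 0600, owned by "postfix").
check_keytab() {
    kt=$1
    owner=$2
    [ -f "$kt" ] || { echo "keytab $kt: missing" >&2; return 1; }
    # GNU stat (-c) first, BSD/macOS stat (-f) as fallback
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    own=$(stat -c '%U' "$kt" 2>/dev/null || stat -f '%Su' "$kt")
    [ "$mode" = "600" ] || { echo "keytab $kt: mode $mode, want 0600" >&2; return 1; }
    [ "$own" = "$owner" ] || { echo "keytab $kt: owned by $own, want $owner" >&2; return 1; }
    return 0
}

# keytab_has_smtp_spn FILE HOSTNAME
# Returns 0 if MIT `klist -kt` lists an smtp/HOSTNAME@REALM key in FILE,
# i.e. the SPN extracted from AD really is the one smtpd will be asked for.
keytab_has_smtp_spn() {
    klist -kt "$1" 2>/dev/null | grep -q "smtp/$2@"
}

# default_import_environment
# Current Postfix build's default for import_environment (the "..." in the
# thread), read with postconf; the caller must prepend this, not replace it.
default_import_environment() {
    postconf -dh import_environment
}

# gssapi_main_cf KEYTAB DEFAULT_IMPORT_ENV
# Prints the main.cf lines: keep the default import_environment values and
# append KRB5_KTNAME, enable Cyrus SASL in smtpd, and relay only for
# mynetworks or authenticated clients (option 4 in the thread).
gssapi_main_cf() {
    kt=$1
    defaults=$2
    printf 'import_environment = %s KRB5_KTNAME=FILE:%s\n' "$defaults" "$kt"
    printf 'smtpd_sasl_auth_enable = yes\n'
    printf 'smtpd_sasl_type = cyrus\n'
    printf 'smtpd_sasl_security_options = noanonymous\n'
    printf 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination\n'
}

# Stand-alone use: ./keytab-check.sh /etc/postfix/smtp.keytab mail.example.com
# (hostname is assumed; /etc/sasl2/smtpd.conf then needs "mech_list: gssapi").
if [ $# -ge 2 ]; then
    check_keytab "$1" postfix || exit 1
    keytab_has_smtp_spn "$1" "$2" || { echo "no smtp/$2 SPN in $1" >&2; exit 1; }
    gssapi_main_cf "$1" "$(default_import_environment)"
fi
```

The script only reports; it does not change permissions or write main.cf, so it can be run before every deployment of a freshly extracted keytab. A keytab that fails the 0600/owner check is readable by other local users, and those keys are long-lived shared secrets with the realm's KDCs, which is why the check comes before anything else.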