294255: Re: GSSAPI with SMTP client

  • Erinn Looney-Triggs
    Jul 11 8:23 AM
      On 07/11/2013 10:01 AM, Viktor Dukhovni wrote:
      > On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:
      >
      >> Just for posterity, I put together a set of instructions on how to do
      >> this beginning to end here:
      >>
      >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
      >>
      >> Though it uses FreeIPA you can easily just use straight kerberos tools
      >> like kadmin.
      >
      > If active man-in-the-middle attacks are a plausible risk, you should
      > look into making TLS mandatory and authenticating the server.
      >
      > GSSAPI inside TLS currently does not perform channel binding, and
      > so your session can be hijacked, after the client authenticates
      > with GSSAPI. You can use "fingerprint" security if your server
      > certificate is not signed by a usable CA.
      >
      > As for where to keep non-system keytabs, there is some precedent for
      > using /var/spool/keytabs/.
      >
      > Finally, the main.cf fragment in the document does not indent the
      > continuation lines for import_environment correctly. I would also
      > avoid the double-spacing.
      >

      Viktor,
      Thanks for giving it a read-through and for the feedback. I'll make some
      adjustments. However, do you have a bit more info about what you mean by
      channel binding? A link, or something along those lines, just so I can
      understand the concepts here.

      -Erinn
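Added here as a worked example (not from Erinn's write-up or from Viktor's reply): a Postfix main.cf fragment that puts the advice above into practice, with mandatory TLS, fingerprint verification of the relay's certificate so the TLS endpoint is authenticated before GSSAPI runs inside it, a keytab under /var/spool/keytabs/, and import_environment continuation lines indented correctly. The relay host, realm, principal, paths and fingerprint are placeholders; KRB5_CLIENT_KTNAME assumes MIT Kerberos 1.11 or later, and the sasl_passwd entry assumes the Cyrus SASL client library.

```ini
# Added example main.cf fragment (not from the original thread).
# Host names, realm, principal, paths and fingerprint are placeholders.

# Relay all outbound mail through one submission host.
relayhost = [relay.example.com]:587

# Mandatory TLS, with the server certificate pinned by fingerprint.
# This authenticates the TLS endpoint before GSSAPI authentication,
# which is what matters because GSSAPI inside TLS does no channel binding.
# If the relay's certificate is signed by a CA you trust, use
# "smtp_tls_security_level = secure" with smtp_tls_CAfile instead.
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
# Obtain the value with:
#   openssl x509 -in relay-cert.pem -noout -fingerprint -sha256
smtp_tls_fingerprint_cert_match = REPLACE_WITH_SHA256_FINGERPRINT_OF_RELAY_CERT

# GSSAPI (Kerberos) SASL authentication; refuse plaintext mechanisms.
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
# The client only attempts SASL when the relay has a table entry; with
# GSSAPI the password field is unused (assumption: Cyrus SASL client).
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#   /etc/postfix/sasl_passwd contains (then run "postmap" on it):
#   [relay.example.com]:587 postfix@EXAMPLE.COM:unused

# Hand the keytab location to the smtp(8) client process. Continuation
# lines MUST begin with whitespace; keep the default entries as well.
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_CLIENT_KTNAME=/var/spool/keytabs/postfix.keytab
```

The keytab must be readable by the user the Postfix smtp(8) client runs as and by nobody else, and "postconf -n" will show whether the continuation lines were parsed as one value.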