
Postfix-SASL-GSSAPI question

  • Ali Majdzadeh
    Message 1 of 9, Oct 28, 2009
      Hello All
      I have installed cyrus-SASL libraries to do GSSAPI-based authentication when interacting with Postfix. I have also installed and tested Kerberos. I can successfully test GSSAPI authentication using samples provided by SASL (sample-server and sample-client). I have created a service principal for Postfix as smtp/client2.domain.net@DOMAIN.NET and I have put the corresponding keytab file in /etc/krb5.keytab. Also, I have set the KRB5_KTNAME environment variable to point to the keytab file. Using kadmin.local and ktadd -k, I import smtp's keytab and I can verify it by issuing klist -k. Under /etc/postfix/sasl, I have created smtp.conf with the following contents:
      keytab: /etc/smtp.keytab
      mech_list: gssapi
      Before testing Postfix, I use kinit to authenticate the user who wants to authenticate to Postfix. Then, I use telnet to test GSSAPI authentication:
      # telnet client2.domain.net 25
      ...
      ehlo example.com
      auth gssapi base 64 encoded userid
      When I monitor the logs, I see the following failure messages:
      warning: SASL authentication failure: GSSAPI Error: Invalid token was supplied (No error)
      What does the above line mean? Where do I go wrong in the process?

      Kind Regards
      Ali Majdzadeh Kohbanani
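The post above lists several pieces that all have to agree before GSSAPI can work in smtpd: the service principal in the keytab, the path in KRB5_KTNAME, the `keytab:` and `mech_list:` lines in the SASL config, and (as the reply below points out) the Postfix `import_environment` and `mail_owner` parameters. The following is an added consistency check, not code from the thread or from Postfix; it runs over constructed text that reuses the post's own values (principal, keytab paths, the smtp.conf contents). The main.cf fragment and the keytab owner are assumptions made for the example.

```python
# Added example, not code from the thread: a consistency check over the pieces
# the original post describes (service principal, KRB5_KTNAME, the SASL config
# file, `klist -k` output) plus the Postfix main.cf parameters the reply names
# (import_environment, mail_owner).  All inputs are constructed text; the
# main.cf fragment and the keytab owner are assumptions, the rest reuse the
# post's own values.
import re

HOSTNAME = "client2.domain.net"      # from the post
REALM = "DOMAIN.NET"                 # from the post
KRB5_KTNAME = "/etc/krb5.keytab"     # the variable the post exports
KEYTAB_OWNER = "root"                # assumed; the post does not say

# `klist -k` output as the post describes it (constructed)
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 smtp/client2.domain.net@DOMAIN.NET
   3 smtp/client2.domain.net@DOMAIN.NET
"""

# /etc/postfix/sasl/smtp.conf exactly as the post shows it
SASL_CONF_NAME = "smtp.conf"
SASL_CONF = "keytab: /etc/smtp.keytab\nmech_list: gssapi\n"

# main.cf fragment (assumed; the post shows none).  import_environment is
# the Postfix default, which does not include KRB5_KTNAME.
MAIN_CF = """\
mail_owner = postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; later keys win, comments and blanks skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out


def keytab_principals(klist_output):
    """Set of principals in `klist -k` output (KVNO column dropped)."""
    return set(re.findall(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M))


def check_gssapi_setup(hostname, realm, ktname, keytab_owner,
                       klist_output, sasl_name, sasl_conf, main_cf):
    """Return the list of mismatches; an empty list means the pieces agree."""
    problems = []
    sasl = parse_kv(sasl_conf, ":")
    main = parse_kv(main_cf, "=")
    want = f"smtp/{hostname}@{realm}"

    if want not in keytab_principals(klist_output):
        problems.append(f"keytab lists no {want}")
    if "gssapi" not in sasl.get("mech_list", "").lower().split():
        problems.append("mech_list does not offer gssapi")
    # Two places naming different keytab files means one of them is stale.
    if sasl.get("keytab") and sasl["keytab"] != ktname:
        problems.append(f"SASL 'keytab:' is {sasl['keytab']} but KRB5_KTNAME is {ktname}")
    # smtpd runs as $mail_owner, so that user must be able to read the keytab.
    owner = main.get("mail_owner", "postfix")
    if keytab_owner != owner:
        problems.append(f"keytab owned by {keytab_owner}, smtpd runs as {owner}")
    # Postfix clears its environment; KRB5_KTNAME reaches smtpd only if listed.
    passed = {tok.split("=", 1)[0] for tok in main.get("import_environment", "").split()}
    if "KRB5_KTNAME" not in passed:
        problems.append("import_environment does not pass KRB5_KTNAME to smtpd")
    # Cyrus SASL loads <smtpd_sasl_path>.conf, so the file name must match.
    expected = main.get("smtpd_sasl_path", "smtpd").rsplit("/", 1)[-1] + ".conf"
    if sasl_name != expected:
        problems.append(f"SASL config is {sasl_name}; smtpd reads {expected}")
    return problems


if __name__ == "__main__":
    for p in check_gssapi_setup(HOSTNAME, REALM, KRB5_KTNAME, KEYTAB_OWNER,
                                KLIST_K_OUTPUT, SASL_CONF_NAME, SASL_CONF, MAIN_CF):
        print("PROBLEM:", p)
```

Run against the constructed inputs it reports the `keytab:`/KRB5_KTNAME disagreement visible in the post, the assumed owner, the default `import_environment`, and the SASL file name; feeding it the real `klist -k` output, the real config files and `ls -l` ownership of the keytab turns it into a quick pre-flight check before looking at the SASL handshake itself.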
    • Victor Duchovni
      Message 2 of 9, Oct 28, 2009
        On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:

        > ehlo example.com
        > auth gssapi base 64 encoded userid

        The GSSAPI handshake does not work this way.

        > When I monitor the logs, I see the following failure messages:
        > warning: SASL authentication failure: GSSAPI Error: Invalid token was
        > supplied (No error)
        > What does the above line mean? Where do I go wrong in the process?

        A base64 encoded username is not a valid GSSAPI token. Test with an
        actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.

        As in your configuration, the server uses a keytab and KRB5_KTNAME is
        set in the server environment (import_environment=...). The server
        keytab belongs to the "postfix" ($mail_owner) user.

        In our case the client (sending) system also has a keytab, but it is not
        used directly, rather a cron job runs periodically, and uses "kinit -t"
        to refresh the client credential cache. The client main.cf also has
        "import_environment=..." with a setting for KRB5_CCNAME.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
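The reply explains the log line: what follows `AUTH GSSAPI` must be a GSS-API initial context token, and a base64 username is nothing of the kind. The following is an added example, not code from the thread: it decodes a SASL initial response and checks only the outer framing that RFC 2743 section 3.1 prescribes (tag 0x60, a DER length, then the mechanism OID), which is the very first thing the server-side library rejects. The two mechanism OIDs are the standard Kerberos V5 and SPNEGO values; the sample tokens are constructed, and the "framed" one carries a placeholder where a real AP-REQ would be.

```python
# Added example, not code from the thread: inspect the base64 blob a client
# sends after "AUTH GSSAPI" and report whether it is framed as a GSS-API
# InitialContextToken (RFC 2743 section 3.1).  Only the outer framing is
# parsed; the inner Kerberos AP-REQ is not.
import base64

# DER-encoded mechanism OIDs, tag byte 0x06 and length included.
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KNOWN_MECHS = {
    KRB5_OID: "Kerberos V5 (1.2.840.113554.1.2.2)",
    SPNEGO_OID: "SPNEGO (1.3.6.1.5.5.2)",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def frame_token(mech_oid_der, inner):
    """Wrap an inner token in the RFC 2743 framing: 0x60, length, OID, inner."""
    body = mech_oid_der + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def framed_b64(mech_oid_der, inner):
    """Base64 text of a framed token, as it would appear on the AUTH line."""
    return base64.b64encode(frame_token(mech_oid_der, inner)).decode()


def classify_initial_response(b64):
    """Diagnose a SASL initial response; returns a one-line description."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "not valid base64"
    if not raw:
        return "empty"
    if raw[0] != 0x60:
        preview = raw[:16].decode("ascii", "replace")
        return f"not a GSS-API token (first byte 0x{raw[0]:02x}, decodes to {preview!r})"
    try:
        length, pos = _der_length(raw, 1)
    except (ValueError, IndexError):
        return "GSS-API framing with a malformed length"
    if pos + length != len(raw):
        return f"GSS-API framing but declared length {length} != {len(raw) - pos} body bytes"
    if pos >= len(raw) or raw[pos] != 0x06:
        return "GSS-API framing but no mechanism OID follows"
    try:
        oid_len, oid_body = _der_length(raw, pos + 1)
    except (ValueError, IndexError):
        return "GSS-API framing with a malformed OID"
    if oid_body + oid_len > len(raw):
        return "GSS-API framing with a truncated OID"
    oid = raw[pos:oid_body + oid_len]
    mech = KNOWN_MECHS.get(oid, "unknown mechanism OID")
    inner = len(raw) - (oid_body + oid_len)
    return f"GSS-API InitialContextToken, {mech}, {inner} bytes of inner token"


# Constructed samples.  The second is framed correctly but its inner part is a
# placeholder (RFC 1964 TOK_ID 01 00 for AP-REQ followed by filler), not a real
# AP-REQ, so a server would still reject it once it looks past the framing.
SAMPLE_BAD_B64 = base64.b64encode(b"userid").decode()
SAMPLE_FRAMED_B64 = framed_b64(KRB5_OID, b"\x01\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for label, blob in (("bare username", SAMPLE_BAD_B64), ("framed", SAMPLE_FRAMED_B64)):
        print(f"{label}: {classify_initial_response(blob)}")
```

This also shows why the handshake cannot be typed by hand: a valid inner token is an AP-REQ built from the client's ticket cache by the Kerberos library, and the exchange continues with further 334 challenge/response rounds (RFC 4752), so a real GSSAPI client is needed to test it, as the reply says.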
      • Ali Majdzadeh
        Message 3 of 9, Oct 29, 2009
          Viktor,
          Hello
          Thanks for your mail. Do you test the configuration using mail clients like Thunderbird or something like that? If not, what do you actually use in order to test the configuration?

          Kind Regards
          Ali Majdzadeh Kohbanani


        • Victor Duchovni
          Message 4 of 9, Oct 29, 2009
            On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:

            > Thanks for your mail. Do you test the configuration using mail clients like
            > Thunderbird or something like that? If not, what do you actually use in
            > order to test the configuration?

            I have successfully performed GSSAPI authenticated SMTP submission to
            Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt
            and a GSSAPI-capable Postfix client. All work.

            Not much "testing" these days, it all just works.

            --
            Viktor.

          • Ali Majdzadeh
            Message 5 of 9, Oct 29, 2009
              Viktor,
              Hi
              Thanks for your mail. Among your experiences with Postfix, GSSAPI and probably SASL, have you ever tested your configuration using telnet? If it is so, would you please describe the procedure? According to your previous mail, I figured out that since I use telnet to test the configuration, I should know about the exact handshake process.
              Thanks again.

              Kind Regards
              Ali Majdzadeh Kohbanani


            • Victor Duchovni
              Message 6 of 9, Oct 29, 2009
                On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:

                > Thanks for your mail. Among your experiences with Postfix, GSSAPI and
                > probably SASL, have you ever tested your configuration using telnet? If it
                > is so, would you please describe the procedure? According to your previous
                > mail, I figured out that since I use telnet to test the configuration, I
                > should know about the exact handshake process.

                The GSSAPI handshake is too complex for hand-tests with telnet. Use a
                real GSSAPI client, e.g. a suitably configured Postfix client.

                --
                Viktor.

              • Ali Majdzadeh
                Message 7 of 9, Oct 30, 2009
                  Viktor,
                  Hi
                  Thanks for your guidance. Would you please keep an eye on this thread? I am going to test the configuration using a properly configured GSSAPI client. Possibly, there will be many more questions to ask ;)
                  Thank you so much.

                  Kind Regards
                  Ali Majdzadeh Kohbanani


                • Ali Majdzadeh
                  Message 8 of 9, Nov 1, 2009
                    Viktor,
                    Hello
                    Thanks a lot for your help. I managed to solve the problem. By the way, have you got any experience with using Kerberos as a PAM module?

                    Kind Regards
                    Ali Majdzadeh Kohbanani



                  • Victor Duchovni
                    Message 9 of 9, Nov 2, 2009
                      On Sun, Nov 01, 2009 at 04:06:53PM +0330, Ali Majdzadeh wrote:

                      > Thanks a lot for your help. I managed to solve the problem. By the way, have
                      > you got any experiences about using kerberos as a pam module?

                      Processes running as root can use kerberos as a PAM module, by obtaining
                      and validating a service ticket for the host/<hostname>@REALM service
                      in the system keytab.

                      So if you want to have Postfix offer "PLAIN", utilizing a KDC as a password
                      "oracle", you need a "root" co-process to validate passwords, which is what
                      "saslauthd -a pam" is for.

                      --
                      Viktor.
