Re: GSSAPI with SMTP client

  • Viktor Dukhovni
    Message 1 of 10 , Jul 2, 2013
      On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:

      > However, it still is not working.
      >
      > Running a debug_peer_list with the verbosity set to 2 against both a
      > thunderbird client working with GSSAPI and the postfix client. It
      > appears that GSSAPI is not even being tried by the postfix client. It
      > negotiates the TLS session, is presented with GSSAPI as an auth option,
      > and then it just attempts to send the message (MAIL FROM etc.). Whereas
      > the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).

      The destination needs to appear in the smtp_sasl_password_maps database,
      even when you're not using a password-based mechanism. This tells
      Postfix to use SASL for the destination.

      [smtp.example.com]:587 gssapi:nopassword

      You naturally need to make sure that you've installed the GSSAPI
      plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.

      --
      Viktor.
    • Erinn Looney-Triggs
      Message 2 of 10 , Jul 5, 2013
        On 07/02/2013 12:03 PM, Viktor Dukhovni wrote:
        > On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:
        >
        >> However, it still is not working.
        >>
        >> Running a debug_peer_list with the verbosity set to 2 against both a
        >> thunderbird client working with GSSAPI and the postfix client. It
        >> appears that GSSAPI is not even being tried by the postfix client. It
        >> negotiates the TLS session, is presented with GSSAPI as an auth option,
        >> and then it just attempts to send the message (MAIL FROM etc.). Whereas
        >> the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).
        >
        > The destination needs to appear in the smtp_sasl_password_maps database,
        > even when you're not using a password-based mechanism. This tells
        > Postfix to use SASL for the destination.
        >
        > [smtp.example.com]:587 gssapi:nopassword
        >
        > You naturally need to make sure that you've installed the GSSAPI
        > plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.
        >

        Viktor,
        Thanks for the help, after a lot more messing about, and debugging
        (Wietse, you the man for putting in debug_peer_list, very helpful) I
        finally got this working.

        All the constituent parts were there, but the syntax for the SASL
        password maps database was incorrect (my fault), which client-side
        debugging revealed as it wasn't matching the mail server host.

        I am going to write up a little how to for this and post it on up.
        Hopefully it will make folks lives easier if they decide to do this in
        the future.

        Thanks again,
        -Erinn
      • Erinn Looney-Triggs
        Message 3 of 10 , Jul 10, 2013
          On 07/02/2013 12:03 PM, Viktor Dukhovni wrote:
          > On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:
          >
          >> However, it still is not working.
          >>
          >> Running a debug_peer_list with the verbosity set to 2 against both a
          >> thunderbird client working with GSSAPI and the postfix client. It
          >> appears that GSSAPI is not even being tried by the postfix client. It
          >> negotiates the TLS session, is presented with GSSAPI as an auth option,
          >> and then it just attempts to send the message (MAIL FROM etc.). Whereas
          >> the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).
          >
          > The destination needs to appear in the smtp_sasl_password_maps database,
          > even when you're not using a password-based mechanism. This tells
          > Postfix to use SASL for the destination.
          >
          > [smtp.example.com]:587 gssapi:nopassword
          >
          > You naturally need to make sure that you've installed the GSSAPI
          > plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.
          >

          Just for posterity, I put together a set of instructions on how to do
          this beginning to end here:
          https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

          Though it uses FreeIPA, you can easily just use straight Kerberos tools
          like kadmin.

          Viktor, thanks again for the help.

          -Erinn
        • Viktor Dukhovni
          Message 4 of 10 , Jul 11, 2013
            On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:

            > Just for posterity, I put together a set of instructions on how to do
            > this beginning to end here:
            >
            > https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
            >
            > Though it uses FreeIPA, you can easily just use straight Kerberos tools
            > like kadmin.

            If active man-in-the-middle attacks are a plausible risk, you should
            look into making TLS mandatory and authenticating the server.

            GSSAPI inside TLS currently does not perform channel binding, and
            so your session can be hijacked, after the client authenticates
            with GSSAPI. You can use "fingerprint" security if your server
            certificate is not signed by a usable CA.

            As for where to keep non-system keytabs, there is some precedent for
            using /var/spool/keytabs/.

            Finally, the main.cf fragment in the document does not indent the
            continuation lines for import_environment correctly. I would also
            avoid the double-spacing.

            --
            Viktor.
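As an added illustration of the two configuration points raised in this thread (the smtp_sasl_password_maps key must match the next-hop exactly as written in relayhost, and TLS should be mandatory with the server authenticated), the script below is not from the thread or from Postfix. Its main.cf parser and the lookup order (next-hop as configured, then bare hostname) are simplified models of the documented behaviour, and the hostnames, keytab path and fingerprint value are constructed placeholders.

```python
import re

AUTHENTICATING_TLS = ("fingerprint", "verify", "secure")  # mandatory TLS with server auth (assumed set)
def parse_main_cf(text):
    """main.cf parameters; a line starting with whitespace continues the
    previous value, which is why mis-indented import_environment lines break."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
        else:
            key, _, val = raw.partition("=")
            last = key.strip()
            params[last] = val.strip()
    return params
def lookup_sasl_entry(relayhost, map_text):
    """Parse 'key username:password' lines, then try the next-hop exactly as
    configured (with [] and :port) before the bare hostname, as Postfix does."""
    rows = [ln.split(None, 1) for ln in map_text.splitlines() if ln[:1] not in ("", "#")]
    table = {r[0]: r[1].strip() for r in rows if len(r) == 2}
    bare = re.sub(r"^\[?([^\]:]+)\]?(?::\S+)?$", r"\1", relayhost)  # drop [] and :port
    for key in (relayhost, bare):  # 'smtp.example.com:587' as a key matches neither
        if key in table:
            return table[key]
    return None
def check_setup(main_cf, sasl_passwd):
    """Findings for the relay configuration; an empty list means it looks sane."""
    p, out = parse_main_cf(main_cf), []
    if lookup_sasl_entry(p.get("relayhost", ""), sasl_passwd) is None:
        out.append("relayhost has no smtp_sasl_password_maps entry: SASL is skipped")
    mechs = p.get("smtp_sasl_mechanism_filter", "")  # empty allows every mechanism
    if mechs and "gssapi" not in mechs.lower():
        out.append("smtp_sasl_mechanism_filter excludes gssapi")
    level = p.get("smtp_tls_security_level", "none")
    if level not in AUTHENTICATING_TLS:
        out.append("smtp_tls_security_level=%s does not authenticate the server" % level)
    elif level == "fingerprint" and not p.get("smtp_tls_fingerprint_cert_match"):
        out.append("fingerprint level set but smtp_tls_fingerprint_cert_match is empty")
    return out
# Constructed sample: Viktor's map entry beside the unbracketed key that fails to match.
MAIN_CF = """relayhost = [smtp.example.com]:587
smtp_sasl_mechanism_filter = gssapi
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_cert_match = <server-certificate-fingerprint-placeholder>
import_environment = MAIL_CONFIG MAIL_DEBUG TZ
    KRB5_CLIENT_KTNAME=/var/spool/keytabs/postfix.keytab"""
GOOD_MAP = "[smtp.example.com]:587 gssapi:nopassword\n"
BAD_MAP = "smtp.example.com:587 gssapi:nopassword\n"
```

Running check_setup(MAIN_CF, BAD_MAP) reports only the missing map entry, which is the symptom described earlier in the thread (no AUTH attempted at all); with GOOD_MAP it reports nothing.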
          • Erinn Looney-Triggs
            Message 5 of 10 , Jul 11, 2013
              On 07/11/2013 10:01 AM, Viktor Dukhovni wrote:
              > On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:
              >
              >> Just for posterity, I put together a set of instructions on how to do
              >> this beginning to end here:
              >>
              >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
              >>
              >> Though it uses FreeIPA, you can easily just use straight Kerberos tools
              >> like kadmin.
              >
              > If active man-in-the-middle attacks are a plausible risk, you should
              > look into making TLS mandatory and authenticating the server.
              >
              > GSSAPI inside TLS currently does not perform channel binding, and
              > so your session can be hijacked, after the client authenticates
              > with GSSAPI. You can use "fingerprint" security if your server
              > certificate is not signed by a usable CA.
              >
              > As for where to keep non-system keytabs, there is some precedent for
              > using /var/spool/keytabs/.
              >
              > Finally, the main.cf fragment in the document does not indent the
              > continuation lines for import_environment correctly. I would also
              > avoid the double-spacing.
              >

              Viktor,
              Thanks for giving it a read through and for the feedback. I'll make some
              adjustments. However, do you have a bit more info about what you mean by
              channel binding? A link, something along those lines just so I can
              understand the concepts here.

              -Erinn
            • Viktor Dukhovni
              Message 6 of 10 , Jul 11, 2013
                On Thu, Jul 11, 2013 at 11:23:50AM -0400, Erinn Looney-Triggs wrote:

                > > GSSAPI inside TLS currently does not perform channel binding, and
                > > so your session can be hijacked, after the client authenticates
                > > with GSSAPI. You can use "fingerprint" security if your server
                > > certificate is not signed by a usable CA.
                >
                > However, do you have a bit more info about what you mean by
                > channel binding? A link, something along those lines just so I can
                > understand the concepts here.

                https://tools.ietf.org/html/rfc5056

                --
                Viktor.
              • Erinn Looney-Triggs
                Message 7 of 10 , Jul 18, 2013
                  On 07/11/2013 07:45 AM, Viktor Dukhovni wrote:
                  > On Thu, Jul 11, 2013 at 11:23:50AM -0400, Erinn Looney-Triggs wrote:
                  >
                  >>> GSSAPI inside TLS currently does not perform channel binding, and
                  >>> so your session can be hijacked, after the client authenticates
                  >>> with GSSAPI. You can use "fingerprint" security if your server
                  >>> certificate is not signed by a usable CA.
                  >>
                  >> However, do you have a bit more info about what you mean by
                  >> channel binding? A link, something along those lines just so I can
                  >> understand the concepts here.
                  >
                  > https://tools.ietf.org/html/rfc5056
                  >

                  Viktor,
                  Thanks again for the feedback, I updated the article. If you want to
                  take a look at it again and have any more feedback feel free to send it
                  along.

                  https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

                  -Erinn