Re: GSSAPI with SMTP client

• Erinn Looney-Triggs
Message 1 of 10, Jul 10, 2013

On 07/02/2013 12:03 PM, Viktor Dukhovni wrote:
> On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:
>
>> However, it still is not working.
>>
>> Running a debug_peer_list with the verbosity set to 2 against both a
>> thunderbird client working with GSSAPI and the postfix client. It
>> appears that GSSAPI is not even being tried by the postfix client. It
>> negotiates the TLS session, is presented with GSSAPI as an auth option,
>> and then it just attempts to send the message (MAIL FROM etc.). Whereas
>> the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).
>
> The destination needs to appear in the smtp_sasl_password_maps database,
> even when you're not using a password-based mechanism. This tells
> Postfix to use SASL for the destination.
>
> [smtp.example.com]:587 gssapi:nopassword
>
> You naturally need to make sure that you've installed the GSSAPI
> plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.
>

Just for posterity, I put together a set of instructions on how to do
this beginning to end here:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

Though it uses FreeIPA you can easily just use straight Kerberos tools
like kadmin.

Viktor, thanks again for the help.

-Erinn
• Viktor Dukhovni
Message 2 of 10, Jul 11, 2013

On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:

> Just for posterity, I put together a set of instructions on how to do
> this beginning to end here:
>
> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>
> Though it uses FreeIPA you can easily just use straight Kerberos tools
> like kadmin.

If active man-in-the-middle attacks are a plausible risk, you should
look into making TLS mandatory and authenticating the server.

GSSAPI inside TLS currently does not perform channel binding, and
so your session can be hijacked, after the client authenticates
with GSSAPI. You can use "fingerprint" security if your server
certificate is not signed by a usable CA.

As for where to keep non-system keytabs, there is some precedent for
using /var/spool/keytabs/.

Finally, the main.cf fragment in the document does not indent the
continuation lines for import_environment correctly. I would also
avoid the double-spacing.

--
Viktor.
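The client-side configuration Viktor describes, as an added example that is not from the thread or the linked article: a Postfix main.cf fragment showing the weak opportunistic-TLS setting beside the mandatory, fingerprint-verified one, the gssapi:nopassword map entry, and import_environment with its continuation lines indented. The relay host name, keytab and credential cache paths, and the certificate fingerprint are placeholders.

```ini
# Postfix SMTP client relaying through a GSSAPI-authenticated smarthost.
# Added example; relay name, paths and fingerprint are placeholders.

# --- Weak: opportunistic TLS. Any certificate is accepted (or STARTTLS can
# be stripped), and because GSSAPI has no channel binding the session can
# be hijacked after the client has authenticated. Do not use with GSSAPI:
# smtp_tls_security_level = may

# --- Hardened: TLS is mandatory and the server is authenticated by the
# fingerprint of its certificate, which works even without a usable CA.
relayhost = [smtp.example.com]:587
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
# Obtain the value from the relay's certificate, e.g.
#   openssl x509 -in relay-cert.pem -noout -fingerprint -sha256
# The digest below is a placeholder, not a real server's fingerprint:
smtp_tls_fingerprint_cert_match =
    AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99

# --- SASL: GSSAPI only, never a plaintext mechanism even inside TLS.
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noplaintext, noanonymous
# The destination must be listed here even though no password is used;
# this is what makes Postfix attempt SASL for it. /etc/postfix/sasl_passwd
# contains the single line (then run "postmap /etc/postfix/sasl_passwd"):
#   [smtp.example.com]:587 gssapi:nopassword
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# --- Kerberos credential cache for the smtp(8) client. Continuation lines
# of a main.cf value must begin with whitespace. The cache is assumed to be
# kept current from a keytab under /var/spool/keytabs/ (readable only by
# the postfix user); how it is renewed is outside this fragment.
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5CCNAME=FILE:/var/spool/keytabs/postfix.cc
```

Check the result with `postconf -n` (the continuation lines should print as one value) and by sending a test message with `smtp_tls_loglevel = 1`, which logs "Verified TLS connection" for a fingerprint match and "Untrusted" otherwise.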
• Erinn Looney-Triggs
Message 3 of 10, Jul 11, 2013

On 07/11/2013 10:01 AM, Viktor Dukhovni wrote:
> On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:
>
>> Just for posterity, I put together a set of instructions on how to do
>> this beginning to end here:
>>
>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>
>> Though it uses FreeIPA you can easily just use straight Kerberos tools
>> like kadmin.
>
> If active man-in-the-middle attacks are a plausible risk, you should
> look into making TLS mandatory and authenticating the server.
>
> GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI. You can use "fingerprint" security if your server
> certificate is not signed by a usable CA.
>
> As for where to keep non-system keytabs, there is some precedent for
> using /var/spool/keytabs/.
>
> Finally, the main.cf fragment in the document does not indent the
> continuation lines for import_environment correctly. I would also
> avoid the double-spacing.
>

Viktor,
Thanks for giving it a read through and for the feedback. I'll make some
adjustments. However, do you have a bit more info about what you mean by
channel binding? A link, something along those lines just so I can
understand the concepts here.

-Erinn
• Viktor Dukhovni
Message 4 of 10, Jul 11, 2013

On Thu, Jul 11, 2013 at 11:23:50AM -0400, Erinn Looney-Triggs wrote:

> > GSSAPI inside TLS currently does not perform channel binding, and
> > so your session can be hijacked, after the client authenticates
> > with GSSAPI. You can use "fingerprint" security if your server
> > certificate is not signed by a usable CA.
>
> However, do you have a bit more info about what you mean by
> channel binding? A link, something along those lines just so I can
> understand the concepts here.

https://tools.ietf.org/html/rfc5056

--
Viktor.
• Erinn Looney-Triggs
Message 5 of 10, Jul 18, 2013

On 07/11/2013 07:45 AM, Viktor Dukhovni wrote:
> On Thu, Jul 11, 2013 at 11:23:50AM -0400, Erinn Looney-Triggs wrote:
>
>>> GSSAPI inside TLS currently does not perform channel binding, and
>>> so your session can be hijacked, after the client authenticates
>>> with GSSAPI. You can use "fingerprint" security if your server
>>> certificate is not signed by a usable CA.
>>
>> However, do you have a bit more info about what you mean by
>> channel binding? A link, something along those lines just so I can
>> understand the concepts here.
>
> https://tools.ietf.org/html/rfc5056
>

Viktor,
Thanks again for the feedback, I updated the article. If you want to
take a look at it again and have any more feedback feel free to send it
along.

https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

-Erinn