On Wed, Apr 24, 2013 at 5:57 PM, Quanah Gibson-Mount <qua...@zimbra.com> wrote:

    If you replaced Exchange 2003 with Zimbra, and set up external
    auth to your AD server, then it would use the custom zimbra
    authentication method for cyrus-sasl to auth your clients against
    AD.  I don't know what you intend on replacing Exchange with
    though, so that may be a bit more than you want. But it is a solution.


Zimbra would be more than I want in this case. All I need is a secure authenticated SMTP server, and it would be nice to have a GUI to monitor the message queues. My thought has been that Postfix with webmin would be a good fit if I can get the authentication to work with Active Directory.


    If you want to use SASL/GSSAPI, the clients have to be able to get
    a TGT from the KDC.


The reason I've been looking at configuring the SASL/GSSAPI mechanism is that's what I see the current Exchange server doing. I'm hoping to build something I can drop in place without needing to touch client systems for reconfiguration.

I'm just puzzled as to how this works because the clients aren't members of our AD domain, and I strongly doubt they have data for, or access to, the DNS servers in the domain or a KDC. All they are given is an SMTP server, username (DOMAIN\Username), and password.

It's also my understanding that the GSSAPI mechanism is more secure on the wire than a plain text authentication method without TLS. Is that accurate?

I'm not sure that my understanding of the security of the GSSAPI method is accurate, or that the infrastructure is there in this case to support doing this with Postfix.

Here's a screen shot <http://s21.postimg.org/7hlu8cl13/GSSAPI_SMTP_AUTH.png> of an SMTP authentication exchange taken from a wireshark trace on the Exchange server.


Any pointers or further information on how this works would be appreciated.

    Alternatively, you could just do straight ldap authentication
    against AD, instead of Kerberos-AD, something like:

    <http://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x>


I'll check out the LDAP authentication setup. Hopefully as I gain a better understanding of other possible pieces of this configuration the whole thing will start to gel together for me.


Thanks,
ML
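As an added example that is not part of this thread (it is neither Quanah's nor ML's configuration), here is the straight-LDAP route suggested above spelled out: Postfix hands SMTP AUTH to Dovecot's SASL socket, and Dovecot verifies the password by binding to Active Directory over LDAPS. Every hostname, DN, certificate path and the service-account name is a placeholder. Because the PLAIN and LOGIN mechanisms carry the password merely base64-encoded, the Postfix side refuses AUTH until the client has completed STARTTLS. The example assumes clients present a bare sAMAccountName; the DOMAIN\Username form mentioned in the post would need additional username rewriting that is not shown here.

```ini
# /etc/postfix/main.cf  (relevant settings only; all values are placeholders)
# Hand SMTP AUTH to Dovecot's auth socket instead of cyrus-sasl.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Offer STARTTLS and refuse AUTH on an unencrypted session:
# PLAIN and LOGIN only base64-encode the password, they do not protect it.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/smtp.example.com.key
# Authenticated clients may relay anywhere; everyone else only to local domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/dovecot/conf.d/10-master.conf
# Socket Postfix connects to (the path is inside Postfix's queue_directory).
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# /etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
# No mailboxes are hosted on this relay, so a static userdb satisfies the auth service.
userdb {
  driver = static
  args = uid=nobody gid=nobody home=/var/empty
}

# /etc/dovecot/dovecot-ldap.conf.ext
# Domain controller over LDAPS, so neither the service-account password nor the
# client's password crosses the wire to AD in the clear.
uris = ldaps://dc1.ad.example.com
ldap_version = 3
# Low-privilege service account (placeholder) used only to locate the user's DN.
dn = CN=svc-dovecot-ldap,OU=Service Accounts,DC=ad,DC=example,DC=com
dnpass = CHANGEME
base = DC=ad,DC=example,DC=com
scope = subtree
# auth_bind = yes: Dovecot searches for the DN matching the login name, then
# binds to AD with the client's password. AD performs the verification, so no
# password hashes are read out of the directory.
auth_bind = yes
# %n is the user part of the login name; with a bare username it equals the whole name.
pass_filter = (&(objectClass=user)(sAMAccountName=%n))
```

To check the AD side in isolation before involving Postfix, run `doveadm auth test <username>` on the relay; it prompts for the password and reports whether the LDAP bind succeeded. On the Postfix side, `postconf -n` confirms the settings took effect, and an unencrypted `EHLO` should no longer advertise `AUTH` while a session after `STARTTLS` does.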

