--On Thursday, April 25, 2013 12:27 PM -0700 Matthew Larsen
<uteg...@gmail.com> wrote:

>> If you want to use SASL/GSSAPI, the clients have to be able to get a TGT
>> from the KDC.
>
> The reason I've been looking at configuring the SASL/GSSAPI mechanism is
> that's what I see the current Exchange server doing. I'm hoping to
> build something I can drop in place without needing to touch client
> systems for reconfiguration.

But Exchange knows about your domain, correct? And how to authenticate
users to AD?

> I'm just puzzled as to how this works because the clients aren't
> members of our AD domain, and I strongly doubt they have data for, or
> access to, the DNS servers in the domain or a KDC. All they are given
> is an SMTP server, username (DOMAIN\Username), and password.

Because Exchange is cheating and doing the Kerberos auth for them to AD?
I.e., it isn't the clients themselves doing SASL/GSSAPI, correct? It is
Exchange?

> It's also my understanding that the GSSAPI mechanism is more secure on
> the wire than a plain text authentication method without TLS. Is that
> accurate?

Any form of encryption is more secure than plain text... so yes, that is a
correct statement.

--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
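
Which mechanism the non-domain clients really use can be narrowed down from what the server advertises in its EHLO reply. The following is an added example, not part of the original thread and not Exchange or Zimbra code: it classifies the advertised SASL mechanisms by whether they need KDC access or send the password itself, and decodes an AUTH PLAIN response to show that base64 is not encryption. The function names, the EHLO reply and the PLAIN response are constructed for illustration.

```python
import base64

# Constructed EHLO reply (not captured from a real server).
SAMPLE_EHLO = """250-mail.example.test Hello [192.0.2.10]
250-STARTTLS
250-AUTH GSSAPI NTLM LOGIN
250 8BITMIME"""
# Constructed SASL PLAIN response: authzid NUL authcid NUL password (RFC 4616).
SAMPLE_PLAIN = base64.b64encode(b"\0DOMAIN\\Username\0not-a-real-password").decode()

CLEARTEXT = {"PLAIN", "LOGIN"}           # the password itself crosses the wire
TICKET_BASED = {"GSSAPI", "GSS-SPNEGO"}  # client must hold a Kerberos ticket


def parse_ehlo(reply):
    """Return (advertised AUTH mechanisms, whether STARTTLS is offered)."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        # Accept the legacy "AUTH=LOGIN" spelling as well as "AUTH LOGIN".
        words = line[4:].upper().replace("=", " ").split()
        if not line.startswith("250") or not words:
            continue
        if words[0] == "AUTH":
            mechs.update(words[1:])
        elif words[0] == "STARTTLS":
            starttls = True
    return mechs, starttls


def classify(reply, tls_active=False):
    """Map each mechanism to what it demands of the client or the transport."""
    mechs, starttls = parse_ehlo(reply)
    result = {}
    for mech in mechs:
        if mech in TICKET_BASED:
            result[mech] = "needs-kdc-access"
        elif mech not in CLEARTEXT:
            result[mech] = "other"  # e.g. NTLM challenge-response
        elif tls_active:
            result[mech] = "cleartext-inside-tls"
        else:
            result[mech] = "cleartext-starttls-first" if starttls else "cleartext-no-tls"
    return result


def decode_plain(b64_response):
    """base64 is an encoding, not encryption: recover (authcid, password)."""
    _authzid, authcid, password = base64.b64decode(b64_response).split(b"\0")
    return authcid.decode(), password.decode()
```

Servers re-advertise their capabilities after STARTTLS, so run the classification on the second EHLO reply with `tls_active=True` as well.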