On Thu, Apr 25, 2013 at 12:27:59PM -0700, Matthew Larsen wrote:

> >
> >    If you want to use SASL/GSSAPI, the clients have to be able to get
> >    a TGT from the KDC.
> >
> 
> The reason I've been looking at configuring the SASL/GSSAPI
> mechanism is that's what I see the current Exchange server doing.

What evidence do you have that the server is "doing" GSSAPI?  It
seems likely you're mistaken. Simply listing GSSAPI as a supported
SASL AUTH mechanism is not "doing" GSSAPI, the client would actually
have to use GSSAPI.  It is quite possible your client's IP address
was whitelisted on the Exchange servers, or access was unrestricted, ...

> I'm just puzzled as to how this works because the clients aren't
> members of our AD domain, and I strongly doubt they have data for,
> or access to, the DNS servers in the domain or a KDC.  All they are
> given is an SMTP server, username (DOMAIN\Username), and password.

The clients may be doing NTLM or PLAIN or nothing at all.  You need
to figure out what's actually used.  If TLS is not in use a simple
packet capture plus wireshark or similar will show you exactly what
the client and server are doing.

> I'm not sure that my understanding of the security of the GSSAPI
> method is accurate, or that the infrastructure is there in this case
> to support doing this with Postfix?

The Postfix SMTP client, if compiled with Cyrus SASL support and
provided the Cyrus SASL gssapi plugin is installed, will do GSSAPI.
There is no GSSAPI-specific code in Postfix, all the logic is in
Cyrus SASL.  However, you need to specify a KRB5CCNAME in the
client's environment that is readable by the "postfix" user and
contains valid tickets at all times.  To do this, run a cron-job
periodically that uses a keytab file to populate the credential
cache with freshly valid tickets.

If the above is just a bunch of greek to you, you want to look for
alternatives to GSSAPI.

>  I'll check out the LDAP authentication setup.  Hopefully as I gain
> a better understanding of other possible pieces of this
> configuration the whole thing will start to gel together for me.

If you replace the Exchange servers with Postfix, you can support
any of the following authorization methods:

    - Allow any client to send anywhere (internal open relay).
    - Whitelist the particular sending IPs.
    - Allow the clients to send via authorized TLS client certs.
    - Allow the clients to send via any mutually supported SASL
      mechanism, including PLAIN and/or GSSAPI.

For server-side GSSAPI support the server will need a keytab file
containing shared keys with the appropriate realm's KDCs.

-- 
        Viktor.
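The "find out what the client actually uses" step above, as an added example that is not part of the original post and not Postfix code: a small shell audit that takes a cleartext SMTP dialogue (what you get from tcpdump -w plus Wireshark's "Follow TCP Stream", one line per command or response) and reports what the server advertised in its EHLO reply versus the mechanism the client really sent in its AUTH command. The sample dialogues, host names and base64 tokens below are constructed for illustration, and GNU base64 -d is assumed for the PLAIN decoder.

```shell
#!/bin/sh
# smtp_auth_audit: added example for this thread, not Postfix's own code.
# Input: an SMTP dialogue, one line per command or response (Follow TCP Stream
# style). Output: offered=<EHLO AUTH list>;used=<client's AUTH mech>;tls=<0|1>
# and, when the client sent "AUTH PLAIN <initial-response>", the base64 blob.
smtp_auth_audit() {
    awk '
    BEGIN { offered = "(none advertised)"; used = "none"; tls = 0; want_tls = 0; blob = "" }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    # EHLO reply line listing SASL mechanisms, e.g. "250-AUTH GSSAPI NTLM LOGIN"
    /^250[- ]AUTH / { offered = substr($0, 10); next }
    # Client asked for STARTTLS; if the server accepts (220) everything after
    # this point is encrypted and the capture can no longer show the mechanism.
    toupper($1) == "STARTTLS" { want_tls = 1; next }
    want_tls == 1 { want_tls = 0; if ($0 ~ /^220/) { tls = 1; exit } }
    # The first AUTH command is what the client really used, whatever was offered.
    toupper($1) == "AUTH" && used == "none" {
        used = toupper($2)
        if (used == "PLAIN" && NF >= 3) blob = $3   # initial response sent inline
        next
    }
    END {
        printf "offered=%s;used=%s;tls=%d", offered, used, tls
        if (blob != "") printf ";plain_initial=%s", blob
        printf "\n"
    }'
}

# smtp_plain_identity: decode an AUTH PLAIN initial response (RFC 4616:
# authzid NUL authcid NUL password) and print only the identities. The password
# is in the capture as well, which is exactly why PLAIN without TLS is a problem.
# Assumes GNU coreutils base64 (older BSD/macOS spell the flag -D).
smtp_plain_identity() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' |
        awk 'NR == 1 { a = $0 } NR == 2 { u = $0 }
             END { printf "authzid=%s;authcid=%s\n", a, u }'
}

# Constructed sample 1: the server offers GSSAPI, but this client picks NTLM.
# The NTLMSSP tokens are abbreviated stand-ins, not real captured blobs.
SAMPLE_NTLM='220 exch.example.com Microsoft ESMTP MAIL Service ready
EHLO client.example.com
250-exch.example.com Hello [192.0.2.10]
250-SIZE 37748736
250-AUTH GSSAPI NTLM LOGIN
250-STARTTLS
250 OK
AUTH NTLM
334
TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
334 TlRMTVNTUAACAAAA
TlRMTVNTUAADAAAA
235 2.7.0 Authentication successful
MAIL FROM:<app@example.com>'

# Constructed sample 2: PLAIN in the clear; the blob is base64("\0alice\0s3cret").
SAMPLE_PLAIN='220 mail.example.com ESMTP
EHLO client.example.com
250-mail.example.com
250 AUTH PLAIN LOGIN
AUTH PLAIN AGFsaWNlAHMzY3JldA==
235 2.7.0 Authentication successful'

# Constructed sample 3: STARTTLS accepted, so the capture cannot answer the question.
SAMPLE_TLS='220 mail.example.com ESMTP
EHLO client.example.com
250-mail.example.com
250-STARTTLS
250 AUTH GSSAPI
STARTTLS
220 2.0.0 Ready to start TLS'

printf '%s\n' "$SAMPLE_NTLM" | smtp_auth_audit
printf '%s\n' "$SAMPLE_TLS" | smtp_auth_audit
audit=$(printf '%s\n' "$SAMPLE_PLAIN" | smtp_auth_audit)
echo "$audit"
case "$audit" in
    *plain_initial=*) smtp_plain_identity "${audit##*plain_initial=}" ;;
esac
```

For a real capture, save the session with tcpdump -w and export one TCP stream as text from Wireshark; the "offered" list is only what the server is willing to do, while "used" is the answer to the question in this thread. A result of tls=1 means you need to look at the client's own logs or configuration instead, because the mechanism is negotiated inside the TLS session.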

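The cron job described in the reply above (a keytab-driven refresh of the credential cache named by KRB5CCNAME), as an added example that is not part of the original post and not Postfix's own code. The principal name, keytab path, cache path, cron schedule and the main.cf fragment in the comments are assumptions; check your own default with postconf -d import_environment before appending KRB5CCNAME to it. MIT Kerberos kinit is assumed.

```shell
#!/bin/sh
# refresh_postfix_krb5cc: cron job that keeps a Kerberos credential cache fresh
# for the Postfix SMTP client. Postfix has no GSSAPI code of its own; Cyrus SASL
# does the work and only needs KRB5CCNAME to name a readable, valid cache.
# Added example for this thread, not Postfix's own code. All paths, names and
# numbers below are assumptions; replace them with your site's values.
#
# Assumed main.cf fragment so smtp(8) inherits the cache location (verify your
# version's default list with: postconf -d import_environment):
#   smtp_sasl_auth_enable = yes
#   smtp_sasl_mechanism_filter = gssapi
#   import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5CCNAME=FILE:/var/lib/postfix/krb5cc
# Assumed crontab line (TGT lifetimes are commonly 10h; refresh well inside that):
#   0 */3 * * *  root  /usr/local/sbin/refresh_postfix_krb5cc

PRINCIPAL="${PRINCIPAL:-smtp/mail.example.com@EXAMPLE.COM}"  # assumed service principal
KEYTAB="${KEYTAB:-/etc/postfix/smtp.keytab}"                  # assumed; root-only, mode 0600
CCACHE="${CCACHE:-/var/lib/postfix/krb5cc}"                   # assumed; must match import_environment
POSTFIX_USER="${POSTFIX_USER:-postfix}"

# preflight: refuse to run with an obviously broken setup so cron mails an
# actionable error instead of kinit failing silently at night.
preflight() {
    case "$KEYTAB" in
        /*) ;;
        *) echo "refresh_postfix_krb5cc: keytab path must be absolute: $KEYTAB" >&2; return 4 ;;
    esac
    if [ ! -r "$KEYTAB" ]; then
        echo "refresh_postfix_krb5cc: keytab missing or unreadable: $KEYTAB" >&2; return 3
    fi
    if ! command -v kinit >/dev/null 2>&1; then
        echo "refresh_postfix_krb5cc: kinit (MIT Kerberos) not found in PATH" >&2; return 2
    fi
    return 0
}

# refresh: obtain a fresh TGT into a private temporary cache, then swap it into
# place atomically so the SMTP client never reads a half-written file, and so
# a failed kinit leaves the previous (still valid) cache untouched.
refresh() {
    preflight || return $?
    tmp="$CCACHE.tmp.$$"
    if ! kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL"; then
        rm -f "$tmp"
        echo "refresh_postfix_krb5cc: kinit failed for $PRINCIPAL" >&2
        return 1
    fi
    chown "$POSTFIX_USER" "$tmp" && chmod 0600 "$tmp" && mv -f "$tmp" "$CCACHE"
}

# When invoked under its own name (from cron) do the work; when sourced for
# inspection or testing, only define the functions.
case "${0##*/}" in
    refresh_postfix_krb5cc) refresh ;;
esac
```

Two points worth checking after installing it: the cache file must be owned by the postfix user (the SMTP client runs unprivileged and will not read a root-only cache), and the keytab must not be, since anyone who can read the keytab can impersonate the principal. Run klist -c FILE:/var/lib/postfix/krb5cc as the postfix user once to confirm the tickets are visible to the account that needs them.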