On 4/25/2013 1:02 PM, Viktor Dukhovni wrote:
> What evidence do you have that the server is "doing" GSSAPI? It
> seems likely you're mistaken. Simply listing GSSAPI as a supported
> SASL AUTH mechanism is not "doing" GSSAPI, the client would actually
> have to use GSSAPI. It is quite possible your client's IP address
> was whitelisted on the Exchange servers, or access was unrestricted, ...
My apologies. I am mistaken about how this is happening. Sometimes it's
a challenge to get accurate information from a different division that
takes care of this client system.
The computers running the SMTP client software are members of a child
domain in our AD forest, there's a VPN between those computers and a
different segment of our network housing the child domain AD
infrastructure, but for some reason (probably bandwidth and latency) the
SMTP client is connecting over the public Internet connection at the
client sites rather than the VPN. I think that mostly explains how the
infrastructure is there to use Kerberos for authentication.
Here's what I see it doing with wireshark on the server.
A screen shot of some of what I see:
http://img94.imageshack.us/img94/2579/gssapismtpauth.png
The gist of it is
S: 220 mail.exch01.com ...
C: EHLO NETBIOSName
S: 250-mail.exch01.com Hello [ip.addr.of.client] | 250- ... several
items including AUTH GSSAPI NTLM LOGIN among others ....
C: AUTH gssapi ...long string...
S: 334 ...long string...
C: ...long string...
S: 235 2.7.0 Authentication successful.
C: MAIL FROM:<send...@address.com>
S: 250 2.1.0 send...@address.com ... Sender OK
C: RCPT TO:<someb...@yahoo.com>
S: 250 2.1.5 someb...@yahoo.com
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
... blah blah blah ...
> The clients may be doing NTLM or PLAIN or nothing at all. You need
> to figure out what's actually used. If TLS is not in use a simple
> packet capture plus wireshark or similar will show you exactly what
> the client and server are doing.
In addition to what I see in Wireshark, the event log shows it's using
GSSAPI when I turn on the MSTransport authentication logging level to debug.
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Authentication
Event ID: 1708
Date: 4/25/2013
Time: 11:17:49 AM
User: N/A
Computer: EXCH01
Description:
SMTP Authentication was performed successfully with client "A510E". The
authentication method was "GSSAPI" and the username was "MYDOMAIN\AAA".
I'm not sure that my understanding of the security of the GSSAPI
method is accurate, or that the infrastructure is there in this case
to support doing this with Postfix?
> The Postfix SMTP client if compiled with Cyrus SASL support, and
> provided the Cyrus SASL gssapi plugin is installed will do GSSAPI.
> There is no GSSAPI-specific code in Postfix, all the logic is in
> Cyrus SASL. However, you need to specify a KRB5CCNAME in the
> client's environment that is readable by the "postfix" user and
> contains valid tickets at all times. To do this, run a cron-job
> periodically that uses a keytab file to populate the credential
> cache with freshly valid tickets.
>
> If the above is just a bunch of greek to you, you want to look for
> alternatives to GSSAPI.
It's not entirely greek, but I'm trying to learn more greek. However, I
don't believe that I need the Postfix client to do any authentication
other than anonymous. It would be relaying messages from authenticated
clients to Internet recipients via MX records. I'm only trying to
configure the smtpd portion of Postfix for secure authentication.
> If you replace the Exchange servers with Postfix, you can support
> any of the following authorization methods:
>
> - Allow any client to send anywhere (internal open relay).
> - Whitelist the particular sending IPs.
> - Allow the clients to send via authorized TLS client certs.
> - Allow the clients to send via any mutually supported SASL
> mechanism, including PLAIN and/or GSSAPI.
>
> For server-side GSSAPI support the server will need a keytab file
> containing shared keys with the appropriate realm's KDCs.
The fourth option listed is what I'm trying to accomplish with GSSAPI,
but have been finding challenging to get working. I'll go back over my
configuration a time or two and try and find something specific that
will point to where it's not working.
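The script below is an added example and is not code from this thread or from the Postfix project. It renders the two pieces Viktor describes: the smtpd-side Cyrus SASL and main.cf settings for the fourth option (GSSAPI as the only SASL mechanism, relaying permitted only for authenticated clients, server keytab holding the smtp/ service key), and, for the case where the Postfix SMTP client itself has to authenticate, the cron job that refreshes a credential cache from a keytab. The host name mail.example.com, the realm AD.EXAMPLE.COM, the principal postfix-relay, the keytab and cache paths, the /etc/sasl2 location of smtpd.conf (Debian uses /etc/postfix/sasl/) and the 4-hour refresh interval are all assumptions. Setting ROOT to a staging directory renders everything under that directory instead of the live system.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project: renders the
# Postfix smtpd GSSAPI configuration (Cyrus SASL smtpd.conf + main.cf) and
# the client-side credential-cache refresh job. All names and paths below
# are assumptions; adjust them to your site.
set -eu

ROOT="${ROOT:-}"                           # non-empty: render under a staging root
MAILHOST="mail.example.com"                # assumed FQDN; the SPN must be smtp/$MAILHOST
REALM="AD.EXAMPLE.COM"                     # assumed AD realm (the child domain in the thread)
SMTPD_KEYTAB="/etc/postfix/smtpd.keytab"   # holds smtp/$MAILHOST@$REALM; chown postfix, mode 0400
CLIENT_KEYTAB="/etc/postfix/client.keytab" # only for the Postfix SMTP *client* case
CLIENT_PRINC="postfix-relay@$REALM"        # assumed service account used by the client
CCACHE="/var/lib/postfix/krb5cc_postfix"   # cache the smtp(8) client reads via KRB5CCNAME

# Cyrus SASL config for smtpd (main.cf: smtpd_sasl_path = smtpd). Only GSSAPI is
# offered, so no pwcheck_method is needed; the keytab option tells the GSSAPI plugin
# where the service key lives instead of the default /etc/krb5.keytab.
write_sasl_smtpd_conf() {
    mkdir -p "$ROOT/etc/sasl2"
    cat > "$ROOT/etc/sasl2/smtpd.conf" <<EOF
mech_list: gssapi
keytab: $SMTPD_KEYTAB
EOF
    chmod 0644 "$ROOT/etc/sasl2/smtpd.conf"
    printf '%s\n' "$ROOT/etc/sasl2/smtpd.conf"
}

# main.cf settings: SASL on, no anonymous or plaintext mechanisms ever offered,
# opportunistic TLS, and relaying only for mynetworks or authenticated clients.
main_cf_settings() {
    cat <<EOF
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_authenticated_header = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/$MAILHOST.crt
smtpd_tls_key_file = /etc/postfix/$MAILHOST.key
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
}

# Apply with postconf -e on a live host, or append to a staged main.cf under ROOT.
write_main_cf_settings() {
    if [ -z "$ROOT" ]; then
        main_cf_settings | while IFS= read -r line; do postconf -e "$line"; done
    else
        mkdir -p "$ROOT/etc/postfix"
        main_cf_settings >> "$ROOT/etc/postfix/main.cf"
    fi
    printf '%s\n' "$ROOT/etc/postfix/main.cf"
}

# Client case: a root cron job that keeps a TGT for the "postfix" user in CCACHE.
write_client_refresh_job() {
    mkdir -p "$ROOT/usr/local/sbin" "$ROOT/etc/cron.d"
    cat > "$ROOT/usr/local/sbin/postfix-refresh-krb5" <<EOF
#!/bin/sh
# Refresh the Postfix SMTP client's Kerberos TGT from a keytab (run by cron as root).
set -eu
export KRB5CCNAME="FILE:$CCACHE"
kinit -k -t "$CLIENT_KEYTAB" "$CLIENT_PRINC"   # -k -t: authenticate with the keytab, no password
chown postfix:postfix "$CCACHE"                # smtp(8) runs as "postfix" and must read the cache
chmod 0600 "$CCACHE"
klist -s                                       # exit non-zero if the cache holds no valid TGT
EOF
    chmod 0755 "$ROOT/usr/local/sbin/postfix-refresh-krb5"
    # Every 4 hours, well inside the 10-hour default AD ticket lifetime (assumption).
    printf '0 */4 * * * root /usr/local/sbin/postfix-refresh-krb5\n' > "$ROOT/etc/cron.d/postfix-krb5"
    printf '%s\n' "$ROOT/usr/local/sbin/postfix-refresh-krb5"
}

# Usage: "install" renders the smtpd (server) side, "install-client" the client job.
case "${1:-}" in
    install)        write_sasl_smtpd_conf; write_main_cf_settings ;;
    install-client) write_client_refresh_job ;;
esac
```

The server keytab is exported from the AD side for the account that owns the smtp/mail.example.com SPN (ktpass on a domain controller, or the equivalent for the child domain); it must be readable by the postfix user, since smtpd(8) runs unprivileged. For the client case, Postfix daemons only see environment variables listed in import_environment, so KRB5CCNAME=FILE:/var/lib/postfix/krb5cc_postfix has to be added there as well as exported in the cron script. Two checks worth doing after a restart: the EHLO response should now advertise only AUTH GSSAPI (Exchange's NTLM and LOGIN will be gone, so non-domain clients can no longer authenticate), and, echoing Viktor's first point, the proof that a client really used Kerberos is the sasl_method=GSSAPI, sasl_username=... pair on the smtpd connect line in the mail log, not the mechanism list.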