On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:

> Just for posterity, I put together a set of instructions on how to do
> this beginning to end here:
>
> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
> 
> Though it uses FreeIPA you can easily just use straight kerberos tools
> like kadmin.

If active man-in-the-middle attacks are a plausible risk, you should
look into making TLS mandatory and authenticating the server.

GSSAPI inside TLS currently does not perform channel binding, and
so your session can be hijacked, after the client authenticates
with GSSAPI.  You can use "fingerprint" security if your server
certificate is not signed by a usable CA.

As for where to keep non-system keytabs, there is some precedent for
using /var/spool/keytabs/.

Finally, the main.cf fragment in the document does not indent the
continuation lines for import_environment correctly.  I would also
avoid the double-spacing.

-- 
        Viktor.

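The configuration the reply is recommending, written out as an added example (not part of Viktor's message or of the linked blog post): a Postfix main.cf fragment for a relaying SMTP client that requires TLS, verifies the relay's certificate, authenticates with GSSAPI, and imports the keytab location with correctly indented continuation lines. The host name, CA bundle path, keytab path and the SHA-256 fingerprint are placeholders chosen for illustration; substitute your own values.

```conf
# Added example, not part of the original message.
# Relay everything through one host; the [] suppress MX lookup, so the
# next-hop name used for certificate verification is exactly this host.
relayhost = [mail.example.com]

# "secure": TLS is mandatory AND the server certificate must chain to a
# trusted CA and match the next-hop name (mail.example.com).  This is
# what protects the GSSAPI-authenticated session from hijacking, since
# GSSAPI inside TLS does no channel binding on its own.
smtp_tls_security_level = secure
# Path to the CA bundle is an assumption; use your distribution's file.
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1

# Alternative when the relay's certificate is not signed by a usable CA:
# pin the certificate by digest instead.  Use this INSTEAD of
# "secure" above (only one smtp_tls_security_level applies).
# The digest below is a placeholder, not a real fingerprint.
#smtp_tls_security_level = fingerprint
#smtp_tls_fingerprint_digest = sha256
#smtp_tls_fingerprint_cert_match =
#    00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff

# SASL over the (now mandatory) TLS session, restricted to GSSAPI.
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# Tell the Kerberos library where the client keytab lives.  Continuation
# lines of a main.cf parameter MUST start with whitespace; the default
# names are repeated so that import_environment is extended, not replaced.
# The keytab path follows the /var/spool/keytabs/ precedent and is an
# assumption; the file must be readable by the postfix user.
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/var/spool/keytabs/smtp.keytab
```

After editing, `postfix check` reports syntax problems and `postconf import_environment` shows the joined value, which is the quickest way to confirm the continuation lines were parsed as intended. Note that "secure" and "fingerprint" are mutually exclusive settings of the same parameter; the per-destination form in smtp_tls_policy_maps is the usual way to pin a fingerprint for one relay while keeping CA verification elsewhere.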