On 07/11/2013 10:01 AM, Viktor Dukhovni wrote:
> On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote:
>
>> Just for posterity, I put together a set of instructions on how to do
>> this beginning to end here:
>>
>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>
>> Though it uses FreeIPA you can easily just use straight Kerberos tools
>> like kadmin.
>
> If active man-in-the-middle attacks are a plausible risk, you should
> look into making TLS mandatory and authenticating the server.
>
> GSSAPI inside TLS currently does not perform channel binding, and
> so your session can be hijacked, after the client authenticates
> with GSSAPI. You can use "fingerprint" security if your server
> certificate is not signed by a usable CA.
>
> As for where to keep non-system keytabs, there is some precedent for
> using /var/spool/keytabs/.
>
> Finally, the main.cf fragment in the document does not indent the
> continuation lines for import_environment correctly. I would also
> avoid the double-spacing.
>
Viktor,

Thanks for giving it a read-through and for the feedback. I'll make some
adjustments. However, do you have a bit more info about what you mean by
channel binding? A link, something along those lines, just so I can
understand the concepts here.

-Erinn
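The following main.cf fragment is an added example for the setup discussed in this thread; it is not taken from the linked blog post or from either message. It shows the three things Viktor's reply asks for: TLS made mandatory with the relay authenticated by certificate fingerprint (for a relay whose certificate is not signed by a usable CA), a keytab kept under /var/spool/keytabs/, and correctly indented continuation lines for import_environment. The relay hostname, the principal name, the file paths and the fingerprint value are all placeholders.

```conf
# /etc/postfix/main.cf fragment: relay outbound mail through an SMTP submission
# server with mandatory TLS, certificate pinning and GSSAPI (Kerberos) SASL.
# Added example. relay.example.com, client.example.com, the keytab/cache paths
# and the fingerprint below are placeholders, not values from the thread.

relayhost = [relay.example.com]:587

# TLS: "fingerprint" is mandatory TLS (no plaintext fallback) with the server
# authenticated by the digest of its certificate, so no CA is involved. If the
# relay's certificate IS signed by a CA you trust, use "secure" together with
# smtp_tls_CAfile instead and drop the fingerprint settings.
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
# Placeholder digest. Take the real one from:
#   openssl x509 -in relay-cert.pem -noout -sha256 -fingerprint
smtp_tls_fingerprint_cert_match =
    00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
smtp_tls_loglevel = 1

# SASL: restrict the client to the GSSAPI mechanism. Postfix only attempts SASL
# when the password map has an entry for the relay; GSSAPI ignores the password
# field, so any non-empty value works there.
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Contents of /etc/postfix/sasl_passwd (then run: postmap /etc/postfix/sasl_passwd):
#   [relay.example.com]:587 smtp/client.example.com@EXAMPLE.COM:unused

# Kerberos: smtp(8) runs as the unprivileged postfix user, so the keytab and
# credential cache must be readable by it and live outside /etc/krb5.keytab.
# The first continuation line repeats the stock default list (check it with
# "postconf -d import_environment"); dropping it would unset TZ, LANG, etc.
# Every continuation line MUST start with whitespace. A line that starts in
# column 1 is parsed as a new parameter, which is the indentation mistake
# Viktor points out.
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/var/spool/keytabs/postfix.keytab
    KRB5_CCNAME=/var/spool/keytabs/postfix.ccache
```

After editing, `postconf -n` should list each of these parameters once; a mis-indented continuation line shows up there as a spurious parameter named after the first word of that line. The fragment assumes something keeps a valid TGT for the client principal in the credential cache (for example a periodic `kinit -k -t /var/spool/keytabs/postfix.keytab` run as the postfix user, or, on MIT Kerberos 1.11 and later, exporting `KRB5_CLIENT_KTNAME` to the keytab instead of `KRB5_CCNAME` so credentials are acquired on demand). Note the limit Viktor describes: pinning the certificate stops an active attacker before GSSAPI runs, but the GSSAPI exchange itself is still not bound to the TLS channel, so server authentication via TLS, not GSSAPI, is what protects the session.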