Re: [exim] SMTP-AUTH, Kerberos and SSL

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: Jaap Winius
CC: exim-users
Sujet: Re: [exim] SMTP-AUTH, Kerberos and SSL
On 2011-04-08 at 19:27 +0200, Jaap Winius wrote:
> Is it possible to configure an Exim4 server (exim4-daemon-heavy 4.72-6
> on Debian squeeze) to offer an authenticated SMTP service with
> end-to-end SSL encryption while authenticating the passwords with
> Kerberos?


"Yes". But I can't help you with the Debian-specific configuration.

You need to clarify because of your phrasing: if using GSSAPI, then no
passwords are exchanged over the SMTP session; instead, you prove
possession of a service ticket. This approach needs the client to have
tickets and to support GSSAPI/Kerberos.

It's possible to coerce this on for clients such as Thunderbird, but
takes a little tinkering of the raw config options (or did, back when I
last set this up a couple of years back; there's a button which brings
up the same sort of config access as Firefox gives you with the
<about:config> URL).

Separately, you can use passwords over SMTP, which the backend then
authenticates against Kerberos; you lose much of the protection that
Kerberos provides and your client had better be verifying certificates
to get the disclosure-to-MitM protection that Kerberos would provide if
you were using it.

You currently have a setup which mostly does the former, but you
describe the latter.

           Mail-Client       Mail-Server      Auth-Server
              |                   |               |
Approach 1:   > Get TGT -------------------------->
              <---------------------- TGT issued -<


              > SMTP =============>
               > SASL GSSAPI =====>
                * Get service ticket ------------->
                <---------- service ticket issued <
               > continue GSSAPI =>
               * mutually authed  *
              <- SMTP continues -->


Approach 2:   > SMTP =============>
               > Auth: user/pass ->
                                  < Kerberos auth >
               * client authed    *
              <- SMTP continues -->


With approach 1, it doesn't matter if there's an attacker and the user
clicks through a certificate warning, their password still won't be
compromised.

> So far I've added the following to 00_exim4-config_header:
>
>    sasl_gssapi:
>       driver = cyrus_sasl
>       public_name = GSSAPI
>       server_realm = EXAMPLE.COM
>       server_set_id = $auth1


Looks mostly sane. I'd add:
server_advertise_condition = ${if def:tls_cipher}
so that you don't risk using confidentiality or authentication
protection layers from GSSAPI wrapping -- as long as SSL/TLS is in use,
that will be used. Exim doesn't support GSSAPI wrapping.

> In addition to that:
>
> * The mail server has a functioning Kerberos client.
> * I've created the following principal for it in the KDC:
>      smtp/email.example.com@???
> * I've added the keys for it to the local key table.
> * I've created the following environment variable:
>      KRB5_KTNAME=/etc/krb5.keytab
> * The key table has permissions 640 and owner.group
>    root.Debian-exim.


I believe that KRB5_KTNAME is Heimdal-specific and you don't mention
which Kerberos implementation you're using.

/etc/krb5.keytab really has the host-login tabs, so would be used by
ssh, kerberised telnet, etc. Probably not good to open that up to Exim.
Instead, use a different file and open the permissions on that up.

Eg, on FreeBSD, my /etc/rc.conf.d/exim contains:
KRB5_KTNAME=/etc/kerberos/tabs/exim.keytab
export KRB5_KTNAME

> Still, I'm missing some things. For instance, I'm not even sure how
> the MUAs should be configured (e.g. port 25, 465 or 587? SSL/TLS or
> STARTTLS?).


MUAs using 465 or 587. Doesn't matter which. 465 is SSL-on-connect;
many client apps take "SSL" to mean SSL-on-connect and "TLS" to imply
STARTTLS. So you probably should aim for 587 with STARTTLS and the
clients set to "TLS".

I don't recall finding a decent command-line testing tool that supports
GSSAPI. I've written such clients for IMAP and ManageSieve, I don't
know when I might get around to writing one for SMTP, since for most of
my SMTP debugging use, telnet, gnutls-cli and swaks cover it all.

-Phil