On 2011-04-08 at 19:27 +0200, Jaap Winius wrote:
> Is it possible to configure an Exim4 server (exim4-daemon-heavy 4.72-6
> on Debian squeeze) to offer an authenticated SMTP service with
> end-to-end SSL encryption while authenticating the passwords with
> Kerberos?
"Yes". But I can't help you with the Debian-specific configuration.
You need to clarify because of your phrasing: if using GSSAPI, then no
passwords are exchanged over the SMTP session; instead, you prove
possession of a service ticket. This approach needs the client to have
tickets and to support GSSAPI/Kerberos.
It's possible to coerce this on for clients such as Thunderbird, but
takes a little tinkering of the raw config options (or did, back when I
last set this up a couple of years back; there's a button which brings
up the same sort of config access as Firefox gives you with the
<about:config> URL).
Separately, you can use passwords over SMTP, which the backend then
authenticates against Kerberos; you lose much of the protection that
Kerberos provides and your client had better be verifying certificates
to get the disclosure-to-MitM protection that Kerberos would provide if
you were using it.
You currently have a setup which mostly does the former, but you
describe the latter.
              Mail-Client           Mail-Server           Auth-Server
                   |                     |                     |
Approach 1:        > Get TGT ---------------------------------->
                   <------------------------------ TGT issued -<
                   > SMTP =============>
                   > SASL GSSAPI =====>
                   *                     Get service ticket --->
                   <------------------- service ticket issued -<
                   > continue GSSAPI =>
                   *   mutually authed   *
                   <-- SMTP continues -->

Approach 2:        > SMTP =============>
                   > Auth: user/pass ->
                                         <-- Kerberos auth --->
                   *   client authed     *
                   <-- SMTP continues -->
With approach 1, it doesn't matter if there's an attacker and the user
clicks through a certificate warning, their password still won't be
compromised.
> So far I've added the following to 00_exim4-config_header:
>
> sasl_gssapi:
>   driver = cyrus_sasl
>   public_name = GSSAPI
>   server_realm = EXAMPLE.COM
>   server_set_id = $auth1
Looks mostly sane. I'd add:
  server_advertise_condition = ${if def:tls_cipher}
so that you don't risk using confidentiality or authentication
protection layers from GSSAPI wrapping -- as long as SSL/TLS is in use,
that will be used. Exim doesn't support GSSAPI wrapping.
> In addition to that:
>
> * The mail server has a functioning Kerberos client.
> * I've created the following principal for it in the KDC:
> smtp/email.example.com@???
> * I've added the keys for it to the local key table.
> * I've created the following environment variable:
> KRB5_KTNAME=/etc/krb5.keytab
> * The key table has permissions 640 and owner.group
> root.Debian-exim.
I believe that KRB5_KTNAME is Heimdal-specific and you don't mention
which Kerberos implementation you're using.
/etc/krb5.keytab really has the host-login tabs, so would be used by
ssh, kerberised telnet, etc. Probably not good to open that up to Exim.
Instead, use a different file and open the permissions on that up.
Eg, on FreeBSD, my /etc/rc.conf.d/exim contains:
  KRB5_KTNAME=/etc/kerberos/tabs/exim.keytab
  export KRB5_KTNAME
> Still, I'm missing some things. For instance, I'm not even sure how
> the MUAs should be configured (e.g. port 25, 465 or 587? SSL/TLS or
> STARTTLS?).
MUAs using 465 or 587. Doesn't matter which. 465 is SSL-on-connect;
many client apps take "SSL" to mean SSL-on-connect and "TLS" to imply
STARTTLS. So you probably should aim for 587 with STARTTLS and the
clients set to "TLS".
I don't recall finding a decent command-line testing tool that supports
GSSAPI. I've written such clients for IMAP and ManageSieve, I don't
know when I might get around to writing one for SMTP, since for most of
my SMTP debugging use, telnet, gnutls-cli and swaks cover it all.
-Phil
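The two hardening points from the reply above (advertise GSSAPI only once TLS is up, and give Exim its own keytab rather than the host's /etc/krb5.keytab) as a small audit script. This is an added example, not code from the thread or from the Exim project: it writes the authenticator stanza as posted and a hardened copy into a throwaway sandbox, creates a constructed keytab pair (placeholder contents, no real key material), and checks each against those points. It assumes GNU stat(1) for the mode and group checks; because the sandbox cannot chgrp to Debian-exim, the group the daemon runs as is passed in as a parameter, and the demo run uses the current user's primary group as a stand-in.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the authenticator
# stanza and keytab placement against the two points raised in the reply.
# Assumes GNU stat(1); exim group is a parameter (Debian-exim on squeeze).
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
CONF_AS_POSTED="$SANDBOX/authenticator.as_posted"
CONF_HARDENED="$SANDBOX/authenticator.hardened"
EXIM_KEYTAB="$SANDBOX/kerberos/tabs/exim.keytab"   # dedicated tab, as in rc.conf.d/exim
HOST_KEYTAB="$SANDBOX/krb5.keytab"                 # stand-in for /etc/krb5.keytab

# The stanza from the question, verbatim, plus a copy carrying the line
# suggested in the reply so GSSAPI is only offered under a TLS cipher.
write_stanzas() {
    cat > "$CONF_AS_POSTED" <<'EOF'
sasl_gssapi:
  driver = cyrus_sasl
  public_name = GSSAPI
  server_realm = EXAMPLE.COM
  server_set_id = $auth1
EOF
    { cat "$CONF_AS_POSTED"
      printf '  server_advertise_condition = ${if def:tls_cipher}\n'
    } > "$CONF_HARDENED"
}

# Constructed keytab files; contents are placeholders, not key material.
make_keytabs() {
    mkdir -p "$(dirname "$EXIM_KEYTAB")"
    printf 'constructed exim keytab\n' > "$EXIM_KEYTAB"
    printf 'constructed host keytab\n' > "$HOST_KEYTAB"
    chmod 640 "$EXIM_KEYTAB"
    chmod 600 "$HOST_KEYTAB"
}

# Succeeds only if the GSSAPI authenticator carries the TLS-only advertise
# condition, i.e. the mechanism is never offered on a cleartext session.
gssapi_is_tls_only() {
    grep -qF 'public_name = GSSAPI' "$1" &&
    grep -qF 'server_advertise_condition = ${if def:tls_cipher}' "$1"
}

# Succeeds only if the keytab Exim will read (the KRB5_KTNAME value) is a
# dedicated file rather than the host login keytab, exists, is mode 0640
# and is group-owned by the group the daemon runs as.
keytab_is_isolated() {
    ktname=$1
    exim_group=$2
    case "$ktname" in
        */krb5.keytab) return 1 ;;  # shared with ssh, kerberised telnet, etc.
    esac
    [ -f "$ktname" ] || return 1
    [ "$(stat -c '%a' "$ktname")" = 640 ] || return 1
    [ "$(stat -c '%G' "$ktname")" = "$exim_group" ] || return 1
}

write_stanzas
make_keytabs

# Same shape as the rc.conf.d/exim fragment, pointed at the sandbox copy.
KRB5_KTNAME=$EXIM_KEYTAB
export KRB5_KTNAME

# Demo run: the current user's primary group stands in for Debian-exim.
for f in "$CONF_AS_POSTED" "$CONF_HARDENED"; do
    if gssapi_is_tls_only "$f"; then echo "ok   GSSAPI offered only under TLS: $f"
    else echo "WARN GSSAPI advertised on cleartext sessions: $f"; fi
done
for kt in "$HOST_KEYTAB" "$KRB5_KTNAME"; do
    if keytab_is_isolated "$kt" "$(id -gn)"; then echo "ok   dedicated keytab: $kt"
    else echo "WARN keytab not isolated for Exim: $kt"; fi
done
```

On a real host you would point the two checks at the live 00_exim4-config_header and at whatever KRB5_KTNAME the daemon's environment carries; the stanza as posted fails the first check and the host keytab fails the second, which is exactly the pair of changes the reply recommends.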