[exim] Smarthost with Kerberos Auth

Top Page
Delete this message
Reply to this message
Author: Andy Bennett
Date:  
To: exim-users
Subject: [exim] Smarthost with Kerberos Auth
Hi,

This message is about how to use Kerberos to authenticate other exim
MTAs in a smarthost configuration. First I shall describe my current
configuration and how I would like to change it.

For many years I have used exim to run both an MX and a Submission
service. I used Tony Finch's University of Cambridge documentation as a
guide but, briefly, I run exim on port 25, 587 and 465. If the user
connects with TLS or SSL on 587 or 465 and authenticates then we put
exim into submission mode and will relay mail to anywhere for them. If
the user connects on port 25 then there are no AUTH MECHs advertised and
we only accept mail to domains for which we are MX.

There are no local deliveries in the UNIX-mail sense of the word. All
"local" mail is delivered via LMTP-A to a Cyrus IMAP server. For this,
exim has a client authenticator configured with a username and a
password that is a cyrus admin. Exim authenticates as this user and, if
the incoming SMTP session is also authenticated, authorizes as that
user. This allows local users to use the Cyrus bulletin board and shared
folder functionality with ACLs.

Both exim and Cyrus use SASL to authenticate their users. Exim currently
uses saslauthd to provide PLAIN and LOGIN mechanisms over encrypted
connections.

This configuration works fine but now my requirements have grown.

+ I now have a Kerberos Realm set up for SSH and local logins to machines.
+ I need to provide a smarthost / relay service for some of these machines.
+ I need to authenticate the machines using the smarthost service even
if they are mobile.
+ I want to allow people to authenticate to the submission service with
their Kerberos tickets or Kerberos credentials instead of the sasldb2 ones.

Historically there has never been a major requirement for a smarthost /
relay service so in the one or two cases where it has been required I
have added an account 'exim@host' and, if appropriate, changed the
settings such that submission mode is not invoked for that account.

I have read the documentation and come across the cyrus_sasl
authenticator. It might make sense to use this to replace the current
saslauthd powered PLAIN and LOGIN mechanisms. I can also see how to use
it to provide a GSSAPI mechanism on the relay so that clients can use
their Kerberos tickets to authenticate without sending their username or
password.


Now for my question:

I want to configure some machines to use the relay that I described
above as a smarthost. Currently, when I deploy these machines I am able
to generate Kerberos keytabs for their host keys to enable Kerberized
login; i.e. I already have the infrastructure to generate and manage
these keytabs. A Kerberos keytab is essentially a Kerberos Principal
name and a bunch of random data which constitutes the Kerberos
Principal's passphrase.

I have not found any suggestions that the cyrus_sasl authenticator can
work in client mode.

Is it possible to do either of these things:

+ For exim acting as an SMTP client (i.e. when initiating an SMTP
connection to the smarthost) to use the data in a keytab to provide a
username and password to an authenticator.
In this scenario the Kerberos credentials would be sent over the wire.
This is preferred over having a separate username/password file
(/etc/exim4/passwd.client) because I already have the infrastructure for
generating and managing the keytabs.

+ For exim acting as an SMTP client to use a Kerberos service ticket
(obtained with the credentials in the keytab) to authenticate to the
relay via GSSAPI.
This is the ideal scenario and in this instance the credentials would
never be sent over the wire.


Alternatively, can anyone recommend a nullmailer or equivalent that I
can use on the client machines?


Is there a way for the client to authenticate to the smarthost and then
pass on the authorized user? For example, mail sent by local users would
end up being delivered authorized as that user on the relay in the same
way as it currently is when they do SMTP AUTH directly to the submission
service.
Would it be appropriate to set the authenticated sender to the envelope
sender when we receive mail from trusted machines?



The only vaguely relevant message I could find in the archive is this
one which explains auth negotiations:

https://lists.exim.org/lurker/message/20110409.005823.27da0235.en.html




Thanks for your time and any suggestions.



Regards,
@ndy

--
andyjpb@???
http://www.ashurst.eu.org/
0x7EBA75FF