Re: [exim] Smarthost with Kerberos Auth

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Andy Bennett
CC: exim-users
Subject: Re: [exim] Smarthost with Kerberos Auth
On 2013-01-05 at 00:10 +0000, Andy Bennett wrote:
> I have not found any suggestions that the cyrus_sasl authenticator can
> work in client mode.


It can't, it's server-only. And even if it weren't, it's limited in
things like being able to specify alternative keytab files. Exim as a
client is going to be running as the Exim runtime user, so should not
have access to `/etc/krb5.keytab`. There's no way to direct Exim with
cyrus-sasl to use an alternative keytab in a reliable and portable way,
in large part because Exim is a setuid binary (so, eg, Heimdal will
ignore KRB5_KTNAME).

> + For exim acting as an SMTP client (i.e. when initiating an SMTP
> connection to the smarthost) to use the data in a keytab to provide a
> username and password to an authenticator.


>  + For exim acting as an SMTP client to use a Kerberos service ticket
> (obtained with the credentials in the keytab) to authenticate to the
> relay via GSSAPI.
>    This is the ideal scenario and in this instance the credentials would
> never be sent over the wire.


Neither at present. The correct fix is to expand the heimdal_gssapi
authenticator to handle client-side authentication. This would be the
simplest, with fewer layers of abstraction to manipulate, and is newer
code (introduced with Exim 4.80).

> Alternatively, can anyone recommend a nullmailer or equivalent that I
> can use on the client machines?


I'm not aware of a Kerberos-speaking one.

> The only vaguely relevant message I could find in the archive is this
> one which explains auth negotiations:
>
> https://lists.exim.org/lurker/message/20110409.005823.27da0235.en.html


That was me, and since then I've written the heimdal_gssapi
authenticator.

I welcome patches to add the client-side code for heimdal_gssapi; I'm
not going to have time to write the code myself, any time soon.

`src/auths/heimdal_gssapi.c` and fill out the body of
`auth_heimdal_gssapi_client()`, probably adding options to
`auth_heimdal_gssapi_options` (keep sorted alphabetically) and change
`auth_heimdal_gssapi_init()` so that if the client side is configured
acceptably, then `ablock->client` is set `TRUE`. You'll need to make
sure that both client and server can be independently enabled in the
..._init() function without bailing out too early.

-Phil