Re: [exim] SMTP-AUTH, Kerberos and SSL

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Jaap Winius
Dátum:  
Címzett: exim-users
Régi témák: [exim] SMTP-AUTH, Kerberos and SSL
Tárgy: Re: [exim] SMTP-AUTH, Kerberos and SSL
Quoting Jaap Winius <jwinius@???>:

> Is it possible to configure an Exim4 server (exim4-daemon-heavy
> 4.72-6 on Debian squeeze) to offer an authenticated SMTP service
> with end-to-end SSL encryption while authenticating the passwords
> with Kerberos?
>
> So far I've added the following to 00_exim4-config_header:
>
>   sasl_gssapi:
>      driver = cyrus_sasl
>      public_name = GSSAPI
>      server_realm = EXAMPLE.COM
>      server_set_id = $auth1


To finally answer my own question of 2011-04-08, yes you can (I'm
still using MIT Kerberos, but now with Debian wheezy and Exim 4.80),
the section above is correct, and besides a working Kerberos client
(using k5start to regularly renew the host ticket) and a few extra
library packages (one or all three of libsasl2-2, libsasl2-modules and
libsasl2-modules-gssapi-mit), all I was missing was a properly set
environment variable that Exim needs to find its keytab file. I used
the following:

    export KRB5_KTNAME="/etc/exim4/exim.keytab"


All I did was append this line to /etc/default/exim4; a text file that
is sourced by /etc/init.d/exim4 every time this script is run. Oh, and
that keytab file is where I saved the keys for
smtp/mail.example.com@??? -- not in the host keytab file,
/etc/krb5.keytab (that's for host/mail.example.com@???).

It works like a charm.

Cheers,

Jaap

PS -- Thanks, Phil, for your reply of 2011-04-08. The configuration
above produces what you described at the time as 'Approach 1', which
is native Kerberos support. Excellent! Every serious SMTP MTA should
be capable of supporting this.