Matthew Larsen
2013-04-25 00:35:17 UTC
I'm working on a project to replace an Exchange 2003 server that is only
still around these days because we have lots of SMTP clients around the
country that use it as an SMTP relay. It only relays messages for clients
authenticated by our Active Directory domain. Members of a group in the
parent domain and a group in the child domain are given relay permissions
for this server.
The clients are almost entirely a .Net application that's configured with a
username, password, server name, port, SSL requirement toggle, and return
address. The application uses this information to relay messages through
this server when there isn't another option available for relay at that
customer's site.
I've been working on a Postfix and SASL configuration to take this Exchange
server's place as an authenticated SMTP relay and have a couple of
questions about SASL and SMTP AUTH that I'm struggling to find information
on.
I've noticed in a network trace of the traffic on the Exchange server that
the authentication by SMTP clients uses the GSSAPI mechanism. I'm not sure
how a Kerberos exchange would work with these clients. None of them are
computers joined to our AD domain, and they would have no way of knowing where
to find, or even of accessing, a KDC (domain controller) to get a TGT or make a
TGS_REQ from the KDC. I'm not sure how that works.
As this is translated to a Postfix configuration:
Are Postfix and the SASL framework both the client and the service in the
Kerberos authentication process, and how would / does the SMTP client
exchange the credentials with the SMTP AUTH process?
Does the SMTP client have a fallback method where it encrypts or encodes
the username and password that is passed on to the SMTP AUTH process using
the GSSAPI mechanism? This obviously depends on the SMTP client, but I
guess I'm asking how this is even possible.
Is it a correct assumption that the authentication communication between
the SMTP client and the SMTP server with the GSSAPI mechanism is more
secure on the wire than AUTH LOGIN without TLS?
Among several other sources I've read through online, I've read through the
SASL documentation at:
http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/2.1.23/
http://www.unixdev.net/docs/postfix/SASL_README.html#server_cyrus
As of yet I've been unsuccessful at getting Postfix and SMTP AUTH to work
with the GSSAPI mechanism and our AD. I've referenced a couple of guides
online, but I'm still not understanding something.
http://www.codealias.info/technotes/postfix_gssapi_authentication_howto
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6717
My apologies for the long email. Any answers, pointers, information, or
how-to information I should check out to get this working would be very
much appreciated.
The results from postfinger and saslfinger are given below:
/////////////////////////////////
postfinger - postfix configuration on Wed Apr 24 16:34:45 PDT 2013
version: 1.30
Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public. If this is the case it is your responsibility to modify
the output to hide this private information. [Remove this warning with
the --nowarn option.]
--System Parameters--
mail_version = 2.6.6
hostname = SBSMTPNV03.mydomain.com
uname = Linux SBSMTPNV03.mydomain.com 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed
Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
--Packaging information--
looks like this postfix comes from RPM package:
postfix-2.6.6-2.2.el6_1.x86_64
--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mynetworks = 10.20.3.0/24, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_recipient_restrictions =
permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
transport_maps = hash:/etc/postfix/exchange_domains
--master.cf--
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- end of postfinger output --
///////////////////////////////
//////////////////////////////
saslfinger - postfix Cyrus sasl configuration Wed Apr 24 16:32:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f8161d95000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x. 2 root root 4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23
-- listing of /etc/sasl2 --
total 12
drwxr-xr-x. 2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 24 15:22 ..
-rw-r--r-- 1 root root 69 Apr 23 11:30 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
-- end of saslfinger output --
////////////////////////////////////////////
The contents of my keytab file imported from ktpass:
[***@SBSMTPNV03 mpiadmin]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 smtp/***@MYDOMAIN.com (des-cbc-crc)
4 smtp/***@MYDOMAIN.com (des-cbc-md5)
4 smtp/***@MYDOMAIN.com (arcfour-hmac)
4 smtp/***@MYDOMAIN.com (aes256-cts-hmac-sha1-96)
4 smtp/***@MYDOMAIN.com (aes128-cts-hmac-sha1-96)
--
Thanks,
Matt Larsen
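As an added example (not part of the original message), this script reproduces how Postfix filters the Cyrus SASL mechanism list, using the main.cf parameters and the /etc/sasl2/smtpd.conf contents quoted in the post, so you can see which mechanisms this smtpd would actually offer before STARTTLS. It assumes only PLAIN and LOGIN count as plaintext mechanisms, which matches the plugins listed under /usr/lib64/sasl2 above.

```python
import re

# Mechanisms Cyrus SASL treats as plaintext; "noplaintext" removes them.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed input: the SASL-related main.cf parameters quoted in the post.
MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
"""

# Constructed input: /etc/sasl2/smtpd.conf as quoted in the post.
SMTPD_CONF = """
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login
"""


def parse_main_cf(text):
    """Return {parameter: value} for every 'key = value' line."""
    return dict(re.findall(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", text, re.M))


def parse_mech_list(text):
    """Return upper-cased mechanisms from a Cyrus SASL 'mech_list:' line."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mech_list":
            return [m.upper() for m in value.split()]
    return []  # no mech_list: Cyrus would offer every installed plugin


def offered_mechs(main_cf, smtpd_conf, tls_active=False):
    """Mechanisms smtpd advertises after Postfix applies its security options."""
    params = parse_main_cf(main_cf)
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        return []
    opts = params.get("smtpd_sasl_security_options", "noanonymous")
    if tls_active:  # after STARTTLS the TLS variant applies (same default)
        opts = params.get("smtpd_sasl_tls_security_options", opts)
    opts = {o.strip().lower() for o in opts.split(",") if o.strip()}
    mechs = parse_mech_list(smtpd_conf)
    if "noplaintext" in opts:
        mechs = [m for m in mechs if m not in PLAINTEXT_MECHS]
    if "noanonymous" in opts:
        mechs = [m for m in mechs if m != "ANONYMOUS"]
    return mechs
```

With the values from the post, `offered_mechs(MAIN_CF, SMTPD_CONF)` returns only GSSAPI, since no STARTTLS is configured and `noplaintext` strips PLAIN and LOGIN from the mech_list.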