On Mon, Jan 11, 2016 at 11:42:53 -0500, Michael Gold wrote:
> The server greeting ("220" line) includes the canonical hostname:
>
>   220 HOSTNAME.example Microsoft ESMTP MAIL Service ready at Mon, 11 Jan 2016 11:21:25 -0500
>
> Please consider using this value, instead of the configured hostname,
> for gssapi authentication. I'd do this by default, with an option to
> disable it. It should be safe--RFC 5321 states:
> "all the greeting-type replies have the official name (the fully-
> qualified primary domain name) of the server host as the first word
> following the reply code."
It occurs to me that this will enable a new attack vector if not done carefully. Normally if somebody spoofs DNS to point the user to another server, or otherwise diverts the connection, the Kerberos authentication will fail because the fake server doesn't have the proper key. But this protection won't work if we pull the hostname from the greeting.

So, it could only be done after some extra checks, e.g.:

* DNSSEC validation or TLS certificate validation on the original name,
* some kind of secure out-of-band lookup like LDAP; or,
* a configured list of acceptable aliases.

--
Michael
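The policy the message describes, as an added example that is not code from the thread or from any mail client: parse the 220 greeting, and use its hostname for the GSSAPI service principal only if it matches the configured name, appears in a configured alias list, or the original name was independently verified (TLS certificate or DNSSEC). The `smtp` service name and the function names are assumptions.

```python
import re

# Added example, not code from the mailing-list thread or any mail client.
# Decides which host goes into the GSSAPI host-based service name when the
# SMTP server's 220 greeting claims a different name than the one configured.

# First greeting line: reply code 220, a space or '-', then the claimed FQDN.
GREETING_RE = re.compile(r"^220[ -]([A-Za-z0-9.-]+)(?:\s|$)")
# Conservative hostname syntax: dot-separated labels of letters, digits, hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def greeting_hostname(line):
    """Return the FQDN claimed in a 220 greeting line, or None if absent/invalid."""
    m = GREETING_RE.match(line.rstrip("\r\n"))
    if not m or not HOSTNAME_RE.match(m.group(1)):
        return None
    return m.group(1).rstrip(".")


def choose_spn_host(configured, greeting_line, aliases=(), original_verified=False):
    """Pick the host for the service principal.

    configured:        hostname the user configured (what the ticket is
                       requested for today).
    greeting_line:     raw 220 line from the server; untrusted input.
    aliases:           configured list of acceptable alternate names.
    original_verified: True only if the connection to `configured` was checked
                       independently (TLS certificate or DNSSEC on that name),
                       so the greeting is known to come from the real server.
    """
    claimed = greeting_hostname(greeting_line)
    if claimed is None or claimed.lower() == configured.lower().rstrip("."):
        return configured
    if original_verified:
        return claimed
    if claimed.lower() in {a.lower().rstrip(".") for a in aliases}:
        return claimed
    # Unverified and unlisted: a diverted connection could have chosen this
    # name, so keep the configured one and let Kerberos fail on a fake server.
    return configured


def service_name(host):
    """GSS_C_NT_HOSTBASED_SERVICE form; using 'smtp' as the service is an assumption."""
    return "smtp@" + host
```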