Hi,

This message is about how to use Kerberos to authenticate other Exim MTAs in a smarthost configuration. First I shall describe my current configuration and how I would like to change it.

For many years I have used Exim to run both an MX and a Submission service. I used Tony Finch's University of Cambridge documentation as a guide but, briefly, I run Exim on ports 25, 587 and 465. If the user connects with TLS or SSL on 587 or 465 and authenticates, then we put Exim into submission mode and will relay mail to anywhere for them. If the user connects on port 25 then there are no AUTH MECHs advertised and we only accept mail to domains for which we are MX.

There are no local deliveries in the UNIX-mail sense of the word. All "local" mail is delivered via LMTP-A to a Cyrus IMAP server. For this, Exim has a client authenticator configured with a username and a password that is a Cyrus admin. Exim authenticates as this user and, if the incoming SMTP session is also authenticated, authorizes as that user. This allows local users to use the Cyrus bulletin board and shared folder functionality with ACLs.

Both Exim and Cyrus use SASL to authenticate their users. Exim currently uses saslauthd to provide PLAIN and LOGIN mechanisms over encrypted connections.

This configuration works fine, but now my requirements have grown.

+ I now have a Kerberos Realm set up for SSH and local logins to machines.
+ I need to provide a smarthost / relay service for some of these machines.
+ I need to authenticate the machines using the smarthost service even if they are mobile.
+ I want to allow people to authenticate to the submission service with their Kerberos tickets or Kerberos credentials instead of the sasldb2 ones.

Historically there has never been a major requirement for a smarthost / relay service, so in the one or two cases where it has been required I have added an account 'exim@host' and, if appropriate, changed the settings such that submission mode is not invoked for that account.

I have read the documentation and come across the cyrus_sasl authenticator. It might make sense to use this to replace the current saslauthd-powered PLAIN and LOGIN mechanisms. I can also see how to use it to provide a GSSAPI mechanism on the relay so that clients can use their Kerberos tickets to authenticate without sending their username or password.

Now for my question: I want to configure some machines to use the relay that I described above as a smarthost. Currently, when I deploy these machines I am able to generate Kerberos keytabs for their host keys to enable Kerberized login; i.e. I already have the infrastructure to generate and manage these keytabs. A Kerberos keytab is essentially a Kerberos Principal name and a bunch of random data which constitutes the Kerberos Principal's passphrase.

I have not found any suggestions that the cyrus_sasl authenticator can work in client mode. Is it possible to do either of these things:

+ For Exim acting as an SMTP client (i.e. when initiating an SMTP connection to the smarthost) to use the data in a keytab to provide a username and password to an authenticator. In this scenario the Kerberos credentials would be sent over the wire. This is preferred over having a separate username/password file (/etc/exim4/passwd.client) because I already have the infrastructure for generating and managing the keytabs.
+ For Exim acting as an SMTP client to use a Kerberos service ticket (obtained with the credentials in the keytab) to authenticate to the relay via GSSAPI. This is the ideal scenario, and in this instance the credentials would never be sent over the wire.

Alternatively, can anyone recommend a nullmailer or equivalent that I can use on the client machines?

Is there a way for the client to authenticate to the smarthost and then pass on the authorized user? For example, mail sent by local users would end up being delivered authorized as that user on the relay in the same way as it currently is when they do SMTP AUTH directly to the submission service. Would it be appropriate to set the authenticated sender to the envelope sender when we receive mail from trusted machines?

The only vaguely relevant message I could find in the archive is this one, which explains auth negotiations: https://lists.exim.org/lurker/message/20110409.005823.27da0235.en.html

Thanks for your time and any suggestions.

Regards,
@ndy

--
andy...@ashurst.eu.org http://www.ashurst.eu.org/ 0x7EBA75FF

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
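As an added illustration (editor's example, not the poster's configuration and not from the Exim project): an Exim configuration fragment for the two server-side pieces the message describes, a cyrus_sasl GSSAPI authenticator advertised only on the TLS-protected submission ports, and the PLAIN client authenticator used towards Cyrus LMTP that authenticates as the admin account while authorizing as the user who did SMTP AUTH. The realm EXAMPLE.ORG, the admin account name cyrusadmin, the lsearch password file /etc/exim4/cyrus-admin.pw (one line, "cyrusadmin: secret") and the LMTP host imap.example.org are assumptions; the option names are those documented for the cyrus_sasl, plaintext and smtp drivers.

```text
# Editor's example, not the poster's config. Assumed: realm EXAMPLE.ORG, Cyrus admin
# account "cyrusadmin", lsearch file /etc/exim4/cyrus-admin.pw, LMTP on imap.example.org.

# --- main section ---
daemon_smtp_ports    = 25 : 587 : 465
tls_on_connect_ports = 465

begin authenticators

# GSSAPI through Cyrus SASL: the client presents a service ticket for
# smtp/$primary_hostname@EXAMPLE.ORG, so no password ever crosses the wire.
gssapi:
  driver = cyrus_sasl
  public_name = GSSAPI
  server_mech = GSSAPI
  server_service = smtp
  server_hostname = $primary_hostname
  server_realm = EXAMPLE.ORG
  # Only advertise AUTH once TLS is up and only on the submission ports, so the
  # MX on port 25 never offers it.  (Use $tls_cipher instead of $tls_in_cipher
  # on Exim releases older than 4.80.)
  server_advertise_condition = ${if and {{def:tls_in_cipher}{or{{eq{$received_port}{587}}{eq{$received_port}{465}}}}}}
  # Cyrus SASL hands the authenticated principal back in $auth1.
  server_set_id = $auth1

# Client side, used by the LMTP transport below.  PLAIN is authzid NUL authcid
# NUL password; "^" becomes NUL in client_send.  The authorization identity is
# the user who authenticated to us (empty for unauthenticated mail), so Cyrus
# applies that user's shared-folder ACLs while we log in as the admin.
cyrus_proxy:
  driver = plaintext
  public_name = PLAIN
  client_send = ^${if def:authenticated_id{$authenticated_id}{}}^cyrusadmin^${lookup{cyrusadmin}lsearch{/etc/exim4/cyrus-admin.pw}{$value}fail}

begin transports

cyrus_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = imap.example.org
  port = 24
  # Refuse to deliver unauthenticated, so a misconfiguration fails closed
  # rather than quietly bypassing the ACLs.
  hosts_require_auth = *
```

Two operational points: the Cyrus SASL gssapi plugin needs to read a keytab containing smtp/host@EXAMPLE.ORG as the user Exim runs as (which keytab it opens is a Cyrus SASL / Kerberos library setting such as KRB5_KTNAME, not an Exim option), and the cyrus_sasl driver has only server_ options, which is why the Cyrus-facing client side above uses the plaintext driver rather than cyrus_sasl.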