On Thu, May 13, 2010 at 12:19:04PM -0400, Kaleb Hosie wrote:

> Hello,
> In our environment, we have a postfix server that receives mail and forwards
> only the HAM onto Exchange.
> 
> I have several users that are using notebooks and looking to send and
> receive mail remotely. I have Exchange set up to allow IMAP connections and
> forwarded the port on the firewall.
> 
> As you can imagine, the problem is with SMTP authentication. When a user
> sends an email from a remote location, I would like for it to require
> authentication. What's the best way to do that in an Exchange environment?

I would use a PAM Kerberos module that uses the provided password to
obtain (and verify against the server's keytab) a Kerberos ticket issued
by Microsoft's Active Directory.

To avoid having to populate AD accounts into /etc/passwd on the server,
you can use a custom passwd file for the SMTP SASL module:

    smtpd.conf:
        pwcheck_method: saslauthd
        mech_list: PLAIN

    $ ps -e -o args | grep sasl
        saslauthd -m /var/run/saslauthd -a pam

    /etc/pam.d/smtp:
        auth         requisite    pam_krb5.so auth_only
        account      required     pam_localuser.so file=/etc/postfix/saslusers
        password     required     pam_deny.so
        session      required     pam_deny.so

    /etc/postfix/saslusers:
        joeuser:x:99:99:SASL user:/:
        freduser:x:99:99:SASL user:/:
        ...

You'll also need keys for "host/<servername>@EXAMPLE.COM" where
"EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
of your Postfix SMTP server. These should be in /etc/krb5.keytab.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
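
A preflight check for the two files this setup depends on, added here as an example and not part of the message above: it lints a passwd(5)-style allow-list such as /etc/postfix/saslusers and checks `klist -k` output for the host key. The function names, the host name mail.example.com and both sample inputs are constructed for illustration, and the `klist -k` layout assumed is the MIT Kerberos one.

```sh
#!/bin/sh
# Added example: offline preflight checks for /etc/postfix/saslusers and the keytab.

# Lint a passwd(5)-style allow-list read from stdin.
# Prints one line per problem; exit status is 0 only when the input is clean.
lint_saslusers() {
    awk -F: '
        /^[ \t]*$/  { next }                       # ignore blank lines
        NF != 7     { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad++; next }
        $1 == "" || $1 ~ /[ \t]/ { printf "line %d: malformed user name\n", NR; bad++ }
        seen[$1]++  { printf "line %d: duplicate user \"%s\"\n", NR, $1; bad++ }
        $2 != "x"   { printf "line %d: password field is not \"x\"\n", NR; bad++ }
        END         { exit (bad > 0) }
    '
}

# Read `klist -k` output on stdin; succeed if host/<hostname>@<REALM> has a key.
# Usage on a live server: klist -k /etc/krb5.keytab | keytab_has_host_key HOST REALM
keytab_has_host_key() {
    awk -v want="host/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Constructed sample inputs (not taken from a real system).
sample_saslusers() { cat <<'EOF'
joeuser:x:99:99:SASL user:/:
freduser:x:99:99:SASL user:/:
joeuser:x:99:99:SASL user:/:
baduser:x:99:99:SASL user
EOF
}
sample_klist() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
EOF
}

sample_saslusers | lint_saslusers || echo "allow-list needs fixing"
sample_klist | keytab_has_host_key mail.example.com EXAMPLE.COM && echo "host key present"
```

On the server itself, run `lint_saslusers < /etc/postfix/saslusers` after every edit to the allow-list, since a malformed entry silently locks that user out of SMTP AUTH.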
