On Thu, May 13, 2010 at 12:19:04PM -0400, Kaleb Hosie wrote: > Hello, > In our environment, we have a postfix server that receives mail and forwards > only the HAM onto Exchange. > > I have several users that are using notebooks and looking to send and > receive mail remotely. I have Exchange setup to allow IMAP connections and > forwarded the port on the firewall. > > As you can imagine, the problem is with SMTP authentication. When a user > sends an email from a remote location, I would like for it to require > authentication. What's the best way to do that in an Exchange environment?
I would use a PAM Kerberos module, that uses the provided password to obtain (and verify against the server's keytab) a Kerberos ticket issued by Microsoft's Active Directory. To avoid having to populate AD accounts into /etc/passwd on the server, you can use a custom passwd file for the SMTP SASL module smtpd.conf: pwcheck_method: saslauthd mech_list: PLAIN $ ps -e -o args | grep sasl saslauthd -m /var/run/saslauthd -a pam /etc/pam.d/smtp: auth requisite pam_krb5.so auth_only account required pam_localuser.so file=/etc/postfix/saslusers password required pam_deny.so session required pam_deny.so /etc/postfix/saslusers: joeuser:x:99:99:SASL user:/: freduser:x:99:99:SASL user:/: ... You'll also need keys for "host/<servername>@EXAMPLE.COM" where "EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname of your Postfix SMTP server. These should be in /etc/krb5.keytab. -- Viktor. P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.