On 5/13/2010 12:57 PM, Victor Duchovni wrote:
> On Thu, May 13, 2010 at 12:19:04PM -0400, Kaleb Hosie wrote:
> 
>> Hello,
>> In our environment, we have a postfix server that receives mail and forwards
>> only the HAM onto Exchange.
>>
>> I have several users that are using notebooks and looking to send and
>> receive mail remotely. I have Exchange set up to allow IMAP connections and
>> forwarded the port on the firewall.
>>
>> As you can imagine, the problem is with SMTP authentication. When a user
>> sends an email from a remote location, I would like for it to require
>> authentication. What's the best way to do that in an Exchange environment?
> 
> I would use a PAM Kerberos module, that uses the provided password to
> obtain (and verify against the server's keytab) a Kerberos ticket issued
> by Microsoft's Active Directory.
> 
> To avoid having to populate AD accounts into /etc/passwd on the server,
> you can use a custom passwd file for the SMTP SASL module:
> 
>     smtpd.conf:
>       pwcheck_method: saslauthd
>       mech_list: PLAIN
> 
>     $ ps -e -o args | grep sasl
>       saslauthd -m /var/run/saslauthd -a pam
> 
>     /etc/pam.d/smtp:
>       auth         requisite    pam_krb5.so auth_only
>       account      required     pam_localuser.so file=/etc/postfix/saslusers
>       password     required     pam_deny.so
>       session      required     pam_deny.so
> 
>     /etc/postfix/saslusers:
>       joeuser:x:99:99:SASL user:/:
>       freduser:x:99:99:SASL user:/:
>       ...
> 
> You'll also need keys for "host/<servername>@EXAMPLE.COM" where
> "EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
> of your Postfix SMTP server. These should be in /etc/krb5.keytab.
> 

*bows before the master*
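
An added example, not part of the original thread: a small Python check for the PAM service file and the passwd-style allowlist shown in the quoted reply, flagging the mistakes that would widen or break SMTP AUTH. The function names, the sample strings (constructed from the post's snippets) and the password-placeholder rule are assumptions of this example.

```python
import re

# Constructed samples, copied from the configuration quoted in the thread.
PAM_SMTP = """\
auth      requisite  pam_krb5.so auth_only
account   required   pam_localuser.so file=/etc/postfix/saslusers
password  required   pam_deny.so
session   required   pam_deny.so
"""
SASLUSERS = "joeuser:x:99:99:SASL user:/:\nfreduser:x:99:99:SASL user:/:\n"

RULE = re.compile(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, args) for each rule in a pam.d file."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m[1], m[2], m[3], m[4].split()))
    return rules

def audit(pam_text, users_text):
    """List problems in the PAM stack and the allowlist; [] means clean."""
    out, rules, seen = [], parse_pam(pam_text), set()
    if not any(k == "auth" and m == "pam_krb5.so" for k, _, m, _ in rules):
        out.append("pam: no auth rule using pam_krb5.so")
    acct = [a for k, _, m, a in rules if (k, m) == ("account", "pam_localuser.so")]
    if not acct:
        out.append("pam: no account rule using pam_localuser.so")
    elif not any(arg.startswith("file=") for arg in acct[0]):
        out.append("pam: pam_localuser.so lacks file=, so /etc/passwd is used")
    for n, line in enumerate(users_text.splitlines(), 1):
        fields = line.split(":")
        if not line.strip():
            continue
        if len(fields) != 7 or not fields[0]:
            out.append(f"saslusers:{n}: not a 7-field passwd entry")
            continue
        if fields[0] in seen:
            out.append(f"saslusers:{n}: duplicate user {fields[0]}")
        seen.add(fields[0])
        # Assumption of this example: the file is only an allowlist of names,
        # so the password field should be a placeholder, never a hash.
        if fields[1] not in ("x", "*", "!"):
            out.append(f"saslusers:{n}: password field is not a placeholder")
    return out
```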

