Re: sendmail as MSA and client side GSSAPI
Nicolas Williams wrote: > > > I followed up on March 19th on the list. I seem to recall my e-mails to > > > you bouncing, so see the list archives. > > > > Sorry, what list? I posted the question to the Usenet newsgroup > > comp.protocols.kerberos, so I expected a reply there. > Bah, I forgot about comp.protocols.kerberos (it's bidirectionally > gatewayed to kerberos@mit.edu). Is the gateway having trouble again? > Anyways, the list archives are here: > http://mailman.mit.edu/mailman/listinfo/kerberos In http://mailman.mit.edu/pipermail/kerberos/2008-March/013358.html you were going to ask the Sun's sendmail contact about GSSAPI. There is nothing in the list archives whether you have asked them and what they answered. When you say "I followed up on March 19th" I think this is not the followup I was eagerly waiting for. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Tue, Apr 08, 2008 at 01:49:02AM +, Victor Sudakov wrote: > Nicolas Williams wrote: > > I followed up on March 19th on the list. I seem to recall my e-mails to > > you bouncing, so see the list archives. > > Sorry, what list? I posted the question to the Usenet newsgroup > comp.protocols.kerberos, so I expected a reply there. Bah, I forgot about comp.protocols.kerberos (it's bidirectionally gatewayed to kerberos@mit.edu). Is the gateway having trouble again? Anyways, the list archives are here: http://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Apr 7, 2008, at 21:49, Victor Sudakov wrote: > Sorry, what list? I posted the question to the Usenet newsgroup > comp.protocols.kerberos, so I expected a reply there. There's a bidirectional relay between the [EMAIL PROTECTED] mailing list and the c.p.k newsgroup. The mailing list archive is at http://mailman.mit.edu/pipermail/kerberos/ . Nico's response on the 19th: http://mailman.mit.edu/pipermail/kerberos/2008-March/013363.html Your reply to him on the 20th: http://mailman.mit.edu/pipermail/kerberos/2008-March/013382.html That appears to be the end of the discussion. I do see both messages on MIT's news server, as well. Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
Nicolas Williams wrote: > > I followed up on March 19th on the list. I seem to recall my e-mails to > > you bouncing, so see the list archives. > Right, because your sender address is obfuscated. Guess what: when I > post my reply including the non-obfuscated form of your address then all > will be able to see it. Why would you want to post a reply including the non-obfuscated address? You don't need my address to post to Usenet. > Please don't obfuscate your sender address. In today's Usenet you have to obfuscate the address because of the address collecting robots. Should someone want to reply by private mail, the obfuscation algorithm is pretty obvious to the human eye. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
Nicolas Williams wrote: > > > > > > > > > > > Now how do I enable GSSAPI authentication for local users? What > > > > > > should > > > > > > I put into the /etc/mail/authinfo file so that each local user who > > > > > > has > > > > > > a Kerberos ticket could authenticate herself to the mailhub? > > > > > > > > > > > The users send mail from mutt, pine etc by calling > > > > > > /usr/sbin/sendmail. > > > > > > > > > > Am I asking something extraordinary? > > > > > > > > > > fetchmail works fine as GSSAPI client, so there is no more need to > > > > > store a password in the config for receiving mail. I wish we could do > > > > > the same for sending. > > > > > > Actually, I want to know about this too. I'll ask Sun's sendmail > > > > contact. > > > > Nicolas, any results? > I followed up on March 19th on the list. I seem to recall my e-mails to > you bouncing, so see the list archives. Sorry, what list? I posted the question to the Usenet newsgroup comp.protocols.kerberos, so I expected a reply there. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Mon, Apr 07, 2008 at 01:48:31PM -0500, Nicolas Williams wrote: > I followed up on March 19th on the list. I seem to recall my e-mails to > you bouncing, so see the list archives. Right, because your sender address is obfuscated. Guess what: when I post my reply including the non-obfuscated form of your address then all will be able to see it. Please don't obfuscate your sender address. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Sun, Apr 06, 2008 at 02:52:43PM +, Victor Sudakov wrote: > > Nicolas Williams wrote: > > > > > > > > > Now how do I enable GSSAPI authentication for local users? What should > > > > > I put into the /etc/mail/authinfo file so that each local user who has > > > > > a Kerberos ticket could authenticate herself to the mailhub? > > > > > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > > > > > > > Am I asking something extraordinary? > > > > > > > > fetchmail works fine as GSSAPI client, so there is no more need to > > > > store a password in the config for receiving mail. I wish we could do > > > > the same for sending. > > > > Actually, I want to know about this too. I'll ask Sun's sendmail > > > contact. > > Nicolas, any results? I followed up on March 19th on the list. I seem to recall my e-mails to you bouncing, so see the list archives. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
> Nicolas Williams wrote: > > > > > > > Now how do I enable GSSAPI authentication for local users? What should > > > > I put into the /etc/mail/authinfo file so that each local user who has > > > > a Kerberos ticket could authenticate herself to the mailhub? > > > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > > > > > Am I asking something extraordinary? > > > > > > fetchmail works fine as GSSAPI client, so there is no more need to > > > store a password in the config for receiving mail. I wish we could do > > > the same for sending. > > Actually, I want to know about this too. I'll ask Sun's sendmail > > contact. Nicolas, any results? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
Nicolas Williams wrote: > > > > > Now how do I enable GSSAPI authentication for local users? What should > > > I put into the /etc/mail/authinfo file so that each local user who has > > > a Kerberos ticket could authenticate herself to the mailhub? > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > > > Am I asking something extraordinary? > > > > fetchmail works fine as GSSAPI client, so there is no more need to > > store a password in the config for receiving mail. I wish we could do > > the same for sending. > See: > http://www.sendmail.org/~ca/email/auth.html > under "Using sendmail as a client with AUTH." > It doesn't really address how to use this with Kerberos. It's not clear > if you just have to give sendmail your Kerberos password (I doubt that > will work, much less be acceptable), or if sendmail is able to somehow > find your ccache and tickets. Moreover, this document does not specify if per user authentication is at all possible. The tags U, P and others seem to have global significance because they live in /etc/mail/authinfo. > My guess: it just doesn't work, at least when sendmail is running in > queue mode. > To make it work will require enough changes I wonder. SASL client is already there. > that one could be forgiven > for wondering why mutt et. al. shouldn't just learn how to talk SMTP/ > SUBMIT to the real MSA anyways the way Thunderbird, Evolution and > all other MUAs do it. Or, In fact, mutt *can* do this if compiled with --enable-smtp. But the advantage of calling /usr/sbin/sendmail is its universality. You have all your MUAs, all your scripts, all your cron jobs call sendmail or mail. I often redirect output of various programs to mail. > alternatively, why a standalone, non-queueing (or per-used queue > daemon) mail submission program isn't the right answer. Oh, it is. Please name one with Kerberos support, and I shall install it as /usr/sbin/sendmail. > Or you might argue that sendmail just needs an option to work as > described above (no queueing, no privs, or per-user queueing). > BTW, on Solaris it wouldn't work anyways pending this: > 6481399 sendmail needs to ship /etc/sasl/Sendmail.conf ^ I think it is for server side SASL. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Wed, Mar 19, 2008 at 03:17:29PM -0400, Sam Hartman wrote: > MIt does have a configuration where this works with sendmail for > foreground delivery to a mailhub. > I don't have details though. Good to know. Could you cajole someone into posting the details? Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
> "Nicolas" == Nicolas Williams <[EMAIL PROTECTED]> writes: Nicolas> See: Nicolas> http://www.sendmail.org/~ca/email/auth.html Nicolas> under "Using sendmail as a client with AUTH." Nicolas> It doesn't really address how to use this with Kerberos. Nicolas> It's not clear if you just have to give sendmail your Nicolas> Kerberos password (I doubt that will work, much less be Nicolas> acceptable), or if sendmail is able to somehow find your Nicolas> ccache and tickets. MIt does have a configuration where this works with sendmail for foreground delivery to a mailhub. I don't have details though. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Wed, Mar 19, 2008 at 12:29:55PM -0500, Nicolas Williams wrote: > To make it work will require enough changes that one could be forgiven may Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
Nicolas Williams wrote: > > > > > Now how do I enable GSSAPI authentication for local users? What should > > > I put into the /etc/mail/authinfo file so that each local user who has > > > a Kerberos ticket could authenticate herself to the mailhub? > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > > > Am I asking something extraordinary? > > > > fetchmail works fine as GSSAPI client, so there is no more need to > > store a password in the config for receiving mail. I wish we could do > > the same for sending. > Actually, I want to know about this too. I'll ask Sun's sendmail > contact. Please do, and share the result. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Wed, Mar 19, 2008 at 02:52:41AM +, Victor Sudakov wrote: > In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote: > > > Now how do I enable GSSAPI authentication for local users? What should > > I put into the /etc/mail/authinfo file so that each local user who has > > a Kerberos ticket could authenticate herself to the mailhub? > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > Am I asking something extraordinary? > > fetchmail works fine as GSSAPI client, so there is no more need to > store a password in the config for receiving mail. I wish we could do > the same for sending. See: http://www.sendmail.org/~ca/email/auth.html under "Using sendmail as a client with AUTH." It doesn't really address how to use this with Kerberos. It's not clear if you just have to give sendmail your Kerberos password (I doubt that will work, much less be acceptable), or if sendmail is able to somehow find your ccache and tickets. My guess: it just doesn't work, at least when sendmail is running in queue mode. To make it work will require enough changes that one could be forgiven for wondering why mutt et. al. shouldn't just learn how to talk SMTP/ SUBMIT to the real MSA anyways -- the way Thunderbird, Evolution and all other MUAs do it. Or, alternatively, why a standalone, non-queueing (or per-used queue daemon) mail submission program isn't the right answer. Or you might argue that sendmail just needs an option to work as described above (no queueing, no privs, or per-user queueing). BTW, on Solaris it wouldn't work anyways pending this: 6481399 sendmail needs to ship /etc/sasl/Sendmail.conf Nico -- Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
On Wed, Mar 19, 2008 at 02:52:41AM +, Victor Sudakov wrote: > In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote: > > > Now how do I enable GSSAPI authentication for local users? What should > > I put into the /etc/mail/authinfo file so that each local user who has > > a Kerberos ticket could authenticate herself to the mailhub? > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. > > Am I asking something extraordinary? > > fetchmail works fine as GSSAPI client, so there is no more need to > store a password in the config for receiving mail. I wish we could do > the same for sending. Actually, I want to know about this too. I'll ask Sun's sendmail contact. Nico -- Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote: > Now how do I enable GSSAPI authentication for local users? What should > I put into the /etc/mail/authinfo file so that each local user who has > a Kerberos ticket could authenticate herself to the mailhub? > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail. Am I asking something extraordinary? fetchmail works fine as GSSAPI client, so there is no more need to store a password in the config for receiving mail. I wish we could do the same for sending. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: sendmail as MSA and client side GSSAPI
In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote: > I have sendmail 8.13.6 acting as MSA for local users. It should have been "MSP" instead of "MSA". The rest of the message is correct. Any ideas please? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos