Re: Postfix-SASL-GSSAPI question

2009-11-02 Thread Victor Duchovni
On Sun, Nov 01, 2009 at 04:06:53PM +0330, Ali Majdzadeh wrote:

> Thanks a lot for your help. I managed to solve the problem. By the way, have
> you got any experience with using kerberos as a pam module?

Processes running as root can use kerberos as a PAM module, by obtaining
and validating a service ticket for the host/hostname@REALM service
in the system keytab.

So if you want to have Postfix offer PLAIN, utilizing a KDC as a password
oracle, you need a root co-process to validate passwords, which is what
saslauthd -a pam is for.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: Postfix-SASL-GSSAPI question

2009-11-01 Thread Ali Majdzadeh
Viktor,
Hello
Thanks a lot for your help. I managed to solve the problem. By the way, have
you got any experience with using kerberos as a pam module?

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/30 Ali Majdzadeh ali.majdza...@gmail.com

> Viktor,
> Hi
> Thanks for your guidance. Would you please keep an eye on this thread? I am
> going to test the configuration using a properly configured GSSAPI client.
> Possibly, there will be many more questions to ask ;)
> Thank you so much.
>
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com
>
> > On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:
> >
> > > Thanks for your mail. Among your experiences with Postfix, GSSAPI and
> > > probably SASL, have you ever tested your configuration using telnet? If it
> > > is so, would you please describe the procedure? According to your previous
> > > mail, I figured out that since I use telnet to test the configuration, I
> > > should know about the exact handshake process.
> >
> > The GSSAPI handshake is too complex for hand-tests with telnet.  Use a
> > real GSSAPI client, e.g. a suitably configured Postfix client.






Re: Postfix-SASL-GSSAPI question

2009-10-30 Thread Ali Majdzadeh
Viktor,
Hi
Thanks for your guidance. Would you please keep an eye on this thread? I am
going to test the configuration using a properly configured GSSAPI client.
Possibly, there will be many more questions to ask ;)
Thank you so much.

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com

> On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:
>
> > Thanks for your mail. Among your experiences with Postfix, GSSAPI and
> > probably SASL, have you ever tested your configuration using telnet? If it
> > is so, would you please describe the procedure? According to your previous
> > mail, I figured out that since I use telnet to test the configuration, I
> > should know about the exact handshake process.
>
> The GSSAPI handshake is too complex for hand-tests with telnet.  Use a
> real GSSAPI client, e.g. a suitably configured Postfix client.




Re: Postfix-SASL-GSSAPI question

2009-10-29 Thread Ali Majdzadeh
Viktor,
Hello
Thanks for your mail. Do you test the configuration using mail clients like
Thunderbird or something like that? If not, what do you actually use in
order to test the configuration?

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/28 Victor Duchovni victor.ducho...@morganstanley.com

> On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:
>
> > ehlo example.com
> > auth gssapi base 64 encoded userid
>
> The GSSAPI handshake does not work this way.
>
> > When I monitor the logs, I see the following failure messages:
> > warning: SASL authentication failure: GSSAPI Error: Invalid token was
> > supplied (No error)
> > What does the above line mean? Where do I go wrong in the process?
>
> A base64 encoded username is not a valid GSSAPI token. Test with an
> actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.
>
> As in your configuration, the server uses a keytab and KRB5_KTNAME is
> set in the server environment (import_environment=...). The server
> keytab belongs to the postfix ($mail_owner) user.
>
> In our case the client (sending) system also has a keytab, but it is not
> used directly, rather a cron job runs periodically, and uses kinit -t
> to refresh the client credential cache. The client main.cf also has
> import_environment=... with a setting for KRB5_CCNAME.




Re: Postfix-SASL-GSSAPI question

2009-10-29 Thread Victor Duchovni
On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:

> Thanks for your mail. Do you test the configuration using mail clients like
> Thunderbird or something like that? If not, what do you actually use in
> order to test the configuration?

I have successfully performed GSSAPI authenticated SMTP submission to
Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt
and a GSSAPI-capable Postfix client. All work.

Not much testing these days, it all just works.

-- 
Viktor.



Re: Postfix-SASL-GSSAPI question

2009-10-29 Thread Ali Majdzadeh
Viktor,
Hi
Thanks for your mail. Among your experiences with Postfix, GSSAPI and
probably SASL, have you ever tested your configuration using telnet? If it
is so, would you please describe the procedure? According to your previous
mail, I figured out that since I use telnet to test the configuration, I
should know about the exact handshake process.
Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com

> On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:
>
> > Thanks for your mail. Do you test the configuration using mail clients like
> > Thunderbird or something like that? If not, what do you actually use in
> > order to test the configuration?
>
> I have successfully performed GSSAPI authenticated SMTP submission to
> Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt
> and a GSSAPI-capable Postfix client. All work.
>
> Not much testing these days, it all just works.




Re: Postfix-SASL-GSSAPI question

2009-10-29 Thread Victor Duchovni
On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:

> Thanks for your mail. Among your experiences with Postfix, GSSAPI and
> probably SASL, have you ever tested your configuration using telnet? If it
> is so, would you please describe the procedure? According to your previous
> mail, I figured out that since I use telnet to test the configuration, I
> should know about the exact handshake process.

The GSSAPI handshake is too complex for hand-tests with telnet.  Use a
real GSSAPI client, e.g. a suitably configured Postfix client.

-- 
Viktor.



Postfix-SASL-GSSAPI question

2009-10-28 Thread Ali Majdzadeh
Hello All
I have installed cyrus-SASL libraries to do GSSAPI-based authentication when
interacting with Postfix. I have also installed and tested Kerberos. I can
successfully test GSSAPI authentication using samples provided by SASL
(sample-server and sample-client). I have created a service principal for
Postfix as smtp/client2.domain@domain.net and I have put the corresponding
keytab file in /etc/krb5.keytab. Also, I have set the KRB5_KTNAME environment
variable to point to the keytab file. Using kadmin.local and ktadd -k, I
import smtp's keytab and I can verify it by issuing klist -k. Under
/etc/postfix/sasl, I have created smtp.conf with the following contents:

    keytab: /etc/smtp.keytab
    mech_list: gssapi

Before testing Postfix, I use kinit to authenticate the user who wants to
authenticate to Postfix. Then, I use telnet to test GSSAPI authentication:

    # telnet client2.domain.net 25
    ...
    ehlo example.com
    auth gssapi base 64 encoded userid

When I monitor the logs, I see the following failure messages:

    warning: SASL authentication failure: GSSAPI Error: Invalid token was
    supplied (No error)

What does the above line mean? Where do I go wrong in the process?

Kind Regards
Ali Majdzadeh Kohbanani
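The telnet session above sends AUTH GSSAPI followed by a base64-encoded user name, and smtpd logs "Invalid token was supplied". The script below is an added example (not code from this thread, from Postfix or from Cyrus SASL) showing what the server is actually checking before it can do anything with the Kerberos material: the initial response must decode to a GSS-API InitialContextToken (RFC 2743 section 3.1), i.e. a 0x60 tag, a DER length and the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, and only then is the AP-REQ inside parsed. The sample user name, the placeholder inner token and the SPNEGO comparison are constructed for the demonstration; the checker inspects framing only and validates no ticket.

```python
import base64
import binascii

# Kerberos V5 GSS-API mechanism OID (RFC 1964), dotted and DER-encoded. The SASL
# "GSSAPI" mechanism (RFC 4752) is this mechanism, so a valid initial response
# to AUTH GSSAPI is a GSS-API InitialContextToken wrapping this OID and an AP-REQ.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
KRB5_MECH_OID_DER = bytes.fromhex("2a864886f712010202")


def _der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _decode_oid(raw):
    """Render DER OID contents as dotted decimal, e.g. 1.2.840.113554.1.2.2."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:  # final byte still had its continuation bit set
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_auth_argument(arg):
    """Classify the initial-response argument of an SMTP 'AUTH GSSAPI <arg>' line.

    Returns (verdict, detail):
      ("not-base64", reason)     argument is not valid base64
      ("not-gss-token", reason)  decoded bytes lack RFC 2743 3.1 framing (tag 0x60)
      ("malformed", reason)      framing present but lengths or OID are inconsistent
      ("gss-token", mech_oid)    a GSS-API InitialContextToken for that mechanism
    Only the framing is inspected; no Kerberos ticket is validated here.
    """
    try:
        data = base64.b64decode(arg, validate=True)
    except (binascii.Error, ValueError) as exc:
        return "not-base64", str(exc)
    if not data:
        return "not-gss-token", "empty token"
    if data[0] != 0x60:
        return "not-gss-token", "first byte 0x%02x, expected 0x60" % data[0]
    try:
        body_len, pos = _der_length(data, 1)
        if pos + body_len != len(data):
            return "malformed", "outer length %d does not match %d body bytes" % (body_len, len(data) - pos)
        if data[pos] != 0x06:
            return "malformed", "expected OID tag 0x06 after the outer length"
        oid_len, pos = _der_length(data, pos + 1)
        oid_raw = data[pos:pos + oid_len]
        if len(oid_raw) != oid_len:
            raise ValueError("truncated OID")
        oid = _decode_oid(oid_raw)
    except (IndexError, ValueError) as exc:
        return "malformed", str(exc)
    return "gss-token", oid


def build_demo_token(mech_oid_der, inner):
    """Frame 'inner' as a base64 GSS-API InitialContextToken.

    Constructed for the demonstration only: 'inner' is a placeholder, not an
    AP-REQ, so a real server would still reject it after the framing check."""
    body = b"\x06" + bytes([len(mech_oid_der)]) + mech_oid_der + inner
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return base64.b64encode(b"\x60" + length + body).decode("ascii")


if __name__ == "__main__":
    # "YWxpY2U=" is base64("alice"): the thread's mistake with a constructed user name.
    print(classify_auth_argument("YWxpY2U="))
    # A correctly framed token around a constructed placeholder inner part.
    print(classify_auth_argument(build_demo_token(KRB5_MECH_OID_DER, b"\x01\x00placeholder")))
```

The first call reports "not-gss-token" with first byte 0x61 (the 'a' of the user name), which is the condition behind the logged "Invalid token" warning; the second passes the framing check because the token starts with 0x60 and carries the Kerberos V5 mechanism OID, which is the shape only a real GSSAPI client (as Viktor advises) produces.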


Re: Postfix-SASL-GSSAPI question

2009-10-28 Thread Victor Duchovni
On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:

> ehlo example.com
> auth gssapi base 64 encoded userid

The GSSAPI handshake does not work this way.

> When I monitor the logs, I see the following failure messages:
> warning: SASL authentication failure: GSSAPI Error: Invalid token was
> supplied (No error)
> What does the above line mean? Where do I go wrong in the process?

A base64 encoded username is not a valid GSSAPI token. Test with an
actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.

As in your configuration, the server uses a keytab and KRB5_KTNAME is
set in the server environment (import_environment=...). The server
keytab belongs to the postfix ($mail_owner) user.

In our case the client (sending) system also has a keytab, but it is not
used directly, rather a cron job runs periodically, and uses kinit -t
to refresh the client credential cache. The client main.cf also has
import_environment=... with a setting for KRB5_CCNAME.

-- 
Viktor.

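Viktor's replies in this thread describe the moving parts of both layouts: for GSSAPI the server keytab must belong to the $mail_owner user and its location must reach smtpd, which Postfix only does for variables listed in import_environment (or through a keytab: line in the Cyrus config); for PLAIN backed by a KDC, the unprivileged smtpd cannot validate passwords itself, so pwcheck_method: saslauthd with saslauthd started as -a pam is the root co-process that does. The checker below is an added example, not code from the thread, Postfix or Cyrus SASL; it parses a main.cf and a Cyrus smtpd.conf (the file name follows Postfix's default smtpd_sasl_path = smtpd) and reports which of those conditions a layout misses. All sample configurations, paths, owners and the saslauthd argument list are constructed inputs, so the check runs without a live system.

```python
"""Consistency checks for the two Postfix SASL layouts discussed in the thread.

 - GSSAPI: smtpd.conf offers gssapi, the server keytab is owned by $mail_owner,
   and the keytab location reaches smtpd (KRB5_KTNAME via import_environment,
   or a 'keytab:' line in the Cyrus config).
 - PLAIN/LOGIN backed by a KDC: smtpd runs unprivileged, so password checks go
   through the root co-process saslauthd started with '-a pam'.
All inputs are passed in as text or values; nothing is read from the system.
"""


def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value', '#' comments,
    and continuation lines that start with whitespace."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_cyrus_conf(text):
    """Parse a Cyrus SASL application config (e.g. smtpd.conf): 'key: value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def audit_sasl_layout(main_cf, smtpd_conf, keytab_owner=None, saslauthd_args=()):
    """Return a list of findings; an empty list means the layout is consistent.

    keytab_owner:   owner of the server keytab file (None = not checked)
    saslauthd_args: argv of the running saslauthd, e.g. ("-a", "pam")
    """
    findings = []
    postfix = parse_main_cf(main_cf)
    sasl = parse_cyrus_conf(smtpd_conf)
    mail_owner = postfix.get("mail_owner", "postfix")  # Postfix default
    mechs = sasl.get("mech_list", "").lower().split()
    # Only variables named in import_environment are passed on to Postfix daemons;
    # a KRB5_KTNAME exported in a login shell never reaches smtpd.
    imported = {item.split("=", 1)[0] for item in postfix.get("import_environment", "").split()}

    if postfix.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes'; smtpd will not offer AUTH at all")

    if "gssapi" in mechs:
        if "keytab" not in sasl and "KRB5_KTNAME" not in imported:
            findings.append("gssapi offered but smtpd has no keytab: add 'keytab:' to smtpd.conf "
                            "or list KRB5_KTNAME=... in import_environment")
        if keytab_owner is not None and keytab_owner != mail_owner:
            findings.append("server keytab is owned by %s but smtpd runs as $mail_owner=%s"
                            % (keytab_owner, mail_owner))

    if {"plain", "login"} & set(mechs):
        if sasl.get("pwcheck_method", "").lower() != "saslauthd":
            findings.append("plain/login offered without pwcheck_method: saslauthd; an "
                            "unprivileged smtpd cannot validate passwords against the KDC")
        else:
            args = list(saslauthd_args)
            mech = None
            if "-a" in args and args.index("-a") + 1 < len(args):
                mech = args[args.index("-a") + 1]
            if mech != "pam":
                findings.append("saslauthd is not running with '-a pam' (got %r)" % (mech,))
    return findings


if __name__ == "__main__":
    # Constructed sample resembling the server side described in the thread:
    # keytab path passed via import_environment, but the file is still owned by root.
    MAIN_CF = """
mail_owner = postfix
smtpd_sasl_auth_enable = yes
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
    DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtpd.keytab
"""
    for finding in audit_sasl_layout(MAIN_CF, "mech_list: gssapi\n", keytab_owner="root"):
        print("finding:", finding)
```

Run stand-alone it reports the single ownership finding; pass keytab_owner="postfix" and the list is empty. The import_environment check is the one most often missed in practice: setting KRB5_KTNAME in the shell, as the original post does, satisfies klist -k but not a daemon that Postfix starts with a scrubbed environment.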