From: Victor Duchovni on 29 Oct 2009 14:39

On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:

> Thanks for your mail. Among your experiences with Postfix, GSSAPI and
> probably SASL, have you ever tested your configuration using telnet? If it
> is so, would you please describe the procedure? According to your previous
> mail, I figured out that since I use telnet to test the configuration, I
> should know about the exact handshake process.

The GSSAPI handshake is too complex for hand-tests with telnet. Use a
real GSSAPI client, e.g. a suitably configured Postfix client.

--
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo(a)postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
From: Ali Majdzadeh on 30 Oct 2009 11:21

Viktor,
Hi
Thanks for your guidance. Would you please keep an eye on this thread? I am
going to test the configuration using a properly configured GSSAPI client.
Possibly, there will be many more questions to ask ;)
Thank you so much.

Kind Regards
Ali Majdzadeh Kohbanani
From: Ali Majdzadeh on 1 Nov 2009 07:36

Viktor,
Hello
Thanks a lot for your help. I managed to solve the problem. By the way, have
you got any experiences about using kerberos as a pam module?

Kind Regards
Ali Majdzadeh Kohbanani
From: Victor Duchovni on 2 Nov 2009 11:03

On Sun, Nov 01, 2009 at 04:06:53PM +0330, Ali Majdzadeh wrote:

> Thanks a lot for your help. I managed to solve the problem. By the way, have
> you got any experiences about using kerberos as a pam module?

Processes running as root can use kerberos as a PAM module, by obtaining
and validating a service ticket for the host/<hostname>@REALM service
in the system keytab.

So if you want to have Postfix offer "PLAIN", utilizing a KDC as a
password "oracle", you need a "root" co-process to validate passwords,
which is what "saslauthd -a pam" is for.

--
	Viktor.
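
The setup described in the last reply, written out as configuration. This is an added example, not taken from the posts or from the Postfix project. The file locations, the pam_krb5.so module name and the TLS lines are assumptions that vary by distribution; TLS certificate settings are left out.

```conf
# Constructed example; paths and module names are assumptions.

# --- /etc/postfix/main.cf (Postfix SMTP server) ---
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
# Cyrus SASL application name; selects smtpd.conf below.
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
# PLAIN carries the password itself, so offer AUTH only inside TLS.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# --- /etc/sasl2/smtpd.conf (Cyrus SASL settings read by smtpd) ---
# smtpd does not run as root, so it hands the password check to the
# root-owned saslauthd co-process instead of calling PAM itself.
pwcheck_method: saslauthd
mech_list: PLAIN

# --- saslauthd, started as root with the PAM backend ---
# saslauthd -a pam

# --- /etc/pam.d/smtp (Postfix uses the SASL service name "smtp") ---
# pam_krb5 asks the KDC for a ticket using the submitted password, then
# validates the result with a host/<hostname>@REALM service ticket
# checked against the system keytab, which only root can read.
auth     required  pam_krb5.so
account  required  pam_krb5.so

# --- check the saslauthd -> PAM -> KDC chain without an SMTP session ---
# testsaslauthd -u <user> -p <password> -s smtp
```

If the host/<hostname>@REALM key is missing from the keytab, the KDC reply cannot be validated, so check the keytab before debugging Postfix itself.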