From: Ali Majdzadeh on 28 Oct 2009 09:41

Hello All

I have installed the Cyrus SASL libraries to do GSSAPI-based authentication when interacting with Postfix. I have also installed and tested Kerberos. I can successfully test GSSAPI authentication using the samples provided by SASL (sample-server and sample-client). I have created a service principal for Postfix as smtp/client2.domain.net@DOMAIN.NET and I have put the corresponding keytab file in /etc/krb5.keytab. Also, I have set the KRB5_KTNAME environment variable to point to the keytab file. Using kadmin.local and ktadd -k, I import smtp's keytab and I can verify it by issuing klist -k.

Under /etc/postfix/sasl, I have created smtp.conf with the following contents:

    keytab: /etc/smtp.keytab
    mech_list: gssapi

Before testing Postfix, I use kinit to authenticate the user who wants to authenticate to Postfix. Then, I use telnet to test GSSAPI authentication:

    # telnet client2.domain.net 25
    ....
    ehlo example.com
    auth gssapi <base64-encoded userid>

When I monitor the logs, I see the following failure message:

    warning: SASL authentication failure: GSSAPI Error: Invalid token was supplied (No error)

What does the above line mean? Where do I go wrong in the process?

Kind Regards
Ali Majdzadeh Kohbanani
From: Victor Duchovni on 28 Oct 2009 10:48

On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:

> ehlo example.com
> auth gssapi base 64 encoded userid

The GSSAPI handshake does not work this way.

> When I monitor the logs, I see the following failure messages:
> warning: SASL authentication failure: GSSAPI Error: Invalid token was
> supplied (No error)
> What does the above line mean? Where do I go wrong in the process?

A base64 encoded username is not a valid GSSAPI token. Test with an actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.

As in your configuration, the server uses a keytab and KRB5_KTNAME is set in the server environment (import_environment=...). The server keytab belongs to the "postfix" ($mail_owner) user.

In our case the client (sending) system also has a keytab, but it is not used directly, rather a cron job runs periodically, and uses "kinit -t" to refresh the client credential cache. The client main.cf also has "import_environment=..." with a setting for KRB5_CCNAME.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: <mailto:majordomo(a)postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
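The server- and client-side settings Viktor describes (keytab owned by $mail_owner, KRB5_KTNAME and KRB5_CCNAME passed in through import_environment, a cron job refreshing the client cache with kinit -t), written out as a complete configuration. This is an added example, not Viktor's or the original poster's configuration: the file paths, principal names, the sasl_passwd entry and the cron interval are assumptions. Two checks worth making against the original post: the Postfix SMTP server reads its Cyrus SASL file under the name set by smtpd_sasl_path, which defaults to "smtpd", so the file is smtpd.conf, not smtp.conf; and Postfix does not inherit the environment of the process that started it, so KRB5_KTNAME set in a shell has no effect unless it appears in import_environment.

```ini
# ---- receiving host: /etc/postfix/main.cf ----
# Postfix clears its environment; KRB5_KTNAME reaches smtpd only via import_environment.
# Keep the default list (see: postconf -d import_environment) and append the variable.
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtpd.keytab
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous

# ---- receiving host: /etc/postfix/sasl/smtpd.conf ----
# (some builds look in /usr/lib/sasl2/ instead; the basename follows smtpd_sasl_path)
# The keytab must hold smtp/<hostname>@REALM and be readable by $mail_owner only:
#   chown postfix:postfix /etc/postfix/smtpd.keytab && chmod 0600 /etc/postfix/smtpd.keytab
mech_list: gssapi
keytab: /etc/postfix/smtpd.keytab

# ---- sending host: /etc/postfix/main.cf ----
# The smtp client reads its tickets from the cache named by KRB5_CCNAME.
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_CCNAME=FILE:/var/lib/postfix/krb5cc
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous
# Postfix only attempts SASL for destinations that have an entry here.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# ---- sending host: /etc/postfix/sasl_passwd (run postmap afterwards) ----
# The password is never used by GSSAPI; the name is passed on as the
# authorization identity, so keep it equal to the Kerberos principal.
client2.domain.net    host/client.domain.net@DOMAIN.NET:unused

# ---- sending host: crontab of the postfix user ----
# Refresh the cache from the client keytab well inside the ticket lifetime,
# so the cache never holds an expired TGT when a delivery starts.
0 */4 * * *  kinit -k -t /etc/postfix/client.keytab -c FILE:/var/lib/postfix/krb5cc host/client.domain.net@DOMAIN.NET
```

After restarting Postfix, "klist -k /etc/postfix/smtpd.keytab" on the server and "klist -c /var/lib/postfix/krb5cc" on the client (run as the postfix user) show whether each side actually has the credentials the configuration points at; the "Invalid token" warning in the original post is not what a missing keytab produces, but a wrong file name or an unimported KRB5_KTNAME are the next things to rule out once a real GSSAPI client is used.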
From: Ali Majdzadeh on 29 Oct 2009 06:56

Viktor,
Hello

Thanks for your mail. Do you test the configuration using mail clients like Thunderbird or something like that? If not, what do you actually use in order to test the configuration?

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/28 Victor Duchovni <Victor.Duchovni(a)morganstanley.com>

> On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:
>
> > ehlo example.com
> > auth gssapi base 64 encoded userid
>
> The GSSAPI handshake does not work this way.
>
> > When I monitor the logs, I see the following failure messages:
> > warning: SASL authentication failure: GSSAPI Error: Invalid token was
> > supplied (No error)
> > What does the above line mean? Where do I go wrong in the process?
>
> A base64 encoded username is not a valid GSSAPI token. Test with an
> actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.
>
> As in your configuration, the server uses a keytab and KRB5_KTNAME is
> set in the server environment (import_environment=...). The server
> keytab belongs to the "postfix" ($mail_owner) user.
>
> In our case the client (sending) system also has a keytab, but it is not
> used directly, rather a cron job runs periodically, and uses "kinit -t"
> to refresh the client credential cache. The client main.cf also has
> "import_environment=..." with a setting for KRB5_CCNAME.
>
> --
> Viktor.
From: Victor Duchovni on 29 Oct 2009 08:58

On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:

> Thanks for your mail. Do you test the configuration using mail clients like
> Thunderbird or something like that? If not, what do you actually use in
> order to test the configuration?

I have successfully performed GSSAPI authenticated SMTP submission to Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt and a GSSAPI-capable Postfix client. All work.

Not much "testing" these days, it all just works.

-- 
Viktor.
From: Ali Majdzadeh on 29 Oct 2009 11:41

Viktor,
Hi

Thanks for your mail. Among your experiences with Postfix, GSSAPI and probably SASL, have you ever tested your configuration using telnet? If so, would you please describe the procedure? According to your previous mail, I figured out that since I use telnet to test the configuration, I should know about the exact handshake process.

Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/29 Victor Duchovni <Victor.Duchovni(a)morganstanley.com>

> On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:
>
> > Thanks for your mail. Do you test the configuration using mail clients
> like
> > Thunderbird or something like that? If not, what do you actually use in
> > order to test the configuration?
>
> I have successfully performed GSSAPI authenticated SMTP submission to
> Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt
> and a GSSAPI-capable Postfix client. All work.
>
> Not much "testing" these days, it all just works.
>
> --
> Viktor.
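The handshake the last message asks about, as an added example that is not part of the thread. SASL GSSAPI over SMTP (RFC 4752 carried on RFC 4954 AUTH) is a multi-step exchange: the client's first token is a Kerberos AP-REQ built by the GSSAPI library from the ticket in the credential cache, the server answers with an AP-REP, and only then do both sides exchange a GSS-wrapped 4-byte security-layer negotiation, which is also where the optional authorization identity travels. None of those tokens can be typed into telnet, which is why a base64 username is rejected as an invalid token; the client below does the same thing a mail client or the Postfix smtp client does. It assumes the python-gssapi package (import name "gssapi"), a valid ticket obtained with kinit, the hostname client2.domain.net from the thread, and a server that offers the "no security layer" option (Postfix's default smtpd_sasl_security_options does). The two helpers that encode and decode the 4-byte negotiation are pure and run without Kerberos.

```python
"""SASL GSSAPI (RFC 4752) over SMTP AUTH (RFC 4954) as a stand-alone client.

Added example; the hostname is the one from the thread, python-gssapi is an
assumed dependency. The GSS tokens exchanged before the 4-byte negotiation
are opaque Kerberos AP-REQ/AP-REP blobs produced by the library.
"""
import base64
import smtplib
from typing import Tuple

# Security-layer bitmask values, RFC 4752 section 3.1.
LAYER_NONE = 0x01
LAYER_INTEGRITY = 0x02
LAYER_CONFIDENTIALITY = 0x04


def parse_server_layers(plain: bytes) -> Tuple[int, int]:
    """Decode the server's negotiation token after GSS_Unwrap: byte 0 is the
    bitmask of layers the server offers, bytes 1-3 the largest message it
    will accept, in network byte order."""
    if len(plain) != 4:
        raise ValueError("security-layer token must be 4 bytes, got %d" % len(plain))
    mask = plain[0]
    if mask == 0 or mask & 0xF8:
        raise ValueError("invalid security-layer bitmask 0x%02x" % mask)
    return mask, int.from_bytes(plain[1:4], "big")


def build_client_response(offered: int, authzid: str = "") -> bytes:
    """Plaintext the client wraps and returns: chosen layer, our maximum
    receive size, then the optional authorization identity. This client keeps
    speaking plain SMTP afterwards, so it only accepts 'no security layer';
    RFC 4752 then requires the advertised maximum size to be 0."""
    if not offered & LAYER_NONE:
        raise NotImplementedError(
            "server insists on a SASL security layer (mask 0x%02x); "
            "wrapping the SMTP stream is not implemented here" % offered)
    return bytes([LAYER_NONE]) + (0).to_bytes(3, "big") + authzid.encode("utf-8")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def smtp_auth_gssapi(conn: smtplib.SMTP, service_host: str, authzid: str = "") -> bool:
    """Run AUTH GSSAPI on an smtplib connection that has already sent EHLO.
    Needs python-gssapi (assumed) and a ticket in the credential cache from
    kinit; the service principal used is smtp/<service_host>."""
    import gssapi  # imported here so the pure helpers above run without it

    target = gssapi.Name("smtp@" + service_host, gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=target, usage="initiate")

    # Phase 1: context establishment. The first token rides on the AUTH line
    # as an initial response; every later 334 carries the server's next token.
    out = ctx.step()
    code, msg = conn.docmd("AUTH", "GSSAPI " + _b64(out))
    while not ctx.complete:
        if code != 334:
            raise smtplib.SMTPAuthenticationError(code, msg)
        out = ctx.step(base64.b64decode(msg))
        # An empty client response is sent as a lone "=" (RFC 4954 section 4).
        code, msg = conn.docmd(_b64(out) if out else "=")

    # Phase 2: security-layer negotiation, integrity-protected with GSS_Wrap.
    if code != 334:
        raise smtplib.SMTPAuthenticationError(code, msg)
    offered, _server_max = parse_server_layers(ctx.unwrap(base64.b64decode(msg)).message)
    reply = ctx.wrap(build_client_response(offered, authzid), encrypt=False).message
    code, msg = conn.docmd(_b64(reply))
    if code != 235:
        raise smtplib.SMTPAuthenticationError(code, msg)
    return True


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "client2.domain.net"  # hostname from the thread
    with smtplib.SMTP(host, 25) as conn:
        conn.ehlo()
        if "GSSAPI" not in conn.esmtp_features.get("auth", "").upper():
            sys.exit("server does not advertise AUTH GSSAPI")
        print("authenticated:", smtp_auth_gssapi(conn, host))
```

Run it after kinit as the user who should authenticate; a failure in phase 1 is a Kerberos problem (wrong service principal in the keytab, clock skew, no ticket), while a 535 after the wrapped reply usually means the server rejected the authorization identity. Choosing LAYER_NONE is deliberate: picking integrity or confidentiality would oblige the client to GSS_Wrap every subsequent SMTP line, which smtplib cannot do.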