From: Matt Hayes on 13 May 2010 12:36

On 5/13/2010 12:19 PM, Kaleb Hosie wrote:
> Hello,
> In our environment, we have a postfix server that receives mail and forwards
> only the HAM onto Exchange.
>
> I have several users that are using notebooks and looking to send and
> receive mail remotely. I have Exchange setup to allow IMAP connections and
> forwarded the port on the firewall.
>
> As you can imagine, the problem is with SMTP authentication. When a user
> sends an email from a remote location, I would like for it to require
> authentication. What's the best way to do that in an Exchange environment?
>
> Thanks for your help.
> Kaleb

What is going to be doing the authentication? Exchange or postfix?

-Matt
From: Victor Duchovni on 13 May 2010 12:57

On Thu, May 13, 2010 at 12:19:04PM -0400, Kaleb Hosie wrote:
> Hello,
> In our environment, we have a postfix server that receives mail and forwards
> only the HAM onto Exchange.
>
> I have several users that are using notebooks and looking to send and
> receive mail remotely. I have Exchange setup to allow IMAP connections and
> forwarded the port on the firewall.
>
> As you can imagine, the problem is with SMTP authentication. When a user
> sends an email from a remote location, I would like for it to require
> authentication. What's the best way to do that in an Exchange environment?

I would use a PAM Kerberos module, that uses the provided password to
obtain (and verify against the server's keytab) a Kerberos ticket issued
by Microsoft's Active Directory.

To avoid having to populate AD accounts into /etc/passwd on the server,
you can use a custom passwd file for the SMTP SASL module

smtpd.conf:
    pwcheck_method: saslauthd
    mech_list: PLAIN

$ ps -e -o args | grep sasl
saslauthd -m /var/run/saslauthd -a pam

/etc/pam.d/smtp:
    auth     requisite pam_krb5.so auth_only
    account  required  pam_localuser.so file=/etc/postfix/saslusers
    password required  pam_deny.so
    session  required  pam_deny.so

/etc/postfix/saslusers:
    joeuser:x:99:99:SASL user:/:
    freduser:x:99:99:SASL user:/:
    ...

You'll also need keys for "host/<servername>@EXAMPLE.COM" where
"EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
of your Postfix SMTP server. These should be in /etc/krb5.keytab.

--
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
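The setup above depends on two things an administrator should verify before opening port 25 submission to the world: that the saslusers allow-list is in the passwd layout pam_localuser actually matches on (user name followed by a colon at the start of a line), and that the keytab holds the host/<servername>@REALM key pam_krb5 needs to validate the ticket. The following is an added example (not code from the thread, Postfix, Cyrus SASL or Linux-PAM) that performs both checks offline against constructed sample data; the hostname mail.example.com and the klist -k output are assumptions.

```python
import re
from typing import List

# Constructed sample of /etc/postfix/saslusers in the seven-field passwd layout.
SASLUSERS = """joeuser:x:99:99:SASL user:/:
freduser:x:99:99:SASL user:/:
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output (hostname is assumed).
KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
   3 MAIL$@EXAMPLE.COM
"""


def localuser_allows(saslusers_text: str, user: str) -> bool:
    """Mimic pam_localuser's account check: succeed only if some line of the
    file begins with '<user>:'. The colon matters: 'joe' must not match 'joeuser'."""
    return any(line.startswith(user + ":") for line in saslusers_text.splitlines())


def saslusers_problems(saslusers_text: str) -> List[str]:
    """Report lines that are not well-formed passwd entries (wrong field count,
    empty or whitespace-padded user name), which would silently never match."""
    problems = []
    for n, line in enumerate(saslusers_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {n}: expected 7 colon-separated fields, got {len(fields)}")
        elif not fields[0] or fields[0] != fields[0].strip():
            problems.append(f"line {n}: bad user name {fields[0]!r}")
    return problems


def keytab_has_host_principal(klist_text: str, servername: str, realm: str) -> bool:
    """True if the keytab listing contains host/<servername>@<realm>, the key
    pam_krb5 verifies the freshly obtained ticket against (realm is case-sensitive)."""
    wanted = f"host/{servername}@{realm}"
    entries = (line.split()[-1] for line in klist_text.splitlines() if re.match(r"\s*\d+\s+", line))
    return wanted in entries
```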
From: Matt Hayes on 13 May 2010 13:07

On 5/13/2010 12:57 PM, Victor Duchovni wrote:
> On Thu, May 13, 2010 at 12:19:04PM -0400, Kaleb Hosie wrote:
>
>> Hello,
>> In our environment, we have a postfix server that receives mail and forwards
>> only the HAM onto Exchange.
>>
>> I have several users that are using notebooks and looking to send and
>> receive mail remotely. I have Exchange setup to allow IMAP connections and
>> forwarded the port on the firewall.
>>
>> As you can imagine, the problem is with SMTP authentication. When a user
>> sends an email from a remote location, I would like for it to require
>> authentication. What's the best way to do that in an Exchange environment?
>
> I would use a PAM Kerberos module, that uses the provided password to
> obtain (and verify against the server's keytab) a Kerberos ticket issued
> by Microsoft's Active Directory.
>
> To avoid having to populate AD accounts into /etc/passwd on the server,
> you can use a custom passwd file for the SMTP SASL module
>
> smtpd.conf:
>     pwcheck_method: saslauthd
>     mech_list: PLAIN
>
> $ ps -e -o args | grep sasl
> saslauthd -m /var/run/saslauthd -a pam
>
> /etc/pam.d/smtp:
>     auth     requisite pam_krb5.so auth_only
>     account  required  pam_localuser.so file=/etc/postfix/saslusers
>     password required  pam_deny.so
>     session  required  pam_deny.so
>
> /etc/postfix/saslusers:
>     joeuser:x:99:99:SASL user:/:
>     freduser:x:99:99:SASL user:/:
>     ...
>
> You'll also need keys for "host/<servername>@EXAMPLE.COM" where
> "EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
> of your Postfix SMTP server. These should be in /etc/krb5.keytab.
>

*bows before the master*
From: Victor Duchovni on 13 May 2010 13:50

On Thu, May 13, 2010 at 01:07:00PM -0400, Matt Hayes wrote:
> > You'll also need keys for "host/<servername>@EXAMPLE.COM" where
> > "EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
> > of your Postfix SMTP server. These should be in /etc/krb5.keytab.
> >
>
> *bows before the master*

Not necessary. If you don't have any experience setting up Unix systems
as Kerberos clients of Active Directory, this will take a bit of time
to figure out... Good luck!

IF your Unix nodes are already Kerberos enabled, but Unix uses a different
realm, things can get a lot more complicated, since PAM will want to
authenticate users in the "local" realm; getting PAM to work in a
cross-realm environment is not something I've yet tried to do.

--
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
From: Matt Hayes on 13 May 2010 13:54

On 5/13/2010 1:50 PM, Victor Duchovni wrote:
> On Thu, May 13, 2010 at 01:07:00PM -0400, Matt Hayes wrote:
>
>>> You'll also need keys for "host/<servername>@EXAMPLE.COM" where
>>> "EXAMPLE.COM" is your AD Kerberos realm and "servername" is the hostname
>>> of your Postfix SMTP server. These should be in /etc/krb5.keytab.
>>>
>>
>> *bows before the master*
>
> Not necessary. If you don't have any experience setting up Unix systems
> as Kerberos clients of Active Directory, this will take a bit of time
> to figure out... Good luck!
>
> IF your Unix nodes are already Kerberos enabled, but Unix uses a different
> realm, things can get a lot more complicated, since PAM will want to
> authenticate users in the "local" realm, getting PAM to work in a
> cross-realm environment is not something I've yet tried to do.
>

I've never had to do this yet, but I'm sure in time I will. I'll
definitely refer back to the archives for this thread though!

-Matt