Quoting Jaap Winius <[email protected]>:

Is it possible to configure an Exim4 server (exim4-daemon-heavy 4.72-6 on Debian squeeze) to offer an authenticated SMTP service with end-to-end SSL encryption while authenticating the passwords with Kerberos?

So far I've added the following to 00_exim4-config_header:

  sasl_gssapi:
     driver = cyrus_sasl
     public_name = GSSAPI
     server_realm = EXAMPLE.COM
     server_set_id = $auth1

To finally answer my own question of 2011-04-08: yes, you can (I'm still using MIT Kerberos, but now with Debian wheezy and Exim 4.80). The section above is correct, and besides a working Kerberos client (using k5start to regularly renew the host ticket) and a few extra library packages (one or all three of libsasl2-2, libsasl2-modules and libsasl2-modules-gssapi-mit), all I was missing was a properly set environment variable that Exim needs to find its keytab file. I used the following:

   export KRB5_KTNAME="/etc/exim4/exim.keytab"

All I did was append this line to /etc/default/exim4, a text file that is sourced by /etc/init.d/exim4 every time this script is run. Oh, and that keytab file is where I saved the keys for smtp/[email protected] -- not in the host keytab file, /etc/krb5.keytab (that's for host/[email protected]).

It works like a charm.

Cheers,

Jaap

PS -- Thanks, Phil, for your reply of 2011-04-08. The configuration above produces what you described at the time as 'Approach 1', which is native Kerberos support. Excellent! Every serious SMTP MTA should be capable of supporting this.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
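
A check for the setup described in the message above, added here as an example (not part of the original post, and not Exim or Debian code): it confirms that the defaults file exports KRB5_KTNAME, that the keytab exists, and that it is not accessible to other users. The function name, its return codes and the optional principal argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check the keytab Exim is pointed at via KRB5_KTNAME.
# Usage (hypothetical): check_exim_keytab [defaults-file] [service-principal]
# Returns 0 = ok, 1 = variable not exported, 2 = keytab missing,
#         3 = keytab accessible to other users, 4 = principal not in keytab.

check_exim_keytab() {
    defaults=${1:-/etc/default/exim4}
    principal=${2:-}   # optional, e.g. the smtp/... principal you created

    # Read the exported value without sourcing the file (it is shell code).
    keytab=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}KRB5_KTNAME=//p' \
                 "$defaults" 2>/dev/null | tail -n 1 | tr -d \"\')
    if [ -z "$keytab" ]; then
        echo "FAIL: no 'export KRB5_KTNAME=' line in $defaults" >&2
        return 1
    fi
    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab $keytab does not exist" >&2
        return 2
    fi

    # A keytab holds long-term service keys, so the "other" permission
    # bits (characters 8-10 of the ls mode string) must all be clear.
    other=$(ls -ld "$keytab" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FAIL: $keytab grants '$other' to other users" >&2
        return 3
    fi

    # Optional: confirm the service principal is really in this keytab.
    if [ -n "$principal" ]; then
        if ! command -v klist >/dev/null 2>&1; then
            echo "SKIP: klist not installed, principal not verified" >&2
            return 0
        fi
        if ! klist -k "$keytab" 2>/dev/null | grep -qF "$principal"; then
            echo "FAIL: $principal not found in $keytab" >&2
            return 4
        fi
    fi
    echo "OK: $keytab"
    return 0
}
```

The process that runs Exim's SMTP listener still needs read access to the keytab, so check the file's owner and group against the Exim runtime user as well.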
