On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
> just came across Erinn Looney-Triggs's excellent writeup on using
> kerberos for relaying e-mail
> and have a question.
> Would it not be possibly easier to just use the host's keytab
> (/etc/krb5.keytab) instead of just deploying a new service principal
> to every smtp client?
> I ask this because I am at the point of deploying something similar
> and would rather not need to have to deploy another set of keytabs
> everywhere unless this is a security malpractice, of course.
Easier? Yes. More secure? Probably not.
Kerberos experts may correct me, but from my POV, it is better to separate
these privileges. If postfix works on host/`hostname`@REALM, it could act as a
host identity. For example, an attacker could change the host's SSH public keys in
the FreeIPA host entry in LDAP if it takes control of the mail service. Or it
could unenroll the host entirely from FreeIPA.
If it runs on its own keytab and thus its own identity, it can only act on behalf
Freeipa-users mailing list
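One way to put the separation argued for above into practice, as an added example that is not from the thread or from Erinn's writeup: provision a dedicated smtp/ principal and keytab for postfix with FreeIPA's own CLI, and a small check over `klist -kt` output that flags a keytab holding a host/ principal. The host name mail.example.com, the realm EXAMPLE.COM, the IPA server ipa.example.com and the keytab path /etc/postfix/smtp.keytab are assumptions; the klist listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed names: mail.example.com,
# EXAMPLE.COM, ipa.example.com, /etc/postfix/smtp.keytab.

# Create a separate smtp/ service principal, fetch its keytab into a file only
# root and the postfix group can read, and point postfix's GSSAPI client at it
# (Cyrus SASL reads KRB5_KTNAME; postfix only passes variables listed in
# import_environment). Requires an admin ticket; not run by the test.
provision_smtp_keytab() {
    host="$1"; ipa_server="$2"; keytab="$3"
    ipa service-add "smtp/$host" || return 1
    ipa-getkeytab -s "$ipa_server" -p "smtp/$host" -k "$keytab" || return 1
    chown root:postfix "$keytab" && chmod 0640 "$keytab" || return 1
    postconf -e "import_environment=$(postconf -h import_environment) KRB5_KTNAME=$keytab"
}

# Print the distinct principals found in 'klist -kt' output read from stdin.
# Entry lines start with a numeric KVNO; the principal is the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Succeed only if the keytab listing on stdin contains no host/ principal,
# i.e. the mail service cannot act as the host identity the reply warns about.
check_no_host_principal() {
    ! keytab_principals | grep -q '^host/'
}

# Constructed sample listings for the two deployments discussed in the thread.
SAMPLE_SMTP_KEYTAB='Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 11/29/2013 10:00:00 smtp/mail.example.com@EXAMPLE.COM
   2 11/29/2013 10:00:00 smtp/mail.example.com@EXAMPLE.COM'
SAMPLE_HOST_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 11/29/2013 09:00:00 host/mail.example.com@EXAMPLE.COM
   2 11/29/2013 10:00:00 smtp/mail.example.com@EXAMPLE.COM'

for sample in "$SAMPLE_SMTP_KEYTAB" "$SAMPLE_HOST_KEYTAB"; do
    if printf '%s\n' "$sample" | check_no_host_principal; then
        echo "ok: keytab carries no host/ identity"
    else
        echo "WARNING: keytab would let the mail service act as the host"
    fi
done
```

On a live system, run `klist -kt /etc/postfix/smtp.keytab | check_no_host_principal` as a postinstall check.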