On Mon, Nov 08, 2010 at 07:20:34PM +0100, Michael Sperber wrote:

> > On Mon, Nov 08, 2010 at 02:30:33AM +0100, Michael Sperber wrote:
> >
> >> ... and indeed, telnetting to the Exchange server shows "AUTH GSSAPI
> >> NTLM" ...
> >
> > The Postfix SMTP client can do GSSAPI, if you place a suitable
> > keytab on the Postfix server, and use it from cron to keep a
> > credential cache file current.
>
> Are there instructions somewhere on how to do it?

Obtain the current (or default) value of the Postfix 'import_environment'
setting:

    $ postconf 'import_environment'
    import_environment = MAIL_CONFIG MAIL_SECONDARY MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C

If you don't use an X11 debugger on Postfix, feel free to ignore the
"XAUTHORITY" and "DISPLAY" elements. Take all the others, and append:

    KRB5CCNAME=${data_directory}/smtp

which (with my Postfix version) should be:

    import_environment = MAIL_CONFIG MAIL_SECONDARY MAIL_DEBUG MAIL_LOGTAG TZ LANG=C KRB5CCNAME=${data_directory}/smtp_ccache

Add the above to main.cf.

Then you need a cron job that keeps this file (if data_directory is
/var/lib/postfix, then the file is /var/lib/postfix/smtp_ccache) populated
with fresh tickets. We have a job that runs once an hour and uses a keytab
file to obtain a ticket stored in /var/lib/postfix/smtp_ccache and owned by
"postfix" mode 0600. The keytab belongs to "root" with group equal to the
primary group of the "postfix" user, mode 0640. The cron job creates the
credential cache. The keytab file contains the keys for the user authorized
to submit mail to Exchange.

The cron job runs:

    kinit -k -t /etc/postfix/postfix.keytab \
        -c /var/lib/postfix/smtp_ccache.new ${PRINC} &&
    mv /var/lib/postfix/smtp_ccache.new /var/lib/postfix/smtp_ccache

where "$PRINC" is the Kerberos principal name (u...@realm) of the Exchange
login in question.

You may also need an /etc/krb5.conf file that lists the locations of the
Exchange KDCs or enables DNS lookups via SRV records, ...

> > If you want to use a password, your Exchange administrator needs
> > to enable AUTH PLAIN.
>
> I'm a bit confused - how does a normal Exchange client (like Apple Mail)
> do this? There, I just give an Active Directory password, and it works.

The Apple client likely talks MAPI when configured to use Exchange. It
probably also supports NTLM, but I would not bother with NTLM. Exchange
supports PLAIN, you just have to turn it on.

Why are you bothering with SASL at all? Why not just have Exchange allow
the IP address of the Postfix server?

-- 
	Viktor.
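The cron job Viktor describes, written out as a complete script. This is an added example, not the Postfix project's code and not the script from the post; it follows the same kinit-into-a-temporary-cache-then-rename pattern and the same file layout (keytab /etc/postfix/postfix.keytab owned by root and the postfix group, mode 0640; cache /var/lib/postfix/smtp_ccache owned by postfix, mode 0600). The principal, the paths and the KINIT indirection are assumptions; the mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example (not Postfix code, not the script from the post): the hourly
# cron job that refreshes the credential cache the Postfix SMTP client reads
# via KRB5CCNAME. Paths and the principal are assumptions taken from the post;
# override them in the environment or on the crontab line.
set -eu

KEYTAB="${KEYTAB:-/etc/postfix/postfix.keytab}"     # root:<postfix group>, 0640
CCACHE="${CCACHE:-/var/lib/postfix/smtp_ccache}"    # postfix, 0600
PRINC="${PRINC:-SMTP-RELAY-PRINCIPAL@EXAMPLE.REALM}" # placeholder principal
OWNER="${OWNER:-postfix}"
KINIT="${KINIT:-kinit}"   # indirection so the logic can be exercised without a KDC

# Refuse to run with a keytab that is readable by everyone: the keytab is
# equivalent to the account's password. (GNU stat assumed.)
check_perms() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB is not readable" >&2; return 1; }
    mode=$(stat -c %a "$KEYTAB")
    case "$mode" in
        400|600|640) return 0 ;;
        *) echo "keytab $KEYTAB has mode $mode; expected 0640 or tighter" >&2
           return 1 ;;
    esac
}

# Obtain a fresh ticket into a temporary cache next to the live one and rename
# it into place. A rename within one filesystem is atomic, so smtp(8) sees
# either the old complete cache or the new complete cache, never a partial
# file, and a failed kinit (KDC unreachable, stale keytab) leaves the old
# tickets untouched instead of leaving Postfix with no credentials.
renew_ccache() {
    tmp="$CCACHE.new"
    if ! (umask 077 && "$KINIT" -k -t "$KEYTAB" -c "$tmp" "$PRINC"); then
        echo "kinit for $PRINC failed; keeping existing $CCACHE" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp"
    # When run from root's crontab, hand the cache to the postfix user.
    [ "$(id -u)" -ne 0 ] || chown "$OWNER" "$tmp"
    mv "$tmp" "$CCACHE"
}

# Entry point for cron, e.g.:
#   0 * * * *  postfix  /usr/local/sbin/refresh-smtp-ccache refresh
# Without the argument the file only defines its functions, so it can be sourced.
case "${1:-}" in
    refresh) check_perms && renew_ccache ;;
esac
```

Run it as the postfix user (or as root, in which case it chowns the cache) once an hour; the ticket lifetime on the KDC must exceed the cron interval, and the keytab must be regenerated whenever the Exchange account's password changes.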