sendmail as MSA and client side GSSAPI

Nicolas Williams Nicolas.Williams at sun.com
Wed Mar 19 13:29:55 EDT 2008


On Wed, Mar 19, 2008 at 02:52:41AM +0000, Victor Sudakov wrote:
> In comp.mail.sendmail Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> wrote:
> 
> > Now how do I enable GSSAPI authentication for local users? What should
> > I put into the /etc/mail/authinfo file so that each local user who has
> > a Kerberos ticket could authenticate herself to the mailhub?
> 
> > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
> 
> Am I asking something extraordinary?
> 
> fetchmail works fine as GSSAPI client, so there is no more need to
> store a password in the config for receiving mail. I wish we could do
> the same for sending.

See:

http://www.sendmail.org/~ca/email/auth.html

under "Using sendmail as a client with AUTH."

It doesn't really address how to use this with Kerberos.  It's not clear
if you just have to give sendmail your Kerberos password (I doubt that
will work, much less be acceptable), or if sendmail is able to somehow
find your ccache and tickets.

My guess: it just doesn't work, at least when sendmail is running in
queue mode.

To make it work will require enough changes that one could be forgiven
for wondering why mutt et al. shouldn't just learn how to talk SMTP/
SUBMIT to the real MSA anyways -- the way Thunderbird, Evolution and all
other MUAs do it.  Or, alternatively, why a standalone, non-queueing (or
per-user queue daemon) mail submission program isn't the right answer.

Or you might argue that sendmail just needs an option to work as
described above (no queueing, no privs, or per-user queueing).

BTW, on Solaris it wouldn't work anyways pending this:

6481399 sendmail needs to ship /etc/sasl/Sendmail.conf

Nico