sendmail as MSA and client side GSSAPI
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Thu Mar 20 01:16:01 EDT 2008
Nicolas Williams wrote:
> >
> > > Now how do I enable GSSAPI authentication for local users? What should
> > > I put into the /etc/mail/authinfo file so that each local user who has
> > > a Kerberos ticket could authenticate herself to the mailhub?
> >
> > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
> >
> > Am I asking something extraordinary?
> >
> > fetchmail works fine as GSSAPI client, so there is no more need to
> > store a password in the config for receiving mail. I wish we could do
> > the same for sending.
> See:
> http://www.sendmail.org/~ca/email/auth.html
> under "Using sendmail as a client with AUTH."
> It doesn't really address how to use this with Kerberos. It's not clear
> if you just have to give sendmail your Kerberos password (I doubt that
> will work, much less be acceptable), or if sendmail is able to somehow
> find your ccache and tickets.
Moreover, this document does not specify if per user authentication is
at all possible. The tags U, P and others seem to have global
significance because they live in /etc/mail/authinfo.
> My guess: it just doesn't work, at least when sendmail is running in
> queue mode.
> To make it work will require enough changes
I wonder. The SASL client is already there.
> that one could be forgiven
> for wondering why mutt et al. shouldn't just learn how to talk
> SMTP/SUBMIT to the real MSA anyways the way Thunderbird, Evolution and
> all other MUAs do it. Or,
In fact, mutt *can* do this if compiled with --enable-smtp. But the
advantage of calling /usr/sbin/sendmail is its universality. You have
all your MUAs, all your scripts, all your cron jobs call sendmail or
mail. I often redirect output of various programs to mail.
> alternatively, why a standalone, non-queueing (or per-user queue
> daemon) mail submission program isn't the right answer.
Oh, it is. Please name one with Kerberos support, and I shall install it
as /usr/sbin/sendmail.
> Or you might argue that sendmail just needs an option to work as
> described above (no queueing, no privs, or per-user queueing).
> BTW, on Solaris it wouldn't work anyways pending this:
> 6481399 sendmail needs to ship /etc/sasl/Sendmail.conf
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I think it is
for server-side SASL.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/