sendmail as MSA and client side GSSAPI

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Thu Mar 20 01:16:01 EDT 2008


Nicolas Williams wrote:
> > 
> > > Now how do I enable GSSAPI authentication for local users? What should
> > > I put into the /etc/mail/authinfo file so that each local user who has
> > > a Kerberos ticket could authenticate herself to the mailhub?
> > 
> > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
> > 
> > Am I asking something extraordinary?
> > 
> > fetchmail works fine as GSSAPI client, so there is no more need to
> > store a password in the config for receiving mail. I wish we could do
> > the same for sending.

> See:

> http://www.sendmail.org/~ca/email/auth.html

> under "Using sendmail as a client with AUTH."

> It doesn't really address how to use this with Kerberos.  It's not clear
> if you just have to give sendmail your Kerberos password (I doubt that
> will work, much less be acceptable), or if sendmail is able to somehow
> find your ccache and tickets.

Moreover, this document does not specify if per user authentication is
at all possible. The tags U, P and others seem to have global
significance because they live in /etc/mail/authinfo.

> My guess: it just doesn't work, at least when sendmail is running in
> queue mode.

> To make it work will require enough changes 

I wonder. SASL client is already there.

> that one could be forgiven
> for wondering why mutt et al. shouldn't just learn how to talk SMTP/
> SUBMIT to the real MSA anyways the way Thunderbird, Evolution and
> all other MUAs do it.  Or,

In fact, mutt *can* do this if compiled with --enable-smtp. But the
advantage of calling /usr/sbin/sendmail is its universality. You have
all your MUAs, all your scripts, all your cron jobs call sendmail or
mail. I often redirect output of various programs to mail.

> alternatively, why a standalone, non-queueing (or per-user queue
> daemon) mail submission program isn't the right answer.

Oh, it is. Please name one with Kerberos support, and I shall install it
as /usr/sbin/sendmail.

> Or you might argue that sendmail just needs an option to work as
> described above (no queueing, no privs, or per-user queueing).

> BTW, on Solaris it wouldn't work anyways pending this:

> 6481399 sendmail needs to ship /etc/sasl/Sendmail.conf
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I think it is
for server side SASL.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
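For reference, the client-side AUTH setup that the linked sendmail.org document describes, as an added example that is not part of the original thread (the hostname, user name and password are placeholders). It makes the point both posters raise concrete: the authinfo map is keyed by the relay host and holds one set of U:/P:/M: tags per host, read by the sendmail process itself, so every local user's mail is authenticated with the same stored credential; there is no per-user entry anywhere in it.

```m4
dnl /etc/mail/sendmail.mc (fragment): relay all outbound mail through the
dnl mailhub and authenticate to it as an SMTP AUTH client.
dnl Hostnames and credentials below are made up for this example.
define(`SMART_HOST', `mailhub.example.com')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 PLAIN')dnl
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
dnl
dnl /etc/mail/authinfo (text source of the map; must be mode 0600, root-owned,
dnl because it holds a password in the clear):
dnl
dnl   AuthInfo:mailhub.example.com "U:submit" "P:s3cret" "M:DIGEST-MD5 CRAM-MD5"
dnl
dnl Key   = the relay host the client connects to (not the local user).
dnl U:    = authorization id, P: = password, M: = mechanisms to offer for
dnl         this host (overrides confAUTH_MECHANISMS for the client side).
dnl After editing, rebuild the map and sendmail.cf:
dnl   makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo
dnl   chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db
dnl   m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
```

Listing GSSAPI in the M: tag only tells the client which mechanism to offer; the configuration above gives sendmail no way to locate any particular user's credential cache, which is the gap the thread is about. Keep PLAIN out of the M: list unless the link to the mailhub is protected by STARTTLS, since the password in P: would otherwise cross the wire unencrypted.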
