sendmail as MSA and client side GSSAPI - Kerberos


Thread: sendmail as MSA and client side GSSAPI

  1. sendmail as MSA and client side GSSAPI

    Colleagues,

    I have sendmail 8.13.6 acting as MSA for local users. It is compiled
    with SASLv2 and has the following lines in the submit.mc file:
    FEATURE(`authinfo')dnl
    FEATURE(`msp', `[mailhub]')dnl

    The mailhub to which mail is submitted supports GSSAPI:
    250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI

    Now how do I enable GSSAPI authentication for local users? What should
    I put into the /etc/mail/authinfo file so that each local user who has
    a Kerberos ticket could authenticate herself to the mailhub?

    The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.

    Reading cf/README "Providing SMTP AUTH Data when sendmail acts as
    Client" did not enlighten me. I want no U or P tags in the authinfo
    file, since I want the calling user's Kerberos principal name as U and
    her ticket instead of password.

    Thanks in advance for any input.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  2. Re: sendmail as MSA and client side GSSAPI

    In comp.mail.sendmail Victor Sudakov wrote:

    > I have sendmail 8.13.6 acting as MSA for local users.


    It should have been "MSP" instead of "MSA".
    The rest of the message is correct. Any ideas please?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  3. Re: sendmail as MSA and client side GSSAPI

    In comp.mail.sendmail Victor Sudakov wrote:

    > Now how do I enable GSSAPI authentication for local users? What should
    > I put into the /etc/mail/authinfo file so that each local user who has
    > a Kerberos ticket could authenticate herself to the mailhub?


    > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.


    Am I asking something extraordinary?

    fetchmail works fine as GSSAPI client, so there is no more need to
    store a password in the config for receiving mail. I wish we could do
    the same for sending.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  4. Re: sendmail as MSA and client side GSSAPI

    On Wed, Mar 19, 2008 at 02:52:41AM +0000, Victor Sudakov wrote:
    > In comp.mail.sendmail Victor Sudakov wrote:
    >
    > > Now how do I enable GSSAPI authentication for local users? What should
    > > I put into the /etc/mail/authinfo file so that each local user who has
    > > a Kerberos ticket could authenticate herself to the mailhub?

    >
    > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.

    >
    > Am I asking something extraordinary?
    >
    > fetchmail works fine as GSSAPI client, so there is no more need to
    > store a password in the config for receiving mail. I wish we could do
    > the same for sending.


    Actually, I want to know about this too. I'll ask Sun's sendmail
    contact.

    Nico
    --

  5. Re: sendmail as MSA and client side GSSAPI

    Nicolas Williams wrote:
    > >
    > > > Now how do I enable GSSAPI authentication for local users? What should
    > > > I put into the /etc/mail/authinfo file so that each local user who has
    > > > a Kerberos ticket could authenticate herself to the mailhub?

    > >
    > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.

    > >
    > > Am I asking something extraordinary?
    > >
    > > fetchmail works fine as GSSAPI client, so there is no more need to
    > > store a password in the config for receiving mail. I wish we could do
    > > the same for sending.


    > Actually, I want to know about this too. I'll ask Sun's sendmail
    > contact.


    Please do, and share the result.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  6. Re: sendmail as MSA and client side GSSAPI

    On Wed, Mar 19, 2008 at 02:52:41AM +0000, Victor Sudakov wrote:
    > In comp.mail.sendmail Victor Sudakov wrote:
    >
    > > Now how do I enable GSSAPI authentication for local users? What should
    > > I put into the /etc/mail/authinfo file so that each local user who has
    > > a Kerberos ticket could authenticate herself to the mailhub?

    >
    > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.

    >
    > Am I asking something extraordinary?
    >
    > fetchmail works fine as GSSAPI client, so there is no more need to
    > store a password in the config for receiving mail. I wish we could do
    > the same for sending.


    See:

    http://www.sendmail.org/~ca/email/auth.html

    under "Using sendmail as a client with AUTH."

    It doesn't really address how to use this with Kerberos. It's not clear
    if you just have to give sendmail your Kerberos password (I doubt that
    will work, much less be acceptable), or if sendmail is able to somehow
    find your ccache and tickets.

    My guess: it just doesn't work, at least when sendmail is running in
    queue mode.

    To make it work will require enough changes that one could be forgiven
    for wondering why mutt et al. shouldn't just learn how to talk SMTP/
    SUBMIT to the real MSA anyways -- the way Thunderbird, Evolution and all
    other MUAs do it. Or, alternatively, why a standalone, non-queueing (or
    per-user queue daemon) mail submission program isn't the right answer.

    Or you might argue that sendmail just needs an option to work as
    described above (no queueing, no privs, or per-user queueing).

    BTW, on Solaris it wouldn't work anyways pending this:

    6481399 sendmail needs to ship /etc/sasl/Sendmail.conf

    Nico
    --

  7. Re: sendmail as MSA and client side GSSAPI

    On Wed, Mar 19, 2008 at 12:29:55PM -0500, Nicolas Williams wrote:
    > To make it work will require enough changes that one could be forgiven

    ^^^^
    may

  8. Re: sendmail as MSA and client side GSSAPI

    >>>>> "Nicolas" == Nicolas Williams writes:

    Nicolas> See:

    Nicolas> http://www.sendmail.org/~ca/email/auth.html

    Nicolas> under "Using sendmail as a client with AUTH."

    Nicolas> It doesn't really address how to use this with Kerberos.
    Nicolas> It's not clear if you just have to give sendmail your
    Nicolas> Kerberos password (I doubt that will work, much less be
    Nicolas> acceptable), or if sendmail is able to somehow find your
    Nicolas> ccache and tickets.

    MIT does have a configuration where this works with sendmail for
    foreground delivery to a mailhub.
    I don't have details though.

  9. Re: sendmail as MSA and client side GSSAPI

    On Wed, Mar 19, 2008 at 03:17:29PM -0400, Sam Hartman wrote:
    > MIT does have a configuration where this works with sendmail for
    > foreground delivery to a mailhub.
    > I don't have details though.


    Good to know. Could you cajole someone into posting the details?

  10. Re: sendmail as MSA and client side GSSAPI

    Nicolas Williams wrote:
    > >
    > > > Now how do I enable GSSAPI authentication for local users? What should
    > > > I put into the /etc/mail/authinfo file so that each local user who has
    > > > a Kerberos ticket could authenticate herself to the mailhub?

    > >
    > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.

    > >
    > > Am I asking something extraordinary?
    > >
    > > fetchmail works fine as GSSAPI client, so there is no more need to
    > > store a password in the config for receiving mail. I wish we could do
    > > the same for sending.


    > See:


    > http://www.sendmail.org/~ca/email/auth.html


    > under "Using sendmail as a client with AUTH."


    > It doesn't really address how to use this with Kerberos. It's not clear
    > if you just have to give sendmail your Kerberos password (I doubt that
    > will work, much less be acceptable), or if sendmail is able to somehow
    > find your ccache and tickets.


    Moreover, this document does not specify if per user authentication is
    at all possible. The tags U, P and others seem to have global
    significance because they live in /etc/mail/authinfo.

    > My guess: it just doesn't work, at least when sendmail is running in
    > queue mode.


    > To make it work will require enough changes


    I wonder. SASL client is already there.

    > that one could be forgiven
    > for wondering why mutt et al. shouldn't just learn how to talk SMTP/
    > SUBMIT to the real MSA anyways the way Thunderbird, Evolution and
    > all other MUAs do it. Or,


    In fact, mutt *can* do this if compiled with --enable-smtp. But the
    advantage of calling /usr/sbin/sendmail is its universality. You have
    all your MUAs, all your scripts, all your cron jobs call sendmail or
    mail. I often redirect output of various programs to mail.

    > alternatively, why a standalone, non-queueing (or per-user queue
    > daemon) mail submission program isn't the right answer.


    Oh, it is. Please name one with Kerberos support, and I shall install it
    as /usr/sbin/sendmail.

    > Or you might argue that sendmail just needs an option to work as
    > described above (no queueing, no privs, or per-user queueing).


    > BTW, on Solaris it wouldn't work anyways pending this:


    > 6481399 sendmail needs to ship /etc/sasl/Sendmail.conf

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I think it is
    for server side SASL.


    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/
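As an added audit example (not from the thread, nor sendmail's own code), the script below parses the /etc/mail/authinfo map format described in cf/README and flags what posts 1 and 10 worry about: entries carrying a P: tag (one stored password shared by every local user of the MSP) and M: lists that allow a plaintext mechanism. The sample file contents and host names are constructed, and only the ':' tag separator is handled (the '=' base64 form is left out).

```python
import re
import shlex

# SASL mechanisms that send the password in the clear unless wrapped in TLS.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed sample of an /etc/mail/authinfo source file (hypothetical hosts).
SAMPLE_AUTHINFO = """\
# site-wide submission credentials for the mailhub
AuthInfo:mailhub.example.org "U:submit" "I:submit" "P:s3cret" "M:PLAIN LOGIN"
AuthInfo:relay.example.org "U:relay" "P:hunter2" "M:DIGEST-MD5"
AuthInfo:kdc-hub.example.org "M:GSSAPI"
"""


def parse_authinfo(text):
    """Return a list of (host, tags); tags maps a tag letter (U, I, P, R, M) to its value."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"AuthInfo:(\S+)\s+(.*)", line)
        if not m:
            continue  # not an AuthInfo entry; ignored by this simplified parser
        host, rest = m.group(1), m.group(2)
        tags = {}
        for tok in shlex.split(rest):       # honours the double quotes around each tag
            if len(tok) >= 2 and tok[1] == ":":
                tags[tok[0]] = tok[2:]
        entries.append((host, tags))
    return entries


def audit_authinfo(text):
    """Return a list of (host, findings): a shared stored password and/or plaintext mechanisms."""
    report = []
    for host, tags in parse_authinfo(text):
        findings = []
        if "P" in tags:
            findings.append("stored password shared by all local users")
        mechs = set(tags.get("M", "").upper().split())
        weak = sorted(mechs & PLAINTEXT_MECHS)
        if weak:
            findings.append("plaintext mechanism(s) allowed: " + ", ".join(weak))
        report.append((host, findings))
    return report


if __name__ == "__main__":
    for host, findings in audit_authinfo(SAMPLE_AUTHINFO):
        print(host, "->", "; ".join(findings) or "no findings")
```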

  11. Re: sendmail as MSA and client side GSSAPI

    > Nicolas Williams wrote:
    > > >
    > > > > Now how do I enable GSSAPI authentication for local users? What should
    > > > > I put into the /etc/mail/authinfo file so that each local user who has
    > > > > a Kerberos ticket could authenticate herself to the mailhub?
    > > >
    > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
    > > >
    > > > Am I asking something extraordinary?
    > > >
    > > > fetchmail works fine as GSSAPI client, so there is no more need to
    > > > store a password in the config for receiving mail. I wish we could do
    > > > the same for sending.


    > > Actually, I want to know about this too. I'll ask Sun's sendmail
    > > contact.


    Nicolas, any results?

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  12. Re: sendmail as MSA and client side GSSAPI

    On Sun, Apr 06, 2008 at 02:52:43PM +0000, Victor Sudakov wrote:
    > > Nicolas Williams wrote:
    > > > >
    > > > > > Now how do I enable GSSAPI authentication for local users? What should
    > > > > > I put into the /etc/mail/authinfo file so that each local user who has
    > > > > > a Kerberos ticket could authenticate herself to the mailhub?
    > > > >
    > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
    > > > >
    > > > > Am I asking something extraordinary?
    > > > >
    > > > > fetchmail works fine as GSSAPI client, so there is no more need to
    > > > > store a password in the config for receiving mail. I wish we could do
    > > > > the same for sending.

    >
    > > > Actually, I want to know about this too. I'll ask Sun's sendmail
    > > > contact.

    >
    > Nicolas, any results?


    I followed up on March 19th on the list. I seem to recall my e-mails to
    you bouncing, so see the list archives.

  13. Re: sendmail as MSA and client side GSSAPI

    On Mon, Apr 07, 2008 at 01:48:31PM -0500, Nicolas Williams wrote:
    > I followed up on March 19th on the list. I seem to recall my e-mails to
    > you bouncing, so see the list archives.


    Right, because your sender address is obfuscated. Guess what: when I
    post my reply including the non-obfuscated form of your address then all
    will be able to see it. Please don't obfuscate your sender address.

  14. Re: sendmail as MSA and client side GSSAPI

    Nicolas Williams wrote:
    > > > > >
    > > > > > > Now how do I enable GSSAPI authentication for local users? What should
    > > > > > > I put into the /etc/mail/authinfo file so that each local user who has
    > > > > > > a Kerberos ticket could authenticate herself to the mailhub?
    > > > > >
    > > > > > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
    > > > > >
    > > > > > Am I asking something extraordinary?
    > > > > >
    > > > > > fetchmail works fine as GSSAPI client, so there is no more need to
    > > > > > store a password in the config for receiving mail. I wish we could do
    > > > > > the same for sending.

    > >
    > > > > Actually, I want to know about this too. I'll ask Sun's sendmail
    > > > > contact.

    > >
    > > Nicolas, any results?


    > I followed up on March 19th on the list. I seem to recall my e-mails to
    > you bouncing, so see the list archives.


    Sorry, what list? I posted the question to the Usenet newsgroup
    comp.protocols.kerberos, so I expected a reply there.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  15. Re: sendmail as MSA and client side GSSAPI

    Nicolas Williams wrote:
    > > I followed up on March 19th on the list. I seem to recall my e-mails to
    > > you bouncing, so see the list archives.


    > Right, because your sender address is obfuscated. Guess what: when I
    > post my reply including the non-obfuscated form of your address then all
    > will be able to see it.


    Why would you want to post a reply including the non-obfuscated address?
    You don't need my address to post to Usenet.

    > Please don't obfuscate your sender address.


    In today's Usenet you have to obfuscate the address because of the
    address collecting robots. Should someone want to reply by private
    mail, the obfuscation algorithm is pretty obvious to the human eye.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  16. Re: sendmail as MSA and client side GSSAPI

    On Apr 7, 2008, at 21:49, Victor Sudakov wrote:
    > Sorry, what list? I posted the question to the Usenet newsgroup
    > comp.protocols.kerberos, so I expected a reply there.


    There's a bidirectional relay between the kerberos@mit mailing list
    and the c.p.k newsgroup.

    The mailing list archive is at http://mailman.mit.edu/pipermail/kerberos/

  17. Re: sendmail as MSA and client side GSSAPI

    On Tue, Apr 08, 2008 at 01:49:02AM +0000, Victor Sudakov wrote:
    > Nicolas Williams wrote:
    > > I followed up on March 19th on the list. I seem to recall my e-mails to
    > > you bouncing, so see the list archives.

    >
    > Sorry, what list? I posted the question to the Usenet newsgroup
    > comp.protocols.kerberos, so I expected a reply there.


    Bah, I forgot about comp.protocols.kerberos (it's bidirectionally
    gatewayed to kerberos@mit.edu). Is the gateway having trouble again?

    Anyways, the list archives are here:

    http://mailman.mit.edu/mailman/listinfo/kerberos

  18. Re: sendmail as MSA and client side GSSAPI

    Nicolas Williams wrote:
    > > > I followed up on March 19th on the list. I seem to recall my e-mails to
    > > > you bouncing, so see the list archives.

    > >
    > > Sorry, what list? I posted the question to the Usenet newsgroup
    > > comp.protocols.kerberos, so I expected a reply there.


    > Bah, I forgot about comp.protocols.kerberos (it's bidirectionally
    > gatewayed to kerberos@mit.edu). Is the gateway having trouble again?


    > Anyways, the list archives are here:


    > http://mailman.mit.edu/mailman/listinfo/kerberos


    In http://mailman.mit.edu/pipermail/ker...ch/013358.html
    you were going to ask the Sun's sendmail contact about GSSAPI.
    There is nothing in the list archives whether you have asked them and
    what they answered.

    When you say "I followed up on March 19th" I think this is not the
    followup I was eagerly waiting for.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/
