GSSAPI-enabled Email system
(just some notes, not necessarily complete; primarily focused on GSSAPI-related issues, consult other guides for basic cyrus and postfix configuration)
components
- NetBSD
- cyrus-sasl and cy2-gssapi
- postfix (SASL-enabled)
- cyrus-imapd (Kerberos V and GSSAPI enabled)
- cyrus-saslauthd (for good measure) (Kerberos V and GSSAPI enabled)
steps
- install NetBSD (X11 sets not required)
- (various post-install tasks)
- basic kerberos/hesiod setup (see NewHost)
- checkout latest pkgsrc branch
- set in mk.conf:
  PKG_OPTIONS.cyrus-saslauthd+= kerberos gssapi
  PKG_OPTIONS.cyrus-imapd+= kerberos gssapi
- build the aforementioned packages
- configure rc.conf:
  saslauthd=YES
  saslauthd_flags="-a kerberos5"
  cyrus=YES
- service principal: imap/tatooine.kollasch.net@KOLLASCH.NET (its keys go in a keytab the cyrus user can read)
- ...
- create the mailbox in cyradm: cm user.jakllsch
Postfix + SASL + GSSAPI
PKG_OPTIONS.postfix+= sasl tls pcre
service principal: smtp/tatooine.kollasch.net@KOLLASCH.NET
main.cf:
  mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
add the postfix user to the mail group (basically so that postfix can open the lmtp socket)
/usr/pkg/lib/sasl2/smtpd.conf:
  pwcheck_method: saslauthd
  mech_list: gssapi
  keytab: /usr/pkg/etc/smtpd.krb5.keytab
(pwcheck_method only accepts auxprop, saslauthd, pwcheck or alwaystrue; the mechanisms that get offered are chosen with mech_list. keytab: points the cyrus-sasl GSSAPI plugin at a keytab the postfix user can read; keep it separate from the system keytab so postfix only holds the smtp/ key and not the host/ or imap/ keys.)
add to master.cf:
  submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_local_domain=KOLLASCH.NET
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
(some of this may not be necessary; TLS/SSL could also be enforced here, which is worth doing because GSSAPI keeps the password off the wire but the message itself still needs TLS)
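A quick way to verify what the submission service above actually offers is to read its EHLO reply before and after STARTTLS. The script below is an added example (not part of these notes): it parses EHLO replies, flags plaintext mechanisms (PLAIN, LOGIN) advertised on the cleartext connection and a missing GSSAPI, and can probe a live server. The sample replies embedded in it are constructed, not captured from tatooine.

```python
"""Check what a submission server advertises for SASL before and after
STARTTLS.  Added example, not part of the original notes: the sample
EHLO replies and the policy are this example's own assumptions."""
import smtplib
import ssl
from typing import Optional

# Mechanisms that carry a reusable password and must never be offered
# on a cleartext connection.  GSSAPI never sends the password, so it is
# acceptable to advertise it before STARTTLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(text: str) -> dict:
    """Parse the body of an EHLO reply, one keyword per line with the
    server's name on the first line (the form smtplib.SMTP.ehlo()
    returns), into {'starttls': bool, 'auth': set, 'keywords': set}."""
    feats = {"starttls": False, "auth": set(), "keywords": set()}
    for line in text.splitlines()[1:]:      # skip the greeting line
        parts = line.split()
        if not parts:
            continue
        kw = parts[0].upper()
        # Old clients get "AUTH=PLAIN LOGIN" (broken_sasl_auth_clients);
        # treat it the same as "AUTH PLAIN LOGIN".
        if kw.startswith("AUTH="):
            parts = ["AUTH", kw[5:]] + parts[1:]
            kw = "AUTH"
        feats["keywords"].add(kw)
        if kw == "STARTTLS":
            feats["starttls"] = True
        elif kw == "AUTH":
            feats["auth"].update(p.upper() for p in parts[1:])
    return feats


def check_policy(before: dict, after: Optional[dict]) -> list:
    """Return a list of findings (empty list means the policy holds).
    before: features from the cleartext EHLO; after: features from the
    EHLO repeated inside TLS, or None if STARTTLS was not offered."""
    findings = []
    if not before["starttls"]:
        findings.append("STARTTLS not offered")
    leaked = before["auth"] & PLAINTEXT_MECHS
    if leaked:
        findings.append("plaintext mechanisms offered before TLS: "
                        + ", ".join(sorted(leaked)))
    final = after if after is not None else before
    if "GSSAPI" not in final["auth"]:
        findings.append("GSSAPI not offered")
    return findings


def probe(host: str, port: int = 587) -> list:
    """Connect to a real submission port and run the policy check."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, msg = s.ehlo()
        before = parse_ehlo(msg.decode("ascii", "replace"))
        after = None
        if before["starttls"]:
            s.starttls(context=ssl.create_default_context())
            _, msg = s.ehlo()           # capabilities may differ inside TLS
            after = parse_ehlo(msg.decode("ascii", "replace"))
    return check_policy(before, after)


# Constructed sample replies (not captured from a real server).
WEAK_CLEAR = ("tatooine.kollasch.net\nPIPELINING\nSTARTTLS\n"
              "AUTH GSSAPI PLAIN LOGIN\n8BITMIME")
GOOD_CLEAR = "tatooine.kollasch.net\nPIPELINING\nSTARTTLS\nAUTH GSSAPI\n8BITMIME"
GOOD_TLS = "tatooine.kollasch.net\nPIPELINING\nAUTH GSSAPI PLAIN\n8BITMIME"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or ["OK"])
    else:
        print(check_policy(parse_ehlo(WEAK_CLEAR), None))
        print(check_policy(parse_ehlo(GOOD_CLEAR), parse_ehlo(GOOD_TLS)))
```

Run it with a host name to probe port 587 for real; with no arguments it evaluates the constructed replies. With mech_list restricted to gssapi as above, the cleartext EHLO should look like GOOD_CLEAR; if PLAIN or LOGIN show up there, either mech_list or the TLS enforcement on the submission port needs attention.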
Client Configuration
Mutt
Sending
This is as simple as configuring Mutt to send mail via an msmtp built with GNU SASL (gsasl) and GSSAPI support.
.msmtprc:
  logfile ~/.msmtp.log

  account tatooine
  host tatooine.kollasch.net
  from jakllsch@test.kollasch.net
  port 587
  auth gssapi
  user jakllsch@KOLLASCH.NET

  account default : tatooine
(there is no tls line here, so msmtp will talk to port 587 in the clear; add one if the server enforces STARTTLS)
Receiving
Make sure Mutt has been compiled against cyrus-sasl. cy2-gssapi is also required.
.muttrc:
  set imap_user=jakllsch
  set spoolfile=imap://tatooine.kollasch.net/INBOX
Mozilla Thunderbird
(requires version 1.5 or higher)
Append user_pref("network.auth.use-sspi", false); to your profile's prefs.js (or put it in user.js, which Thunderbird does not rewrite), so that MIT Kerberos for Windows is used instead of Microsoft's SSPI Kerberos implementation.
To Do
- Fix pkgsrc gsasl to use Heimdal rather than GNU libgss for its GSSAPI support.