Additional Kerberos (Samba) / GSSAPI auth for intranet users
Hi,
I have a Dovecot (IMAP only) and Postfix (SMTP) based mail server. User names, mailbox settings and password hashes are loaded from a PostgreSQL database. The users use Thunderbird on the desktop and K9mail or Apple Mail on mobile phones. This has worked fine for a few years.
Now I'd like to introduce Single Sign On with Thunderbird to ease the deployment of client systems. (No more manual mail password entry.)
Users log in on a Samba AD domain, e.g.: johndoe@ad.example.internal. The mail addresses (and equally the auth user names for Dovecot) are in the format: johndoe@example.org. Up to now users have different passwords for AD and mail. These systems are not integrated.
I have two related questions concerning that:
First question: How can I map between these on the Dovecot side? There are no mailboxes or auth users like "johndoe@ad.example.internal". Instead, the public domain (e.g. example.org) is used for the mail system. Up to now the mail server doesn't know anything about the Samba domain and has nothing to do with that.
Second question: Can I allow GSSAPI auth for intranet users only (e.g. 192.168.42.0/24)? My Internet router forwards the IMAP and SMTP ports to the mail server to allow the mobile phones to connect to it. But it doesn't make sense to offer GSSAPI auth for Internet users from all over the world. Isn't that somewhat risky? All the M$ish AD stuff feels somewhat Mystery-Meat-like to me...
Thank you very much for all input and help you can provide!
Yours, Reg
On 14/02/2024 05:43 EET r.barclay--- via dovecot <dovecot@dovecot.org> wrote:
Firstly,
I would run LDAP that can match the auth users and return the correct (internal) identifier for the user. Since you have Kerberos available, you can use Kerberos to authenticate against your AD.
Secondly,
You have some choices here. You can run an authentication proxy on your internal network, or you can accept GSSAPI from the Internet, which isn't so unsafe; I'm not sure what risks you perceive here, though.
Aki
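To make Aki's first suggestion concrete (Kerberos against the Samba AD for the SSO clients, with the ticket's principal mapped onto the existing johndoe@example.org mail user), here is a configuration fragment. It is an added example, not configuration posted in this thread or shipped by Dovecot or Samba: the host name mail.example.org, the keytab path, the realm AD.EXAMPLE.INTERNAL, the single-mail-domain setup and the SQL passdb/userdb file name are all assumptions.

```conf
# Added example, not from the thread. Assumptions: one mail domain (example.org),
# Samba AD realm AD.EXAMPLE.INTERNAL, mail host mail.example.org, and a keytab
# for imap/mail.example.org exported from AD into /etc/dovecot/dovecot.keytab,
# e.g. (on the Samba DC, assumed service account name "mail-svc"):
#   samba-tool user create mail-svc --random-password
#   samba-tool spn add imap/mail.example.org mail-svc
#   samba-tool domain exportkeytab /tmp/dovecot.keytab --principal=imap/mail.example.org
# The keytab is the secret that makes the server trustworthy: install it as
# root:dovecot, mode 0640, and never ship it to clients.

# --- /etc/dovecot/conf.d/10-auth.conf -------------------------------------

# The existing password mechanisms stay, so K9mail / Apple Mail keep working
# unchanged; GSSAPI is added for clients that hold an AD ticket (Thunderbird).
auth_mechanisms = plain login gssapi

# Password mechanisms only inside TLS. GSSAPI carries no password, but the
# mail data on the same connection still needs TLS on the forwarded ports.
disable_plaintext_auth = yes

# Service principal Dovecot accepts tickets for, and where its key lives.
auth_gssapi_hostname = mail.example.org
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

# Mapping, step 2 (step 1 is in krb5.conf below): normalise every login name
# to <user>@example.org before the SQL lookups, so the passdb/userdb queries
# see the same key they always did:
#   Kerberos login  johndoe@AD.EXAMPLE.INTERNAL -> %n = johndoe -> johndoe@example.org
#   Password login  johndoe@example.org         -> %n = johndoe -> johndoe@example.org
# This relies on there being exactly one mail domain. With several domains the
# mapping belongs in the userdb query instead (look up by %n plus the domain).
auth_username_format = %Ln@example.org

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# --- /etc/krb5.conf on the mail server -------------------------------------
# Mapping, step 1. The IMAP "user name" Thunderbird is configured with is sent
# as the SASL authorization identity, and Dovecot only accepts it if the
# Kerberos library says the ticket's principal may act as that name
# (krb5_kuserok; assumed, since it depends on how Dovecot was built). The
# auth_to_local rule below lets johndoe@AD.EXAMPLE.INTERNAL act as
# johndoe@example.org, so the Thunderbird user name can stay the mail address.
[libdefaults]
    default_realm = AD.EXAMPLE.INTERNAL

[realms]
    AD.EXAMPLE.INTERNAL = {
        # Samba DC; assumed name. Clients find it via DNS SRV records as usual.
        kdc = dc1.ad.example.internal
        # [1:$1@example.org]: one-component principals, $1 = user part.
        auth_to_local = RULE:[1:$1@example.org]
        auth_to_local = DEFAULT
    }

# --- Postfix (main.cf) -----------------------------------------------------
# Nothing Kerberos-specific is needed on the SMTP side: with Dovecot SASL,
# Postfix advertises whatever auth_mechanisms Dovecot offers, GSSAPI included.
#   smtpd_sasl_type = dovecot
#   smtpd_sasl_path = private/auth
```

On the second question, this fragment deliberately does not try to hide GSSAPI from 192.168.42.0/24's outside: a client on the Internet sees one extra name in the CAPABILITY line, and can only use it after obtaining a ticket for imap/mail.example.org from the AD KDC, which the router does not forward. What must stay inside is the KDC, and what must stay private on the mail server is the keytab.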
participants (2): Aki Tuomi, r.barclay@habmalnefrage.de