You want to take advantage of your MIT Kerberos-5 infrastructure for authentication to your mail server.
Use a mail client that supports GSSAPI Kerberos authentication
via the IMAP
AUTHENTICATE
command, such as
mutt or pine.
If you have set up an IMAP server using imapd , and a Kerberos realm [Recipe 4.11], then most of the work is done: the Red Hat imapd comes with Kerberos support already built in and enabled. All that remains is to add Kerberos principals for the mail service on the server host.
If your username is homer and the mail server is marge, then:
marge# kadmin -p homer/admin Authenticating as principal homer/admin@DOGOOD.ORG with password. Enter password:********
kadmin:ank -randkey -policy hosts imap/marge.dogood.org
Principal "imap/marge.dogood.org@DOGOOD.ORG" created. kadmin:ktadd -k /etc/krb5.keytab imap/marge.dogood.org
Entry for principal imap/marge.dogood.org@DOGOOD.ORG with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/ krb5.keytab. kadmin:quit
Now on any host in the Kerberos realm, your compatible mail client should automatically use your Kerberos credentials, if available:
$ kinit
Password for pat@DOGOOD.ORG: ********
$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: pat@DOGOOD.ORG
Valid starting Expires Service principal
03/05/03 03:48:35 03/05/03 13:48:35 krbtgt/DOGOOD.ORG@DOGOOD.ORG
Then connect with your mail client, such as mutt: [Recipe 8.12]
$ MAIL=imap://pat@marge.dogood.org/ mutt
or pine: [Recipe 8.11]
$ pine -inbox-path='{pat@marge.dogood.org/imap}'
If it works correctly, you will be connected to your mailbox without being asked for a password, and you’ll have acquired a Kerberos ticket for IMAP on the mail server:
$ klist Ticket cache: FILE:/tmp/krb5cc_500 Default principal: pat@DOGOOD.ORG Valid starting Expires Service principal 03/07/03 14:44:40 03/08/03 00:44:40 krbtgt/DOGOOD.ORG@DOGOOD.ORG 03/07/03 14:44:48 03/08/03 00:44:40 imap/marge.dogood.org@DOGOOD.ORG
This technique works for
POP as well. With
pine, use Kerberos service
principal
pop/marge.dogood.org@DOGOOD.ORG and a mailbox path
ending in /pop. With mutt,
however, we were unable to make this work in our Red Hat 8.0 system.
There is some confusion about whether the Kerberos principal is
pop/... or pop-3/...; also, the actual
AUTH
GSSAPI data
transmitted by the client appears to be truncated, causing
authentication failure. We assume this is a bug that will be fixed
eventually.
For debugging, remember to examine the KDC syslog messages for clues.
mutt(1), pine(1). See SSL for Securing Mail, regarding the relationship between SSL and different forms of user authentication.
The Kerberos FAQ has more about GSSAPI: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html.
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.