Single sign-on e-mail with GSSAPI/Kerberos authentication
E-mail security is a sensitive topic that open-source e-mail server and client software address by providing several alternatives for performing authentication and confidentiality. In this article we explore the advantages of using GSSAPI/Kerberos authentication in e-mail systems and how to implement it using open source software.
Advantages of GSSAPI/Kerberos powered e-mail systems
Amongst all available alternatives, GSSAPI/Kerberos authentication can be considered as a favorite for several reasons.
- Convenience : The signle sign on feature of GSSAPI/Kerberos allows client e-mail software to use the logon credentials (TGT) ticket cache to obtain 'Tickets' for the smtp or imap server then authenticate and securely exchange messages. The logon credentials are obtained when the user first logs in the machine. The initial longon will be the only time when the user is asked for his/her password. Once the user is authenticated and logon credentials (TGT) obtained. All programs that use GSSAPI/Kerberos authentication will directly use the logon credentials.
- Security: In typical deployments where non GSSPAI/Kerberos authentication is used, passwords are stored in the host so that the user is not prompted for them each time an e-mail transaction with the server is being carried out. The caching of passwords represents a security vulnerability since any entity with administrative privileges on the machine can obtain the user's password.
- Interoperability: The third advantage of using GSSAPI/Kerberos to secure e-mail transactions is that Kerberos is the standard authentication protocol, supported by most operating systems. Using GSSAPI/Kerberos would allow, for example, the implementation of an open source e-mail system and interface it with a windows AD. Since Windows AD uses Kerberos authentication, the imap/smtp server can be registered as a Kerberos service and e-mail clients would use GSSAPI/Kerberos authentication to perform secure imap/smtp transactions with the server.
How to implement GSSAPI/Kerberos powered e-mail systems
To implement a fully Kerberized e-mail system. Three components need to be considered; IMAP server, SMTP server and e-mail clients. In a previous series of articles we have covered how to setup GSSAPI/Kerberos authentication in each of these components :
| IMAP server | How to setup the CYRUS IMAP server with GSSAPI/Kerberos authentication. |
| SMTP server | How to setup the Postfix SMTP server with GSSAPI/Kerberos authentication. |
| E-mail clients | Major e-mail clients have native support of GSSAPI/Kerberos authentication (e.g. Evolution, Thunderbird). Mutt also can support GSSAPI/Kerberos authentication.. |
| Labels: unix, security, howto |
|