[Freeipa-users] postfix ipa

Sumit Bose sbose at redhat.com
Fri Nov 29 11:22:58 UTC 2013


On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
> On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
> > hi,
> > 
> > just came across Erinn Looney-Triggs's excellent writeup on using
> > kerberos for relaying e-mail
> > (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
> > and have a question.
> > 
> > Would it not be possibly easier to just use the host's keytab
> > (/etc/krb5.keytab) instead of just deploying a new service principal
> > to every smtp client?
> > 
> > I ask this because I am in the point of deploying something similar
> > and would rather not need to have to deploy another set of keytabs
> > everywhere unless this is a security malpractice, of course.
> > 
> > TIA,
> > --
> > Groeten,
> > natxo
> 
> Easier? Yes. More secure? Probably not.
> 
> Kerberos experts may correct me, but from my POV, it is better to separate
> these privileges. If postfix works on host/`hostname`@REALM, it could act as a
> host identity. For example, attacker could change host's SSH public keys in
> FreeIPA host entry in LDAP if it takes control over the mail service. Or it
> could unenroll the host entirely from FreeIPA.
> 
> If it runs on its own keytab and thus its own identity, it can only act on behalf of it.

yes, reusing keytabs is like giving all users the same password and
making them aware of it.

bye,
Sumit

> 
> Martin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
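The separation Martin and Sumit argue for, as an added example that is not part of the thread or of Erinn's writeup: provision a dedicated smtp/ service principal for Postfix with the real `ipa service-add` and `ipa-getkeytab` commands, then audit a `klist -k` listing to confirm the keytab handed to the mail service carries only that identity and no host/ principal. The hostname, realm, IPA server, keytab path and the two keytab listings are constructed assumptions; the provisioning function is not executed by the script itself because it needs an enrolled host and an admin ticket.

```shell
#!/bin/sh
# Added example (not from the thread): give Postfix a dedicated Kerberos
# identity instead of /etc/krb5.keytab, and audit the keytab it is handed.
# Hostname, realm, server name and keytab path are assumptions.

SMTP_HOST="mail.example.test"            # assumed enrolled client hostname
REALM="EXAMPLE.TEST"                     # assumed Kerberos realm
IPA_SERVER="ipa.example.test"            # assumed FreeIPA server
SMTP_KEYTAB="/etc/postfix/smtp.keytab"   # assumed keytab path for Postfix

# Provisioning: a separate smtp/ service principal with its own keytab, so a
# compromised mail service cannot act as host/<hostname> (edit SSH keys in the
# host entry, unenroll the host). Needs an admin ticket on an enrolled host;
# kept in a function so nothing below requires a FreeIPA server to run.
provision_smtp_keytab() {
    ipa service-add "smtp/${SMTP_HOST}@${REALM}" \
    && ipa-getkeytab -s "${IPA_SERVER}" -p "smtp/${SMTP_HOST}@${REALM}" \
                     -k "${SMTP_KEYTAB}" \
    && chown root:postfix "${SMTP_KEYTAB}" \
    && chmod 0640 "${SMTP_KEYTAB}"
}

# Print the unique principals in a `klist -k` listing read from stdin.
# Data rows start with a numeric KVNO; the principal is the last field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $NF }' | sort -u
}

# Return 0 if the listing holds at least one principal, all of them with the
# expected service prefix (default smtp/) and none of them host/; else 1.
audit_keytab_listing() {
    listing="$1"
    expected_prefix="${2:-smtp/}"
    principals=$(printf '%s\n' "$listing" | keytab_principals)
    [ -n "$principals" ] || return 1
    if printf '%s\n' "$principals" | grep -q '^host/'; then
        return 1
    fi
    printf '%s\n' "$principals" | grep -v "^${expected_prefix}" | grep -q . && return 1
    return 0
}

# Constructed `klist -k` output for a dedicated Postfix keytab (two enctypes).
SAMPLE_SMTP_KEYTAB_LISTING='Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/mail.example.test@EXAMPLE.TEST
   2 smtp/mail.example.test@EXAMPLE.TEST'

# Constructed `klist -k` output for the host keytab the question proposed reusing.
SAMPLE_HOST_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/mail.example.test@EXAMPLE.TEST
   1 host/mail.example.test@EXAMPLE.TEST'

if audit_keytab_listing "$SAMPLE_SMTP_KEYTAB_LISTING"; then
    echo "smtp.keytab: OK, dedicated smtp/ identity only"
else
    echo "smtp.keytab: REJECT"
fi
if audit_keytab_listing "$SAMPLE_HOST_KEYTAB_LISTING"; then
    echo "krb5.keytab: OK"
else
    echo "krb5.keytab: REJECT, carries a host/ principal; do not hand it to Postfix"
fi
```

On a real client, pipe `klist -k "$SMTP_KEYTAB"` into `keytab_principals` instead of the constructed listing; the audit is the same. The 0640 root:postfix mode matters as much as the principal: a keytab readable by every local user is the "same password for everyone" Sumit describes, whichever principal it contains.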
