Exim Internet Mailer

<-previousnext->

Chapter 39 - The heimdal_gssapi authenticator

The heimdal_gssapi authenticator provides server integration for the Heimdal GSSAPI/Kerberos library, permitting Exim to set a keytab pathname reliably.

server_hostname Use: heimdal_gssapi Type: string Default: see below

This option selects the hostname that is used, with server_service, for constructing the GSS server name, as a GSS_C_NT_HOSTBASED_SERVICE identifier. The default value is $primary_hostname.

server_keytab Use: heimdal_gssapi Type: string Default: unset

If set, then Heimdal will not use the system default keytab (typically /etc/krb5.keytab) but instead the pathname given in this option. The value should be a pathname, with no “file:” prefix.

server_service Use: heimdal_gssapi Type: string Default: smtp

This option specifies the service identifier used, in conjunction with server_hostname, for building the identifier for finding credentials from the keytab.

1. heimdal_gssapi auth variables

Beware that these variables will typically include a realm, thus will appear to be roughly like an email address already. The authzid in $auth2 is not verified, so a malicious client can set it to anything.

The $auth1 field should be safely trustable as a value from the Key Distribution Center. Note that these are not quite email addresses. Each identifier is for a role, and so the left-hand-side may include a role suffix. For instance, “joe/admin@EXAMPLE.ORG”.

  • $auth1: the authentication id, set to the GSS Display Name.

  • $auth2: the authorization id, sent within SASL encapsulation after authentication. If that was empty, this will also be set to the GSS Display Name.

<-previousTable of Contentsnext->