Topic: Can't send e-mail from mailclient with GSSAPI/Kerberos authentication

bubnov-pi

Hi all. My problem is very close to http://forum.zentyal.org/index.php/topic,12388.msg50950.html#msg50950 but has some differences.

I have a virtual mail domain 'test.ru' on a Zentyal 3.0 server.
The authorization domain (Kerberos realm) is 'test.lan'.
Workstations and users are members of the "Windows domain" 'test.lan'.
On the workstations, Thunderbird is configured as the default mail client with Kerberos / GSSAPI authorization.
Because the authorization credentials are 'user@TEST.LAN' and the mail addresses are 'user@test.ru', I get some authorization errors:
First from Dovecot, when a user tries to receive mail:
Code:
Jun 28 16:01:40 zent dovecot: auth: Error: userdb(user@TEST.LAN,192.168.122.29): user not found from userdb ldap
Jun 28 16:01:40 zent dovecot: imap: Error: Authenticated user not found from userdb, auth lookup id=2933784577 (client-pid=24627 client-id=1)
Jun 28 16:01:40 zent dovecot: imap-login: Internal login failure (pid=24627 id=1) (auth failed, 1 attempts): user=<user@TEST.LAN>, method=GSSAPI, rip=192.168.122.29, lip=192.168.122.101, mpid=24631, TLS
This error can be fixed by modifying the rule in the 'dovecot-ldap.conf' file to:
Code:
user_filter = (&(objectClass=CourierMailAccount)(|(uid=%n)(mail=%u)))
But the second error occurs when sending e-mails, from Postfix:
Code:
Jun 28 16:10:51 zent postfix/smtpd[24798]: connect from linux-7r77.test.lan[192.168.122.29]
Jun 28 16:10:51 zent postfix/smtpd[24798]: NOQUEUE: reject: RCPT from linux-7r77.test.lan[192.168.122.29]: 553 5.7.1 <user@test.ru>: Sender address rejected: not owned by user user@TEST.LAN; from=<user@test.ru> to=<mailuser@test.lan> proto=ESMTP helo=<[192.168.122.29]>
Jun 28 16:10:54 zent postfix/smtpd[24798]: disconnect from linux-7r77.test.lan[192.168.122.29]
And I can't find any way to solve it other than commenting out the 'smtpd_sender_restrictions' rule, as in the thread pointed to in the first line of this post, so that any authenticated user can send a message "from" any e-mail address, and that is not so fine  :-\

Is this behavior of the Zentyal server normal or erroneous? Does anybody have suggestions for solving this situation more accurately?

P.S.: The described situation is on a just-installed (from the "zentyal-3.0-2-i386.iso" disc) test system; current core version: 3.0.21, with all current updates. Active modules: Network, Firewall, Antivirus, DHCP, DNS, Backup, Events, Logs, Mail Filter, Monitoring, NTP, VPN, Users and Groups, Web Server, FTP, Mail, File Sharing, HTTP Proxy, Webmail, Printer Sharing. I am exploring Zentyal as an alternative to our old solution with different authentication databases/user accounts on different physical servers (file server, mail server and proxy/web/GW). The first task is to transfer the e-mail and central authorization roles to the new platform, and I can't name my internal domain the same as the external one, because users have access to an external web platform whose name is exactly the same as our mail domain.
« Last Edit: June 28, 2013, 03:10:47 pm by bubnov-pi »

christian

Although I'm not using 3.0 but 2.2 and therefore might be wrong with my analysis, I'm a bit puzzled with what you describe.

Indeed you can modify default Dovecot behaviour to permit authentication with user's account rather than mail address. I wonder how kerberos would react if providing mail address as "user name" in Thunderbird config but as long as you provide valid ticket, I don't see why it would not work.

Same kind of remark with SMTP: using Thunderbird, you can manually configure "user name" to be used for Kerberos authentication. I don't think it has to tightly match mail address.

If for some reason you have to stick with user's account, then you should try modifying main.cf which embeds
Code:
senderlogin_query_filter = (&(mail=%s)(objectClass=CourierMailAccount))
You can verify that this is the LDAP search used here by increasing the LDAP log level.
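As an added illustration (not from this thread and not Zentyal's own template) of how the query filter above is used: Postfix looks up smtpd_sender_login_maps with the envelope MAIL FROM address as the key and rejects the message unless one returned value matches the SASL login name, so the table has to return the Kerberos-style login ("user@TEST.LAN"), not just the bare uid. The file path, LDAP server address and base DN below are assumptions.

```ini
# /etc/postfix/ldap-sender-login.cf   (hypothetical path, constructed example)
# Key %s is the envelope sender, e.g. user@test.ru.
server_host = ldap://127.0.0.1        # assumed LDAP server
search_base = ou=Users,dc=test,dc=lan # assumed base DN
version = 3
bind = no
# Same filter as in the post: find the account that owns the sender address.
query_filter = (&(mail=%s)(objectClass=CourierMailAccount))
# Return the account name ...
result_attribute = uid
# ... and rewrite it into the form the GSSAPI/SASL layer reports,
# so "user" becomes "user@TEST.LAN" and the comparison can succeed.
result_format = %s@TEST.LAN

# In main.cf (only the relevant settings):
# smtpd_sender_login_maps = ldap:/etc/postfix/ldap-sender-login.cf
# smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit
```

With this table in place, the restriction keeps rejecting an authenticated user who tries to send "from" someone else's address, which is the protection lost when smtpd_sender_restrictions is commented out.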

bubnov-pi

No, if I try to change the username for IMAP or SMTP to something different from 'user@TEST.LAN', a Kerberos rejection occurs, because the user's valid ticket is in the Kerberos realm (TEST.LAN).
I tried changing senderlogin_query_filter to use 'uid=%u', like in Dovecot, but with no change in the result.

bubnov-pi

And yes, if the user provides a password, with their own e-mail address as the login name, everything works fine, but I need "one point authorization".

christian

I understand, although, at least to me, "single authentication" is more a nice-to-have than a must, especially if there is not very tight control on workstations and sleep mode after a short period of time.