Securing mail access with Kerberos and SSL - PowerPoint PPT Presentation

Slides: 11
Provided by: Wil866

1
Securing mail access with Kerberos and SSL
  • Wolfgang Friebel
  • DESY

2
Motivation
  • User authentication at our site is based on
    Kerberos
  • Nearly all services made Kerberos aware (xdm,
    ftp,...)
  • IMAP4 with the UW imapd was not kerberized
  • Clear text passwords were sent for imapd auth
  • Had to maintain UNIX passwords because of imapd

3
Goals
  • Stay with the present imapd server (UW)
  • Get rid of clear text passwords by using
      • imapd with SSL
      • encrypting the communication
  • Get rid of UNIX passwords by using
      • imapd with Kerberos
      • check password against Kerberos or
      • sending encrypted data to authenticate

4
Solution 1: Authentication with Kerberos
  • Make use of the PAM support on several platforms
      • link imapd including the pam library
  • Advantages
      • no source code modification required
      • encrypted UNIX password no longer needed
  • Disadvantage
      • Passwords go in clear over the line

5
Solution 2: Making imapd Kerberos aware
  • imapd / pine comes with client side Kerberos
    support
  • server side support added by Michael Matz
  • compiled pine and imapd with Kerberos
    authenticator
  • Advantage
      • no password required with valid token
  • Disadvantages
      • Clear password transmission without valid token
      • no other Kerberos aware clients except pine

6
Solution 3: Accepting SSL connections
  • Made imapd SSL aware by replacing the socket read
    and write calls (recipe by Andy Polyakov,
    appro_at_fy.chalmers.se)
  • Separate server listening on port 993
  • Is known to work at least on Solaris
  • Requires a certificate authority
  • Advantages
      • works with Netscape, Internet Explorer
      • no longer any clear text passwords
  • Disadvantages
      • lacking SSL support in pine, wrapper required
      • speed, whole session gets encrypted

7
Alternate solutions for SSL support
  • Use unmodified imapd and unmodified clients with
    available wrappers, e.g.
      • stunnel
      • bjorb
      • wrapssl
  • Advantage
      • ease of installation
  • Disadvantage
      • Wrappers (daemons) required on each host

8
Our final solution: Kerberos and SSL
  • Two running servers
      • kerberized imapd on port 143
      • SSL aware kerberized imapd on port 993
  • Kerberos aware client: pine
  • SSL aware clients: Netscape and Internet Explorer
  • pine made SSL aware by Michael Matz (9/99)
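
An added example, not part of the original slides: a check of what each of the two servers above advertises, classifying whether a password can still cross the wire in clear text (the disadvantage listed for solution 2). The capability names come from the IMAP RFCs; which Kerberos mechanism the kerberized imapd advertised, the function names and the sample responses are assumptions made for illustration.

```python
import re

# Capability names from the IMAP RFCs (1731, 2595, 3501); which mechanism the
# kerberized imapd on the slides advertised is an assumption, not from the deck.
KERBEROS_MECHS = {"AUTH=KERBEROS_V4", "AUTH=GSSAPI"}
PASSWORD_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}  # base64 only, readable on the wire


def parse_capabilities(line):
    """Return the capability set from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I) or \
        re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def assess(line, ssl_wrapped):
    """Classify one listener: ssl_wrapped=True for port 993, False for port 143."""
    caps = parse_capabilities(line)
    if not caps:
        return "unknown: no CAPABILITY data"
    kerberos = bool(caps & KERBEROS_MECHS)
    # LOGIN (user + password) is allowed unless the server says LOGINDISABLED.
    password = "LOGINDISABLED" not in caps or bool(caps & PASSWORD_MECHS)
    if ssl_wrapped:
        return "ok: session encrypted" + (", Kerberos offered" if kerberos else "")
    if not password:
        return "ok: Kerberos only" if kerberos else "ok: password login disabled"
    if kerberos:
        return "risk: Kerberos offered, clear text password fallback"
    return "risk: clear text passwords only"


# Constructed sample responses (not captured from any real server).
SAMPLES = [
    ("143 kerberized", "* CAPABILITY IMAP4 IMAP4REV1 AUTH=KERBEROS_V4", False),
    ("143 hardened", "* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED AUTH=GSSAPI] ready", False),
    ("993 over SSL", "* CAPABILITY IMAP4REV1 AUTH=KERBEROS_V4 AUTH=LOGIN", True),
    ("143 stock", "* CAPABILITY IMAP4 IMAP4REV1", False),
]

if __name__ == "__main__":
    for name, line, ssl_wrapped in SAMPLES:
        print(f"{name:15} {assess(line, ssl_wrapped)}")
```

The first sample corresponds to the kerberized server on port 143: a client without a valid token can still fall back to a plain LOGIN, which is why the port 993 server is run alongside it.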

9
Conclusions
  • Reached our goals
  • Kerberized imapd used at Zeuthen since 8/99
  • Hamburg will follow, if test phase successful
  • SSL aware pine (pinessl or spine) comes next
  • Patches available

10
Resources
  • imapd with SSL
      • http://fy.chalmers.se/appro/ssl_inetd.htm
  • pine with SSL
      • ftp://ftp.ifh.de/pub/unix/mail/pine4.10-ssl.diff.gz
  • kerberized imapd
      • ftp://ftp.ifh.de/pub/unix/mail/imap-4.6-kerberos.diff.tgz
  • stunnel
      • http://mike.daewoo.com.pl/computer/stunnel
  • bjorb
      • http://www.hitachi-ms.co.jp/bjorb/en/