4.1.1. Kerberos Authentication within Active Directory

Kerberos is the primary authentication mechanism in Windows Active Directory. Within the AXIGEN Mail Server, it is used as an authentication method through GSSAPI (Generic Security Services Application Programming Interface). To enable Kerberos authentication for your installed AXIGEN Mail Server, follow the steps described below.

1. Create an account named "axigen_SERVICE" in Active Directory for each AXIGEN service you want to authenticate on. Three accounts will be used for all AXIGEN supported services: axigen_smtp, axigen_imap, and axigen_pop.

2. Export the keys using the KTPASS utility:
  1. Generate a key for the SMTP service:
       ktpass -princ smtp/axigen.hostname@REALM -mapuser axigen_smtp -pass PASSWORD -out axigen-smtp.keytab
  2. Generate a key for the IMAP service:
       ktpass -princ imap/axigen.hostname@REALM -mapuser axigen_imap -pass PASSWORD -out axigen-imap.keytab
  3. Generate a key for the POP3 service:
       ktpass -princ pop/axigen.hostname@REALM -mapuser axigen_pop -pass PASSWORD -out axigen-pop.keytab

In all commands shown above you must replace:
  • axigen.hostname - with the domain AXIGEN users should use to log in
  • REALM - with the Kerberos realm; for Active Directory in particular, with the domain name for which you want to authenticate
  • PASSWORD - with the password for the corresponding "axigen_SERVICE" account, which you have previously created

Please note that a reverse DNS lookup of the AXIGEN Mail Server IP address must return the same hostname you have specified above as "axigen.hostname".


3. Copy the exported key files to the /etc directory on the AXIGEN machine and merge them using the 'ktutil' application. Type 'ktutil' and issue the following commands in the application's subshell:

  • load the needed keytab files, according to the services you want to use GSSAPI authentication with:
      rkt /etc/axigen-smtp.keytab
      rkt /etc/axigen-imap.keytab
      rkt /etc/axigen-pop.keytab
  • write the new /etc/krb5.keytab file:
      wkt /etc/krb5.keytab
  • exit the ktutil shell:
      quit

At this point, all necessary keys are saved in the /etc/krb5.keytab file.
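
To confirm that the merge in step 3 picked up every service key, the following added example (not part of the AXIGEN documentation) parses a keytab and reports which of the smtp, imap and pop principals are missing. It assumes the file is in MIT keytab format version 0x0502; the function names are illustrative, and the hostname mail.example.test, realm EXAMPLE.TEST, key version numbers and all-zero keys in SAMPLE are constructed.

```python
import struct

SERVICES = ("smtp", "imap", "pop")  # service names from the ktpass commands

def read_counted(buf, pos):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] from a format 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                        # hole left by a deleted entry
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = read_counted(buf, pos + 2)
        parts = []
        for _ in range(ncomp):               # e.g. "smtp", then the hostname
            part, p = read_counted(buf, p)
            parts.append(part.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", buf, p)
        _key, p = read_counted(buf, p + 11)  # key bytes are read, not returned
        if pos + size - p >= 4:              # optional 32-bit kvno overrides 8-bit
            (kvno,) = struct.unpack_from(">I", buf, p)
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
        pos += size
    return entries

def missing_services(entries, hostname, realm):
    """Services that have no service/hostname@realm key in the keytab."""
    have = {name for name, _, _ in entries}
    return [s for s in SERVICES if f"{s}/{hostname}@{realm}" not in have]

def make_entry(service, host, realm, kvno):
    """Build one entry (enctype 18, all-zero key) for the constructed sample."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + cs(realm) + cs(service) + cs(host)
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, 18) + struct.pack(">H", 32)
            + bytes(32) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: a merged keytab where the POP keytab was never loaded.
SAMPLE = (b"\x05\x02" + make_entry("smtp", "mail.example.test", "EXAMPLE.TEST", 3)
          + struct.pack(">i", -6) + bytes(6)
          + make_entry("imap", "mail.example.test", "EXAMPLE.TEST", 4))
```

To check a real file, pass the bytes of /etc/krb5.keytab to parse_keytab and call missing_services with the hostname and realm used in the ktpass commands; an empty list means all three keys were merged.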

Prerequisites and Settings for Each Active Directory User Defined for AXIGEN

The AXIGEN Mail Server domain name must be the same as the full Active Directory domain name. Also, the accounts for which you want to use Kerberos authentication must be created within the AXIGEN Mail Server.

Example

The example below shows how to set up the Windows version of the Mozilla Thunderbird email client to use Kerberos authentication within an Active Directory environment:
  1. Open the 'Account Settings' window from 'Tools' -> 'Account Settings...'.
  2. Click 'Add Account'. This will open the 'Account Wizard'.
  3. Select 'Email account' as the type of account to be created, then press 'Next'.
  4. Fill in your name and e-mail address and press 'Next'.
  5. In the next screen, select 'IMAP' or 'POP' incoming server types, according to your network policy. Set the 'incoming server' box to AXIGEN's fully qualified host name or the AXIGEN machine IP address.
  6. Press 'Next' and fill in the user account name as stored in AXIGEN. In the last screen, fill in the account name, then press 'Next', review the settings and press 'Finish'.
  7. Go to the 'Server settings' section of the newly created account and check the 'Use secure authentication' option. Also, if AXIGEN is configured to relay emails from authenticated users only and if you have created a keytab corresponding to the 'smtp' service (as shown above), add the AXIGEN hostname in the 'Outgoing server (SMTP)' section, selecting the 'Username and password' checkbox from the 'Security and authentication' section.
  8. Click the 'OK' button from the 'Account settings' window.