So with more reading I've gotten even further; here are things never mentioned in those howtos:

* You must have some means to authenticate to the Kerberos realm for your domain, in my case the MIT Kerberos client for Windows 8

I've got Dovecot working as expected, authenticating using the GSSAPI authentication mechanism, which is great.

Postfix is also talking to the SASL auth daemon, but I'm getting some auth errors like this:

Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()

While Thunderbird reports this:

Sending of message failed.
The Kerberos/GSSAPI ticket was not accepted by the SMTP server. Please check that you are logged in to the Kerberos/GSSAPI realm.

I'm in fact logged in to the realm, from what I can see in the MIT Kerberos client interface:

I hope the attachment can be seen by the list:

So, as you can see, both smtp/ and imap/ are there, so whatever is causing the issue has to do with SASL, but I haven't been able to find any useful debug commands for it apart from testsaslauthd, which yells:

[root@mail ~]# testsaslauthd -u -p pass
0: NO "authentication failed"

I don't know if I need the /etc/saslauthd.conf file as described in some Postfix+LDAP documents. I tested that with no luck; here's a sample of what I tried.

[root@mail ~]# cat saslauthd.conf
ldap_servers: ldap://
ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
ldap_filter: (|(uid=%u)(mail=%u))
ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
ldap_bind_pw: pass

Any advice from you will be greatly appreciated.

Then again, thanks in advance, guys.

-- Regards, DavidG

On 6/25/2014 10:25 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote:
>> I don't know if the fact that the server is already enrolled as
>> smtp/ makes Dovecot not request any ticket as
>> imap/, as I don't see any entries for that system in the
>> KDC log
> Dovecot does not require any ticket; it's your clients that do, and you
> showed me no logs of clients.
>
> If you are configuring your client to talk to, then you
> *must* have keys for imap/ on your IMAP server.
> Keys for imap/ will be useless, as the client won't be
> looking for that ticket.
>
> When a client is configured to talk to, it will ask the
> KDC for a ticket for the principal named imap/.
> The client also may need to be told what KDC to contact for the domain if it really is a different domain from your main one.
> You used and both, so unless it is a bad
> substitution, it means you may want to check the documentation for
> setting up a correct domain_realm section in your krb5.conf (note that
> modern IPA clients that use SSSD do not need manual configuration as
> long as you configure the domains list in the IPA server).
>
> You can, of course, have multiple keys if you advertise your service
> under multiple names to different clients.
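The two checks Simo's reply boils down to, the [domain_realm] mapping of the host the client was given and whether the resulting service principal actually has a key on the server, worked through as an added example. This is my own code, not code from the thread or from FreeIPA, MIT krb5 or Cyrus SASL. The realm DOMAIN.NET, the hostnames mail.domain.net / mail.otherdomain.net / mail.elsewhere.net, the krb5.conf fragment and the `klist -kt` listing are all constructed for illustration, and the lookup order implemented below is my reading of how MIT krb5 consults [domain_realm] when dns_lookup_realm is off (exact host, then parent domains with a leading dot, then an upper-cased parent domain as a last-resort guess).

```python
"""
Map a service host to its Kerberos realm via [domain_realm], build the
principal a GSSAPI client will request, and check a keytab listing for it.
Added example: all names, the krb5.conf fragment and the keytab listing
are constructed, not taken from the thread.
"""
import re

# Constructed krb5.conf fragment (assumption: realm DOMAIN.NET, with the
# mail server also reachable under a second DNS domain, otherdomain.net).
KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET
 mail.otherdomain.net = DOMAIN.NET
"""

# Constructed `klist -kt /etc/krb5.keytab` output: smtp/ and host/ keys
# are present, but no imap/ key has been fetched yet.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/25/2014 09:00:00 smtp/mail.domain.net@DOMAIN.NET
   2 06/25/2014 09:00:00 host/mail.domain.net@DOMAIN.NET
"""


def parse_domain_realm(conf):
    """Return the [domain_realm] entries as a dict, keys lower-cased."""
    section, mapping = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def host_realm(hostname, domain_realm):
    """
    (realm, mapped) for a hostname. Lookup order as I understand MIT krb5
    with dns_lookup_realm off: exact hostname, then each parent domain
    written with a leading dot (longest first). With no match the library
    guesses the upper-cased parent domain, which is precisely the wrong
    realm when the host's DNS domain is not the realm name.
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate], True
    return ".".join(labels[1:]).upper(), False  # unmapped: a guess


def service_principal(service, hostname, domain_realm):
    """The name a GSSAPI client asks the KDC for: service/host@REALM."""
    realm, _ = host_realm(hostname, domain_realm)
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def keytab_principals(listing):
    """Principal names from `klist -kt` style output (KVNO-prefixed rows)."""
    principals = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals


def check_service(service, hostname, conf, listing):
    """(principal the client will request, whether the keytab holds it)."""
    princ = service_principal(service, hostname, parse_domain_realm(conf))
    return princ, princ in keytab_principals(listing)


if __name__ == "__main__":
    for svc, host in [("smtp", "mail.domain.net"), ("imap", "mail.domain.net"),
                      ("imap", "mail.otherdomain.net"), ("imap", "mail.elsewhere.net")]:
        princ, ok = check_service(svc, host, KRB5_CONF, KEYTAB_LISTING)
        print(f"{princ:45s} key in keytab: {ok}")
```

Run against the constructed data it shows smtp/mail.domain.net@DOMAIN.NET present but imap/mail.domain.net@DOMAIN.NET absent, and that a host with no [domain_realm] entry resolves to a guessed realm the KDC does not serve. On a real deployment the same comparison is done by hand: the hostname typed into the mail client is the one that must appear, with the right service prefix, in `klist -kt` on the server, and `kvno imap/<that host>` on the client confirms the KDC will issue a ticket for it.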

