Hi,
I want to set up Postfix for authentication with a relay host using
GSSAPI.
I'm using the configuration proposed in
https://www.mail-archive.com/postfix-users@postfix.org/msg29041.html but
am now looking into using KRB5_CLIENT_KTNAME instead of KRB5CCNAME, as
this would enable me to use /etc/krb5.keytab directly (with the
correct permissions) and get rid of the CRON job that fetches the TGT.
# main.cf (continuation lines of import_environment must start with whitespace)
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_password_maps = static:empty:empty
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
    DISPLAY LANG=C POSTLOG_SERVICE POSTLOG_HOSTNAME
    KRB5_CLIENT_KTNAME=/etc/postfix-kerberos/krb5.keytab KRB5CCNAME=MEMORY:
header_size_limit = 4096000
Sadly, this always results in the first entry of the keytab being used.
But because said keytab contains entries for all service principal
names and user principal names, fetching a TGT fails because the wrong
principal name (a service principal name instead of the user principal
name) is used for fetching the TGT (GSSAPI error: No credentials
were supplied, or the credentials were unavailable or inaccessible
(Client 'restrictedkrbhost/test.example.org@ÉXAMPLE.ORG' not found in
Kerberos database)).
Do you have any hint on how to make Postfix select the proper entry of
the keytab? I would have expected it to honor the username configured in
smtp_sasl_password_maps, but from gdb breakpoints it looks like that is
not passed into libkrb5.
Kind regards,
Michael Braun
Postfix-users mailing list -- postfix-users@postfix.org
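The behaviour described in the post (libkrb5 takes the first principal in the KRB5_CLIENT_KTNAME keytab when no client principal is named) can be checked directly against the keytab file. The following is an added example, not code from the original post or from Postfix: it parses the MIT keytab file format (version 0x0502), reports which principal would be picked by default, and writes a new keytab holding only the wanted user principal so that it becomes the first (and only) entry. The principal names, realm, key version numbers and key bytes in the sample keytab are constructed; the enctype numbers 17 and 18 are the standard aes128-cts and aes256-cts identifiers.

```python
"""Inspect and filter an MIT Kerberos keytab (file format version 0x0502).

Added example, not from the original post or from Postfix. It shows why a
shared keytab gives libkrb5 the wrong default client principal (the first
entry wins when KRB5_CLIENT_KTNAME is set and no principal is named) and
how to derive a keytab that contains only the wanted user principal.
All principal names, realms, kvnos and key bytes below are constructed.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab, format version 2


def _counted(data, off):
    """Read a 16-bit-length-prefixed byte string at `off`."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return keytab entries in file order as dicts (principal, kvno, enctype, key)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name type (NT_PRINCIPAL=1), timestamp, 8-bit kvno
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno, used if nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def build_keytab(entries):
    """Serialise entries (same dict shape as parse_keytab) into a v2 keytab.

    Principal components are split on '/', so names with escaped slashes are
    not supported by this example.
    """
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, e["kvno"] & 0xFF)   # NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def default_client_principal(data):
    """Principal libkrb5 would use from KRB5_CLIENT_KTNAME when none is named."""
    entries = parse_keytab(data)
    return entries[0]["principal"] if entries else None


def filter_keytab(data, principal):
    """New keytab holding only the entries (all enctypes/kvnos) of `principal`."""
    keep = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not keep:
        raise KeyError(f"{principal} not present in keytab")
    return build_keytab(keep)


# Constructed sample: a host keytab where service principals come first and
# the user principal meant for the SMTP client sits last.
SHARED_KEYTAB = build_keytab([
    {"principal": "restrictedkrbhost/test.example.org@EXAMPLE.ORG",
     "kvno": 3, "enctype": 18, "key": b"\x11" * 32},
    {"principal": "host/test.example.org@EXAMPLE.ORG",
     "kvno": 3, "enctype": 18, "key": b"\x12" * 32},
    {"principal": "postfix-relay@EXAMPLE.ORG",
     "kvno": 2, "enctype": 17, "key": b"\x22" * 16},
])

if __name__ == "__main__":
    for e in parse_keytab(SHARED_KEYTAB):
        print(f"kvno {e['kvno']} enctype {e['enctype']} {e['principal']}")
    print("default client principal:", default_client_principal(SHARED_KEYTAB))
    dedicated = filter_keytab(SHARED_KEYTAB, "postfix-relay@EXAMPLE.ORG")
    print("after filtering:", default_client_principal(dedicated))
```

Running `parse_keytab(open("/etc/krb5.keytab", "rb").read())` shows the same order `klist -k` does; the first principal printed is the one a bare KRB5_CLIENT_KTNAME will try to get a TGT for. The keytab written by `filter_keytab` contains raw long-term keys, so it needs the same restrictive ownership and mode as the original and should be written to the path referenced in import_environment rather than left in a temporary location.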