On Fri, Apr 6, 2012 at 10:15 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
...snip...

> The cron solution is much simpler and more robust. There is no
> supervisor process running, no need for the child to not exit, no
> need to instrument postfix start-up by wrapping in kstart, ...
>
> Instead, there is a credential-cache on the system that is always
> unexpired, whether Postfix is still running or not. I used
>
>     smtp/<hostfqdn>@DEFAULT_REALM
>
> The "kinit -k" used the same keytab as the SMTP server uses to
> authenticate inbound connections.
>
> All Postfix needed to do was to augment the import_environment
> for the delivery_agent:
>
> main.cf:
>     krb5_import_environment =
>         # Postfix defaults, drop XAUTHORITY and DISPLAY if
>         # you never use X11 graphical debuggers.
>         # Never leave out LANG=C, the default en_US.UTF8 on many
>         # systems breaks sorting, ...
>         #
>         # Don't try to be clever and use "$import_environment" here,
>         # it won't work: the expansion in master.cf will loop!
>         #
>         MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY
>         LANG=C
>         #
>         # Added for Kerberos, strictly only one of these is needed
>         # on the server and the other on the client, but it is
>         # simpler to set both.
>         #
>         KRB5_KTNAME=FILE:/var/spool/keytabs/smtp
>         KRB5CCNAME=FILE:/var/spool/tickets/smtp

I thought this was working for me, but only due to a manual keytab I had
set up as user postfix (default /tmp/krb5cc_89) for testing. For some
reason postfix is not importing the two kerberos variables. postconf only
reports environment as the first line of variables ending with LANG=C,
which can also be obtained by leaving the import_environment out
altogether:

[root@smtp1 postfix]# postconf | grep environment
export_environment = TZ MAIL_CONFIG LANG
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C

More importantly, the logs also show that postfix is looking for
/tmp/krb5cc_89:

Jul 3 21:50:28 smtp1 postfix/lmtp[19834]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_89' not found)

I've read some old posts that say postfix is incapable of importing the
filename with the variable. Is that true? I'm using 2.6.6 that comes with
Redhat.

> master.cf:
>     smtp inet ... smtpd
>         -o import_environment=$krb5_import_environment
>     smtp unix ... smtp
>         -o import_environment=$krb5_import_environment

I also replicated this for lmtp. Is that correct?

> where the auto-refreshed ticket was naturally in /var/spool/tickets/smtp.
> The corresponding keytab file is in /var/spool/keytabs/smtp. The
> cron-job simply runs
>
>     kinit -c /var/spool/tickets/smtp -k -t /var/spool/keytabs/smtp smtp/$(uname -n)

I am using the cron job as you suggested running as user postfix. Do
group permissions matter on these files (keytab, cached tickets) as cron
places them as postfix:postfix while most postfix files seem to be
postfix:root?

Steve
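Editor's note: the cron job discussed above is a single kinit line, and the
follow-up question is about ownership and permissions of the keytab and the
ticket cache. The script below is an added example written for this page; it
is not code from the thread, from Viktor, or from Postfix. It wraps the same
"kinit -c ... -k -t ..." invocation so that the cache is written to a private
temporary file and renamed into place (a delivery agent that opens the cache
mid-refresh never sees an empty file), and it checks that the keytab and the
cache are regular files owned by the expected user with no group or other
permission bits. The paths /var/spool/keytabs/smtp and
/var/spool/tickets/smtp, the principal smtp/<host>, and the owner name
"postfix" are taken from the discussion and are assumptions, not requirements.

```shell
#!/bin/sh
# refresh-smtp-ticket.sh: cron-driven refresh of a service credential cache
# from a keytab, with an atomic replace and a permission check.
# Added example for this thread; not code from the thread or from Postfix.
# Paths, principal and the owner name "postfix" are assumptions taken from
# the discussion above.

# cred_file_ok FILE OWNER
# Succeeds when FILE is a regular file owned by OWNER with no group/other
# permission bits, which is what a keytab or credential cache should look
# like. Only the POSIX "ls -l" fields are used (mode, links, owner), so the
# check works the same on Linux and BSD-derived systems.
cred_file_ok() {
    f=$1
    want=$2
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    set -- $(ls -ld "$f")                  # mode links owner group size ...
    mode=$(printf '%s' "$1" | cut -c1-10)  # drop a trailing ACL/SELinux marker
    owner=$3
    [ "$owner" = "$want" ] || {
        echo "$f: owned by $owner, expected $want" >&2; return 1; }
    case $mode in
        -???------) return 0 ;;            # e.g. -rw-------: group/other have nothing
        *) echo "$f: mode $mode grants group/other access" >&2; return 1 ;;
    esac
}

# refresh_ticket KEYTAB CCACHE PRINCIPAL
# Runs the same "kinit -k" as the cron job in the thread, but into a private
# temporary cache that is then renamed over CCACHE. rename(2) is atomic, so a
# delivery agent never sees a half-written or empty cache. umask 077 keeps
# the temporary file private; kinit itself also creates caches mode 0600.
refresh_ticket() {
    keytab=$1
    ccache=$2
    princ=$3
    umask 077
    tmp="$ccache.tmp.$$"
    if ! kinit -c "FILE:$tmp" -k -t "$keytab" "$princ"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$ccache"
}

# Usage, e.g. from the crontab of the postfix user every 30 minutes:
#   refresh-smtp-ticket.sh /var/spool/keytabs/smtp /var/spool/tickets/smtp smtp/$(uname -n)
# An optional fourth argument overrides the expected owner (default: postfix).
# Nothing runs when the file is sourced without arguments.
if [ $# -ge 3 ]; then
    owner=${4:-postfix}
    cred_file_ok "$1" "$owner" || exit 1   # refuse to use a keytab others can read
    refresh_ticket "$1" "$2" "$3" || exit 1
    cred_file_ok "$2" "$owner"
fi
```

The check deliberately looks only at the owner and at the group/other bits:
for kinit and for the GSSAPI client in the delivery agent what matters is
that the process's own user can read the files, so the group name (postfix
versus root) is irrelevant to whether the cron job and Postfix work, while
any group or other read bit on a keytab or cache is a credential leak.
Running the script under the postfix user, as the thread does, gives
postfix-owned files, which is what the check expects by default.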