Stephen Ingram:
> On Fri, Apr 6, 2012 at 10:15 AM, Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
>
> ...snip...
>
> > The cron solution is much simpler and more robust. There is no
> > supervisor process running, no need for the child to not exit, no
> > need to instrument postfix start-up by wrapping in kstart, ...
> >
> > Instead, there is a credential-cache on the system that is always
> > unexpired, whether Postfix is still running or not. I used
> >
> >     smtp/<hostfqdn>@DEFAULT_REALM
> >
> > The "kinit -k" used the same keytab as the SMTP server uses to
> > authenticate inbound connections.
> >
> > All Postfix needed to do was to augment the import_environment
> > for the delivery_agent:
> >
> > main.cf:
> >     krb5_import_environment =
> >         # Postfix defaults, drop XAUTHORITY and DISPLAY
> >         # if you never use X11 graphical debuggers.
> >         # Never leave out LANG=C, the default en_US.UTF8 on many
> >         # systems breaks sorting, ...
> >         #
> >         # Don't try to be clever and use "$import_environment" here,
> >         # it won't work: the expansion in master.cf will loop!
> >         #
> >         MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY
> >         LANG=C
> >         #
> >         # Added for Kerberos, strictly only one of these is needed
> >         # on the server and the other on the client, but it is
> >         # simpler to set both.
> >         #
> >         KRB5_KTNAME=FILE:/var/spool/keytabs/smtp
> >         KRB5CCNAME=FILE:/var/spool/tickets/smtp
>
> I thought this was working for me, but only due to a manual keytab I
> had set up as user postfix (default /tmp/krb5cc_89) for testing. For
> some reason postfix is not importing the two Kerberos variables.
> postconf only reports environment as the first line of variables
> ending with LANG=C which can also be obtained by leaving the
> import_environment out altogether:
>
> [root@smtp1 postfix]# postconf | grep environment
> export_environment = TZ MAIL_CONFIG LANG
> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
> DISPLAY LANG=C

You run postconf by hand. Therefore it shows main.cf settings.
That is to be expected when "import_environment=$krb5_import..."
is specified only for processes that are started from master.cf.

> Jul 3 21:50:28 smtp1 postfix/lmtp[19834]: warning: SASL
> authentication failure: GSSAPI Error: Unspecified GSS failure. Minor
> code may provide more information (Credentials cache file
> '/tmp/krb5cc_89' not found)
>
> I've read some old posts that say postfix is incapable of importing
> the filename with the variable. Is that true? I'm using 2.6.6 that
> comes with Red Hat.

The keytabs and tickets files are outside /var/spool/postfix. It
is to be expected that such files will not be found when CHROOT is
turned on in master.cf.

Also, UNIX file permissions or SELinux etc. policies may prevent
Postfix daemons from accessing those files.

Wietse
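
The two points raised in the reply above (the override exists only in master.cf, and a chrooted daemon cannot see files outside /var/spool/postfix) can be checked together with the following added example, which is not part of the original thread or of Postfix. The master.cf excerpt is constructed, the function names are hypothetical, and the chroot field "-" is assumed to mean "y" as in Postfix releases before 3.0.

```python
# Constructed master.cf excerpt (not from the thread).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
lmtp      unix  -       -       -       -       -       lmtp
  -o import_environment=$krb5_import_environment
relay     unix  -       -       n       -       -       smtp
"""


def parse_master_cf(text):
    """Join continuation lines; return one list of fields per service."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # leading whitespace continues
        else:
            entries.append(line.strip())
    return [e.split() for e in entries]


def check_service(text, name, stype, ccname,
                  queue_dir="/var/spool/postfix", chroot_default="y"):
    """Return chroot state, any import_environment override, and the path
    the daemon would really open for the given KRB5CCNAME value."""
    for f in parse_master_cf(text):
        if len(f) < 8 or (f[0], f[1]) != (name, stype):
            continue
        chroot = (f[4] if f[4] != "-" else chroot_default) == "y"
        override = None
        args = f[8:]
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and value.startswith("import_environment="):
                override = value.split("=", 1)[1]
        path = ccname[5:] if ccname.startswith("FILE:") else ccname
        return {
            "chroot": chroot,
            "override": override,
            # a chrooted daemon resolves paths relative to the queue directory
            "effective_path": queue_dir + path if chroot else path,
        }
    return None


if __name__ == "__main__":
    print(check_service(SAMPLE_MASTER_CF, "lmtp", "unix",
                        "FILE:/var/spool/tickets/smtp"))
```

When "chroot" is true, the ticket file has to exist at the reported effective path and be readable by the postfix user, otherwise the GSSAPI library cannot find it.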