On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:

> Which is due ultimately to there not being a kerberos principal
> available.  However, if I add "start_tls = yes" (and set up the
> certificate files), then I get the same "unable to allocate TLS context"
> error.
> 
> This seems to suggest that the process can't get at the certs (or the
> keytab), but both are readable by the postfix user, and postalias su'ed
> to postfix seems to work fine.
> 
> Not sure if it's relevant, but I have the private key and the keytab
> with permissions set as follows:
> 
> chown root:hostkey <path to key>
> chmod 640 <path to key>
> 
> Where the "hostkey" group includes the postfix user.

This does not work: Postfix daemons don't run with the secondary
groups of the "postfix" user. To use a client certificate for
LDAP you must make it readable by the "postfix" user, via:

        chown postfix client-key.pem
        chmod 600 client-key.pem

The "root" user can still read if required.

-- 
        Viktor.