On 01/23/13 00:51, Eric McCorkle wrote:
> On 01/23/13 00:49, Viktor Dukhovni wrote:
>> On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:
>>
>>> Which is due ultimately to there not being a kerberos principal
>>> available. However, if I add "start_tls = yes" (and set up the
>>> certificate files), then I get the same "unable to allocate TLS context"
>>> error.
>>>
>>> This seems to suggest that the process can't get at the certs (or the
>>> keytab), but both are readable by the postfix user, and postalias su'ed
>>> to postfix seems to work fine.
>>>
>>> Not sure if it's relevant, but I have the private key and the keytab
>>> with permissions set as follows:
>>>
>>> chown root:hostkey <path to key>
>>> chmod 640 <path to key>
>>>
>>> Where the "hostkey" group includes the postfix user.
>>
>> This does not work, Postfix daemons don't run with the secondary
>> groups of the "postfix" user. To use a client certificate for
>> LDAP you must make it readable by the "postfix" user, via:
>>
>> chown postfix client-key.pem
>> chmod 600 client-key.pem
>>
>> The "root" user can still read if required.
>>
>
> Well, then that would be the cause. I'll check it out, but in the meantime,
> thanks for the help!
Yep, that did it. Thanks.
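The permission problem in this thread comes down to whether the process evaluating the key file carries the user's supplementary groups or not. The following is an added example (not code from the thread or from Postfix) that models a Unix read check both ways and applies it to the two layouts discussed above; the uid/gid numbers are constructed, and `check_path` is a hypothetical helper for running the same check against a real file's `stat` data.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Process identity: uid, primary gid, and optional supplementary gids."""
    uid: int
    primary_gid: int
    supplementary_gids: frozenset = frozenset()


def can_read(mode: int, owner_uid: int, owner_gid: int,
             who: Identity, use_supplementary: bool) -> bool:
    """Unix read-permission check; root always passes (as the thread notes)."""
    if who.uid == 0:
        return True
    if who.uid == owner_uid:                  # owner bits decide
        return bool(mode & stat.S_IRUSR)
    groups = {who.primary_gid}
    if use_supplementary:                     # an interactive su/shell has these
        groups |= set(who.supplementary_gids)
    if owner_gid in groups:                   # group bits decide
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)          # otherwise "other" bits


def check_path(path: str, who: Identity, use_supplementary: bool) -> bool:
    """Hypothetical helper: apply can_read to a real file's ownership/mode."""
    st = os.stat(path)
    return can_read(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    who, use_supplementary)


# Constructed ids: postfix user/group plus a separate "hostkey" group.
ROOT_UID, POSTFIX_UID, POSTFIX_GID, HOSTKEY_GID = 0, 125, 125, 300
postfix = Identity(POSTFIX_UID, POSTFIX_GID, frozenset({HOSTKEY_GID}))


def thread_check():
    """Returns (su'ed shell, postfix daemon, fixed layout) readability."""
    shell_ok = can_read(0o640, ROOT_UID, HOSTKEY_GID, postfix, True)   # root:hostkey 640
    daemon_ok = can_read(0o640, ROOT_UID, HOSTKEY_GID, postfix, False)  # same file, no suppl. groups
    fixed_ok = can_read(0o600, POSTFIX_UID, POSTFIX_GID, postfix, False)  # postfix-owned 600
    return shell_ok, daemon_ok, fixed_ok
```

`thread_check()` reproduces the thread: the su'ed `postalias` test succeeds, the daemon fails on the same file, and the postfix-owned 0600 key works for the daemon while root can still read it.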