On 2019-06-20 at 14:26 +0200, Frank Richter via Exim-users wrote:
> after upgrading to exim-4.92 (EPEL exim-4.92-1.el6.x86_64) our gssapi
> authenticator doesn't work any more.

Debugging permissions and interactions and libraries automatically dropping access for setuid programs was such a nightmare for me when using cyrus_sasl for GSSAPI that several years ago I added the `heimdal_gssapi` authenticator to Exim.

<https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_heimdalgssapi_authenticator.html>

If you've got the Heimdal GSSAPI libraries, or an option to use something which links against those (I'm not familiar with what the EPEL builds enable, sorry) then this is the way to go. Fewer moving parts intricately tied together leads to easier debugging, and better debug logging inside Exim because Exim has more visibility into what's going on.

I use GSSAPI for the mail-server for my personal domain so tend to notice when it breaks. Unfortunately, I didn't have spare time before the 4.92 release, so didn't test in time to prevent a regression, but the 6ee110613 commit in git unbreaks the compilation failure for this authenticator.

My personal config then runs with:

    auth_gssapi:
      driver = heimdal_gssapi
      public_name = GSSAPI
      server_hostname = smtp.spodhuis.org
      server_keytab = /etc/kerberos/tabs/exim.keytab
      server_set_id = $auth1
      server_condition = ${if and{\
          {or{\
            {eqi{$auth1}{$auth2}}\
            {eqi{${sg{$auth1}{@.*}{}}}{$auth2}}\
          }}\
          {eqi{${domain:$auth1}}{spodhuis.org}}\
        }}
      server_advertise_condition = ${if and{{!def:authenticated_id}{or{\
          {INBOUND_SUBMIT_CONDITION}\
          {and{{def:tls_cipher}{!match_ip{$sender_host_address}{+relay_for_friends}}}}\
        }}} {yes}{no}}

You'd probably want to simplify the server_advertise_condition (or remove it) and adjust the spodhuis.org references in server_condition and elsewhere.

-Phil
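Added example, not part of the original message and not Exim code: a small Python model of the `server_condition` expansion above, useful for checking which identity pairs the condition accepts before adapting it to another domain. It assumes `$auth1` holds the authenticated Kerberos principal and `$auth2` the identity the client asked for; the function names, the simplified `${domain:...}` model and the `example.org` domain are illustrative placeholders.

```python
import re


def eqi(a: str, b: str) -> bool:
    """Model of Exim's eqi{}{}: case-insensitive string equality."""
    return a.lower() == b.lower()


def strip_realm(principal: str) -> str:
    """Model of ${sg{$auth1}{@.*}{}}: drop everything from the first '@'."""
    return re.sub(r"@.*", "", principal)


def address_domain(principal: str) -> str:
    """Simplified model of ${domain:$auth1} (assumption): the text after a
    single '@', or the empty string when there is no usable domain."""
    local, sep, domain = principal.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return ""
    return domain


def server_condition(auth1: str, auth2: str, domain: str) -> bool:
    """and{ or{ auth1 == auth2, local-part(auth1) == auth2 },
            domain(auth1) == configured domain }"""
    identity_ok = eqi(auth1, auth2) or eqi(strip_realm(auth1), auth2)
    realm_ok = eqi(address_domain(auth1), domain)
    return identity_ok and realm_ok


# Constructed sample inputs: (principal, requested identity)
CASES = [
    ("alice@EXAMPLE.ORG", "alice@example.org"),    # same identity, case differs
    ("alice@EXAMPLE.ORG", "alice"),                # bare local part requested
    ("alice@EXAMPLE.ORG", "bob"),                  # asks for someone else
    ("alice@OTHER.EXAMPLE", "alice"),              # principal from another realm
    ("alice", "alice"),                            # principal carries no realm
    ("alice@EXAMPLE.ORG", "alice@other.example"),  # requested id in other domain
]

if __name__ == "__main__":
    for principal, requested in CASES:
        verdict = "accept" if server_condition(principal, requested, "example.org") else "reject"
        print(f"{principal!r:24} as {requested!r:24} -> {verdict}")
```

The last clause of the condition is what ties acceptance to the site's own realm: a valid ticket from any other realm fails it regardless of the requested identity.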
