List members,
I am setting up submission behind HAProxy and want to use Kerberos authentication via SASL. I have set up saslauthd, configured Postfix and submission, and generated the keytab. Because I want load balancing, the keytab has to match the name of the VIP on HAProxy, not the individual hosts load balanced behind HAProxy. Usually there is a config tweak to specify a Kerberos principal that differs from the expected smtp/host.domain.tld@REALM principal, and I cannot find that tweak. The HAProxy VIP is submission.bpk2.com and the hostname is mail.bpk2.com. I want to specify that submission should use the naming convention I want, and not the expected principal. How do I set this in the configs?
Keytab contents via `klist -Kket submission.keytab`:
Keytab name: FILE:submission.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 10/30/2023 12:15:45 smtp/submission.bpk2....@bpk2.com (aes256-cts-hmac-sha1-96) (0x0...)
Thunderbird reports:
Sending of the message failed. The Kerberos/GSSAPI ticket was not accepted by the Outgoing server (SMTP) submission.bpk2.com. Please check that you are logged in to the Kerberos/GSSAPI realm.
Logs show:
Oct 30 19:57:11 mail postfix/submission/smtpd[22457]: warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No key table entry found matching smtp/mail.bpk2.com@)
Oct 30 19:57:11 mail postfix/submission/smtpd[22457]: warning: submission.bpk2.com[192.168.120.7]: SASL GSSAPI authentication failed: generic failure
Config output using `LANG=C comm -23 <(postconf -n) <(postconf -d)`:
postconf: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
broken_sasl_auth_clients = yes
compatibility_level = 3.7
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/submission.keytab
inet_interfaces = $myhostname,localhost
inet_protocols = ipv4
local_recipient_maps = $alias_maps, ldap:/etc/postfix/ldap-users.cf
mailbox_transport = lmtp:inet:lmtp.bpk2.com:24
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = bpk2.com
mynetworks = 192.168.1.0/24, 192.168.24.0/24, 192.168.88.0/24, 192.168.152.0/24, 192.168.184.0/24, 192.168.216.0/24, 192.168.248.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org, b.barracudacentral.org, bl.spamcop.net
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_upstream_proxy_protocol = haproxy
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock inet:localhost:7357
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_unknown_recipient_domain
smtpd_sasl_local_domain = $mydomain
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
Thanks in advance,
Brendan
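The log line and the keytab listing in the post together show the mismatch: the keytab holds only the VIP principal, while smtpd asked the GSSAPI library for smtp/mail.bpk2.com (the host name). The following script is an added example, not code from the post or from Postfix; it parses a `klist -Kket` listing and the smtpd GSSAPI warning and reports whether the keytab contains the principal smtpd requested. The sample listing and log line are constructed copies of the ones in the post, and the realm spelling in the sample is an assumption.

```python
import re

# Constructed sample, modelled on the (partly elided) klist listing in the post;
# the realm spelling is an assumption.
SAMPLE_KLIST = """\
Keytab name: FILE:submission.keytab
KVNO Timestamp         Principal
---- ------------------- -----------------------------------------------
   3 10/30/2023 12:15:45 smtp/submission.bpk2.com@bpk2.com (aes256-cts-hmac-sha1-96) (0x0...)
"""
# Constructed copy of the smtpd warning quoted in the post.
SAMPLE_LOG = ("Oct 30 19:57:11 mail postfix/submission/smtpd[22457]: warning: SASL "
              "authentication failure: GSSAPI Error: No credentials were supplied, or "
              "the credentials were unavailable or inaccessible (No key table entry "
              "found matching smtp/mail.bpk2.com@)")

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)(?:\s+\(([^)]*)\))?")  # kvno, date time, principal, (enctype)
REQUESTED_RE = re.compile(r"No key table entry found matching (\S+?)\)")

def parse_klist(text):
    """Parse `klist -Kket` output into a list of {kvno, principal, enctype} entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)  # header and separator lines do not start with a digit
        if m:
            entries.append({"kvno": int(m.group(1)), "principal": m.group(3),
                            "enctype": m.group(4)})
    return entries

def requested_principal(logline):
    """Extract the acceptor principal smtpd looked for from the GSSAPI warning."""
    m = REQUESTED_RE.search(logline)
    return m.group(1) if m else None

def principal_matches(wanted, have):
    """Case-insensitive service/host match; an empty realm in `wanted` matches any realm."""
    w_name, _, w_realm = wanted.partition("@")
    h_name, _, h_realm = have.partition("@")
    return w_name.lower() == h_name.lower() and (not w_realm or w_realm.lower() == h_realm.lower())

def diagnose(klist_text, logline):
    """Return (requested principal, matching keytab principals, all keytab principals)."""
    wanted = requested_principal(logline)
    have = [e["principal"] for e in parse_klist(klist_text)]
    hits = [p for p in have if wanted and principal_matches(wanted, p)]
    return wanted, hits, have

if __name__ == "__main__":
    # On the sample data the match list is empty: the keytab lacks smtp/mail.bpk2.com.
    print(diagnose(SAMPLE_KLIST, SAMPLE_LOG))
```

Run it against real `klist -Kket` output and the journal line from a failed login; an empty match list means the name the SASL library requested is not in the keytab, which is the situation the post describes.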
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org