On Sat, Mar 01, 2025 at 08:28:08AM +0100, michael-dev via Postfix-users wrote:
> I want to set up Postfix for authentication with a relay host using GSSAPI.
>
> I'm using the configuration proposed in
> https://www.mail-archive.com/postfix-users@postfix.org/msg29041.html but am
> now looking into using KRB5_CLIENT_KTNAME instead of KRB5CCNAME, as this
> would enable me to use /etc/krb5.keytab directly (with the correct
> permissions) and get rid of the CRON job to fetch the TGT.

That's a mistake to avoid. With the cron job, each mail delivery just
reuses extant tickets, and does not need to contact the KDC in real time.
That adds latency to mail delivery, and a real-time requirement for the KDC
to be up when sending mail (which might even want to report a KDC failure).

I've not used KRB5_CLIENT_KTNAME, but I'm guessing that's a newish
environment variable that's analogous to KRB5_KTNAME.

> Sadly, this always results in the first entry of the keytab being used.

Setting a specific principal name would need to be a user configurable
Cyrus SASL property. Or some additional environment variable in the
underlying Kerberos implementation, Postfix plays no role here. I am not
aware of any Cyrus configuration that does that.

If Cyrus SASL does not pass an explicit username to GSSAPI, you might have
some luck with the "USER" environment variable, but you really should not
use a keytab, or (bad advice) use a keytab with just a single correct entry.

> Do you have any hint on how to make postfix select the proper entry of the
> keytab?

Use the KRB5CCNAME approach.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
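The cron-driven refresh recommended above, as an added example that is not code from this thread or from Postfix: it inspects the credential cache that KRB5CCNAME points at and only contacts the KDC when the TGT is missing or close to expiry, naming the principal explicitly so the first-entry-of-the-keytab problem cannot arise. Assumptions: MIT Kerberos' unlocalised `klist` timestamp format, and placeholder principal, keytab and cache paths.

```python
import datetime as dt
import re
import subprocess

# Constructed klist output (assumption: MIT default "%m/%d/%y %H:%M:%S" stamps).
SAMPLE_KLIST = """Ticket cache: FILE:/var/spool/postfix/krb5cc_postfix
Default principal: smtp/mail.example.org@EXAMPLE.ORG

Valid starting     Expires            Service principal
03/01/25 06:00:00  03/01/25 16:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""
TIME_FMT = "%m/%d/%y %H:%M:%S"
# Start and expiry stamps of the line holding the ticket-granting ticket.
TGT_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", re.M)

def parse_time(stamp):
    return dt.datetime.strptime(stamp, TIME_FMT)

def tgt_expiry(klist_output):
    """Expiry of the cached TGT, or None when the cache holds no TGT."""
    m = TGT_LINE.search(klist_output)
    return parse_time(m.group(2)) if m else None

def needs_renewal(klist_output, now, margin=dt.timedelta(hours=2)):
    """True if no TGT is cached or it expires within `margin`.
    Renewing early keeps deliveries from ever waiting on the KDC."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now < margin

def kinit_command(principal, keytab, ccache):
    """argv for a fresh TGT; the explicit principal selects the keytab entry."""
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]

def refresh(principal, keytab, ccache, now=None):
    """Cron entry point. Returns True when kinit was run.
    A failing kinit raises, so cron reports the KDC problem by mail."""
    now = now or dt.datetime.now()
    r = subprocess.run(["klist", "-c", ccache], capture_output=True, text=True)
    cached = r.stdout if r.returncode == 0 else ""  # non-zero: cache missing/expired
    if not needs_renewal(cached, now):
        return False
    subprocess.run(kinit_command(principal, keytab, ccache), check=True)
    return True

if __name__ == "__main__":  # placeholder names; adjust to the real host
    refresh("smtp/mail.example.org@EXAMPLE.ORG", "/etc/krb5.keytab",
            "/var/spool/postfix/krb5cc_postfix")
```

Point KRB5CCNAME in Postfix's environment at the same cache file the script writes, so deliveries reuse the tickets the cron job keeps fresh.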