On Mon, Jan 21, 2013 at 09:05:33PM -0500, Eric McCorkle wrote:
> I am trying to set up an LDAP-based alias table, and I want postfix to
> authenticate to LDAP using a Kerberos service principal, or at least
> using the EXTERNAL method (SSL certificate authentication).
I would recommend GSSAPI (Kerberos) if that's an option, over
EXTERNAL; key management is easier.
To use GSSAPI, arrange for a cron job that runs once an hour or so,
and executes
$ kinit -k -t FILE:/some/keytab -c FILE:/some/cred-cache principal
As Wietse points out, make sure the cred-cache is readable by the
"postfix" user ($mail_owner). Then make sure that the KRB5CCNAME
environment variable is set to point at the above credential cache
in the Postfix delivery agent, by setting:
import_environment =
... default value ...
KRB5CCNAME=FILE:/some/cred-cache
Unfortunately, Postfix does not yet support a "+= syntax" in main.cf.
--
Viktor.
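A cron wrapper for the refresh step described above, as an added example that is not part of Viktor's reply or of Postfix itself: it runs kinit from a keytab into a temporary cache, hands the file to $mail_owner and renames it into place so a delivery agent never reads a half-written cache, offers a permission check, and builds the full import_environment value by hand since main.cf has no "+=" syntax. The principal, keytab and cache paths are placeholders, and the default import_environment list is assumed to come from `postconf -dh import_environment` on the target host.

```shell
#!/bin/sh
# refresh-krb5cc.sh: hourly credential refresh for Postfix's LDAP client.
# Added example; not code from the postfix-users thread. All paths and the
# principal are hypothetical placeholders.

# Postfix cannot append to import_environment in main.cf, so the default
# list (postconf -dh import_environment) must be copied and KRB5CCNAME
# appended by hand. This prints the value to paste into main.cf.
build_import_environment() {
    default_list=$1      # e.g. "MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG ..."
    cache_name=$2        # e.g. FILE:/var/lib/postfix/krb5cc
    printf '%s KRB5CCNAME=%s\n' "$default_list" "$cache_name"
}

# Obtain a fresh TGT into a temporary cache, restrict it to $mail_owner,
# then rename it over the live cache so readers see old or new, never half.
refresh_cache() {
    principal=$1
    keytab=$2
    cache_path=$3
    owner=${4:-postfix}          # Postfix $mail_owner
    tmp="$cache_path.tmp.$$"
    kinit -k -t "FILE:$keytab" -c "FILE:$tmp" "$principal" || return 1
    chown "$owner" "$tmp" && chmod 0600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$cache_path"
}

# Check the live cache the way an operator would before trusting it:
# it exists, belongs to $mail_owner, and is not group- or world-readable
# (a TGT readable by other local users is a credential leak).
check_cache() {
    cache_path=$1
    owner=${2:-postfix}
    [ -f "$cache_path" ] || return 1
    [ -n "$(find "$cache_path" -user "$owner" ! -perm -004 ! -perm -040 2>/dev/null)" ]
}

# Invoked from cron as:
#   refresh-krb5cc.sh smtp/mail.example.com@EXAMPLE.COM \
#       /etc/postfix/ldap.keytab /var/lib/postfix/krb5cc postfix
if [ "$#" -ge 3 ]; then
    refresh_cache "$@" && check_cache "$3" "${4:-postfix}"
fi
```

The corresponding main.cf line is then the output of `build_import_environment "$(postconf -dh import_environment)" FILE:/var/lib/postfix/krb5cc`, with the cache path matching what cron passes to refresh_cache.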