On 01/23/13 00:49, Viktor Dukhovni wrote:
> On Wed, Jan 23, 2013 at 12:33:01AM -0500, Eric McCorkle wrote:
>
>> Which is due ultimately to there not being a Kerberos principal
>> available. However, if I add "start_tls = yes" (and set up the
>> certificate files), then I get the same "unable to allocate TLS context"
>> error.
>>
>> This seems to suggest that the process can't get at the certs (or the
>> keytab), but both are readable by the postfix user, and postalias su'ed
>> to postfix seems to work fine.
>>
>> Not sure if it's relevant, but I have the private key and the keytab
>> with permissions set as follows:
>>
>> chown root:hostkey <path to key>
>> chmod 640 <path to key>
>>
>> Where the "hostkey" group includes the postfix user.
>
> This does not work, Postfix daemons don't run with the secondary
> groups of the "postfix" user. To use a client certificate for
> LDAP you must make it readable by the "postfix" user, via:
>
> chown postfix client-key.pem
> chmod 600 client-key.pem
>
> The "root" user can still read if required.
>
Well, then that would be the cause. I'll check it out, but in the meantime, thanks for the help!
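The point Viktor makes above is easy to get wrong, because an interactive `su postfix` keeps the user's supplementary groups while the daemons do not, so a manual test passes and the daemon still fails. The following is an added example, not code from this thread or from Postfix, that models the kernel's read check with and without supplementary groups and audits a key file against the "owned by postfix, mode 600" rule. The uid/gid numbers are constructed for the demonstration.

```python
import os
import stat


def readable_by(file_uid, file_gid, mode, proc_uid, proc_gid, supp_gids=()):
    """Model the Unix read permission check for a process.

    `supp_gids` is the process's supplementary group list. Pass an empty
    tuple to model a Postfix daemon, which (as the thread explains) runs
    without the secondary groups of the "postfix" user.
    """
    if proc_uid == 0:
        return True  # root bypasses DAC read checks
    if file_uid == proc_uid:
        return bool(mode & stat.S_IRUSR)  # owner class is used, group bits ignored
    if file_gid == proc_gid or file_gid in supp_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_key_stat(file_uid, mode, daemon_uid):
    """Return a list of findings for a private key the daemon must read.

    Expected state, per the thread: owned by the daemon user, mode 0600.
    An empty list means the file passes.
    """
    findings = []
    if file_uid != daemon_uid:
        findings.append("owner uid %d != daemon uid %d" % (file_uid, daemon_uid))
    extra = stat.S_IMODE(mode) & 0o077
    if extra:
        findings.append("group/other permission bits set: %03o" % extra)
    return findings


def audit_key_file(path, daemon_uid):
    """Run audit_key_stat against a real file on disk."""
    st = os.stat(path)
    return audit_key_stat(st.st_uid, st.st_mode, daemon_uid)


# Constructed ids for the demonstration (not real system values).
ROOT_UID, POSTFIX_UID, POSTFIX_GID, HOSTKEY_GID = 0, 100, 100, 200


def demo():
    # Case 1: root:hostkey 0640, hostkey containing postfix as a secondary group.
    via_su = readable_by(ROOT_UID, HOSTKEY_GID, 0o640,
                         POSTFIX_UID, POSTFIX_GID, supp_gids=(HOSTKEY_GID,))
    as_daemon = readable_by(ROOT_UID, HOSTKEY_GID, 0o640,
                            POSTFIX_UID, POSTFIX_GID, supp_gids=())
    # Case 2: postfix-owned, 0600, as Viktor recommends.
    fixed = readable_by(POSTFIX_UID, POSTFIX_GID, 0o600,
                        POSTFIX_UID, POSTFIX_GID, supp_gids=())
    return via_su, as_daemon, fixed


if __name__ == "__main__":
    su_ok, daemon_ok, fixed_ok = demo()
    print("root:hostkey 0640 readable via su postfix:", su_ok)
    print("root:hostkey 0640 readable by daemon     :", daemon_ok)
    print("postfix 0600 readable by daemon           :", fixed_ok)
    print("audit of root:hostkey 0640:", audit_key_stat(ROOT_UID, 0o640, POSTFIX_UID))
```

`demo()` returns `(True, False, True)`: the group-based layout works under `su` and fails in the daemon, while the owner-based layout works in both. `audit_key_file(path, uid)` can be pointed at the real key path to flag the same mismatch before the LDAP client ever tries to load it.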