I have been trying to get GSSAPI to work with postfix's smtp client. Essentially, what I already have is a postfix server that works with GSSAPI already (tested via thunderbird), and I want postfix to use this server as a relay.
I have found a couple of references:

http://permalink.gmane.org/gmane.mail.postfix.user/214560
https://groups.google.com/forum/#!msg/mailing.postfix.users/IiOwDMqklVE/aJ8nNUgpgP4J

Which essentially say, grab a keytab, set up cron to pull a ticket via said keytab, set the import_environment to include KRB5CCNAME pointing to the cache and voilà it should work.

Except, of course, for me it doesn't. I am unsure whether this is operator error or some oddity with my setup, probably the former but the latter is a small possibility.

So here is what I have:

Two RHEL 6.4 hosts running identical versions of postfix 2.6.6.

Server:
Server is tested and working with GSSAPI auth from any external source. The only oddity perhaps, is that TLS is required for auth, which I believe the smtp client should support.

Client:

    relayhost = smtp.myserver.com
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
    smtp_tls_security_level = may
    import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C KRB5CCNAME=${data_directory}/kerberos/cache

A cronjob that is working and confirmed on the client:

    @reboot kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)
    * 0-23/4 * * * kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)

I have tried relocating the cache to /var/spool/postfix/kerberos without it making a difference.

SELinux is in fact on, however there are no denial alerts and setting it to permissive doesn't solve the problem.

All messages relayed from client to server are rejected since no auth is performed.

There has to be something I am missing here. Suggestions?

-Erinn
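
A consistency check for the setup described in the message, as an added example that is not part of the original post: it compares the credential cache path that import_environment hands to the Postfix daemons with the path that the cron `kinit -c` entries refresh. The function names are hypothetical, the sample input is constructed from the settings quoted above, and it assumes `${data_directory}` is expanded in import_environment with the value `/var/lib/postfix`.

```python
import re

# Constructed sample input: the settings quoted in the message above.
IMPORT_ENV = ("MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C "
              "KRB5CCNAME=${data_directory}/kerberos/cache")
KINIT = "kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)"
CRONTAB = "@reboot " + KINIT + "\n* 0-23/4 * * * " + KINIT + "\n"
# Assumption: data_directory has this value and is expanded in import_environment.
PARAMS = {"data_directory": "/var/lib/postfix"}


def expand(value, params):
    """Expand ${name} and $name from params; unknown names are left as written."""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: params.get(m.group(1) or m.group(2), m.group(0)), value)


def ccache_for_daemons(import_env, params):
    """Return the KRB5CCNAME path handed to Postfix daemons, or None if unset."""
    for item in import_env.split():
        name, sep, val = item.partition("=")
        if name == "KRB5CCNAME" and sep:
            path = expand(val, params)
            return path[5:] if path.startswith("FILE:") else path
    return None


def ccaches_written_by_cron(crontab):
    """Return the cache paths that `kinit -c PATH` entries in a crontab write."""
    paths = set()
    for line in crontab.splitlines():
        tokens = line.split()
        if line.lstrip().startswith("#") or "kinit" not in tokens:
            continue
        paths.update(tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-c")
    return paths


def check(import_env, crontab, params):
    """Compare the cache the daemons read with the cache(s) cron refreshes."""
    reads, writes = ccache_for_daemons(import_env, params), ccaches_written_by_cron(crontab)
    return {"daemon_reads": reads, "kinit_writes": sorted(writes),
            "consistent": reads is not None and writes == {reads}}


if __name__ == "__main__":
    print(check(IMPORT_ENV, CRONTAB, PARAMS))
```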