On 07/01/2013 04:13 PM, Viktor Dukhovni wrote:
> On Mon, Jul 01, 2013 at 03:18:03PM -0400, Erinn Looney-Triggs wrote:
> 
>> relayhost = smtp.myserver.com
>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
>> smtp_tls_security_level = may
>> import_environment =
>>                 MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
>>                 KRB5CCNAME=${data_directory}/kerberos/cache
> 
> This sets the ticket cache to "/var/lib/postfix/kerberos/cache"
> 
> Keep in mind that credential caches have a type, which should not
> generally be left out, use:
> 
>     KRB5CCNAME=FILE:${data_directory}/krb5_ccache
> 
>> A cronjob that is working and confirmed on the client:
>> @reboot kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)
>> * 0-23/4 * * * kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)
> 
> This places tickets in "/var/lib/postfix/cache", which is different
> from your environment, use:
> 
>     * 0-23/4 * * * kinit -c FILE:/var/lib/postfix/krb5_ccache -k -t /etc/keytabs/smtp.keytab smtp/$(uname -n)
> 
> The GSSAPI service name for SMTP is "smtp" (just like in /etc/services)
> not "SMTP".  The principal in the keytab must also be lower case.
> 
>> I have tried relocating the cache to /var/spool/postfix/kerberos without
>> it making a difference.
> 
> Postfix reads the credential cache as "postfix".  Do the cron jobs run
> as "postfix" or as "root"?
> 
>> There has to be something I am missing here. Suggestions?
> 
> Multiple problems.
> 
>     - Missing ccache type
>     - Inconsistent ccache name
>     - Possibly wrong ccache owner
>     - Wrong service name in keytab
> 

Viktor,
Thanks a lot, that fixed up a few things.

I added the ccache type in.
Spotting those ccache name differences was big.
Changed smtp to lowercase for the keytab, which it already was on the
server so, uh yeah.
The cron job was already running as postfix so things were fine there.

However, it still is not working.

Running debug_peer_list with the verbosity set to 2 against both a
Thunderbird client working with GSSAPI and the Postfix client, it
appears that GSSAPI is not even being tried by the Postfix client. It
negotiates the TLS session, is presented with GSSAPI as an auth option,
and then it just attempts to send the message (MAIL FROM etc.), whereas
the Thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).

I keep looking for some setting that I may have flipped somewhere.
smtp_sasl_auth_enable looked promising; however, it doesn't appear to be
applicable in this case.

Thanks again for the help, and let me know if you have other thoughts,

-Erinn
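As an added illustration (not part of the thread and not Postfix's own tooling), the following POSIX sh script checks the points from Viktor's list that can be verified from configuration text alone: the ccache type prefix, agreement between the KRB5CCNAME exported through import_environment and the -c argument of the cron kinit, and the case of the service principal. It also checks smtp_sasl_auth_enable, since the Postfix SMTP client only attempts AUTH when that parameter is "yes" (its documented default is "no"). The main.cf and cron samples are constructed from the values quoted above, the function names are this example's own, and the principal extraction assumes the cron line layout `kinit -c <ccache> -k -t <keytab> <principal>` used in the thread. The ccache owner check has to be run on the host itself.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: consistency check for
# the Kerberos pieces a Postfix SMTP client needs to agree on.
# Sample inputs below are constructed from the configuration quoted in the thread.

BROKEN_MAIN_CF='relayhost = smtp.myserver.com
smtp_tls_security_level = may
import_environment =
                MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
                KRB5CCNAME=/var/lib/postfix/kerberos/cache'
BROKEN_KINIT='kinit -c /var/lib/postfix/cache -k -t /etc/keytabs/smtp.keytab SMTP/$(uname -n)'

FIXED_MAIN_CF='relayhost = smtp.myserver.com
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
import_environment =
                MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
                KRB5CCNAME=FILE:/var/lib/postfix/krb5_ccache'
FIXED_KINIT='kinit -c FILE:/var/lib/postfix/krb5_ccache -k -t /etc/keytabs/smtp.keytab smtp/$(uname -n)'

# Print the value of one main.cf parameter ($2) from main.cf text ($1),
# joining Postfix-style continuation lines (lines starting with whitespace).
# Assumes the "name = value" spelling; "name=value" is not handled.
mainconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]/ { if (found) val = val " " $0; next }
        { found = 0 }
        $1 == key && $2 == "=" { found = 1; $1 = ""; $2 = ""; val = $0 }
        END { gsub(/^[ \t]+/, "", val); gsub(/[ \t]+/, " ", val); print val }'
}

# KRB5CCNAME value from an import_environment value (empty if not exported).
ccache_from_env() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed -n 's/^KRB5CCNAME=//p'
}

# The -c argument of a kinit command line.
ccache_from_kinit() {
    printf '%s\n' "$1" | sed -n 's/.*-c \([^ ]*\).*/\1/p'
}

# The principal: everything after "-t <keytab> " (assumed cron line layout).
principal_from_kinit() {
    printf '%s\n' "$1" | sed -n 's/.*-t [^ ]* //p'
}

# True when the ccache name carries a type prefix such as FILE: or DIR:.
has_ccache_type() {
    case "$1" in
        [A-Za-z]*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop the type prefix so two names can be compared as paths.
strip_type() {
    printf '%s\n' "${1#*:}"
}

# Owner of the cache file; Postfix reads it as "postfix", so it must be
# readable by that user. Only meaningful on the mail host itself.
ccache_owner() {
    if [ -e "$1" ]; then ls -ld "$1" | awk '{ print $3 }'; else echo "(absent)"; fi
}

# Print one line per inconsistency found between main.cf text ($1) and
# the cron kinit command line ($2). Prints nothing when everything agrees.
check_kerberos_setup() {
    main_cf=$1; kinit_cmd=$2
    env_cc=$(ccache_from_env "$(mainconf_get "$main_cf" import_environment)")
    kinit_cc=$(ccache_from_kinit "$kinit_cmd")
    princ=$(principal_from_kinit "$kinit_cmd")
    [ -n "$env_cc" ] || echo "KRB5CCNAME is not exported via import_environment"
    if [ -n "$env_cc" ] && ! has_ccache_type "$env_cc"; then
        echo "KRB5CCNAME lacks a ccache type prefix: $env_cc"
    fi
    has_ccache_type "$kinit_cc" || echo "kinit -c lacks a ccache type prefix: $kinit_cc"
    [ "$(strip_type "$env_cc")" = "$(strip_type "$kinit_cc")" ] ||
        echo "ccache name mismatch: Postfix reads '$env_cc', kinit fills '$kinit_cc'"
    case "$princ" in
        smtp/*) ;;
        *) echo "service principal should be lower-case smtp/<host>: $princ" ;;
    esac
    [ "$(mainconf_get "$main_cf" smtp_sasl_auth_enable)" = "yes" ] ||
        echo "smtp_sasl_auth_enable is not 'yes'; the SMTP client will not send AUTH"
    return 0
}

# Number of findings, for scripting.
finding_count() {
    check_kerberos_setup "$1" "$2" | awk 'END { print NR }'
}

echo "broken config: $(finding_count "$BROKEN_MAIN_CF" "$BROKEN_KINIT") finding(s)"
check_kerberos_setup "$BROKEN_MAIN_CF" "$BROKEN_KINIT"
echo "fixed config:  $(finding_count "$FIXED_MAIN_CF" "$FIXED_KINIT") finding(s)"
```

On a real host, feed it `postconf -n` output (via `mainconf_get`) and the crontab line of the postfix user, and compare `ccache_owner` against "postfix"; the script deliberately reports configuration disagreements rather than attempting any kinit itself.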