On 07/02/2013 12:03 PM, Viktor Dukhovni wrote:
> On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:
>
>> However, it still is not working.
>>
>> Running a debug_peer_list with the verbosity set to 2 against both a
>> thunderbird client working with GSSAPI and the postfix client. It
>> appears that GSSAPI is not even being tried by the postfix client. It
>> negotiates the TLS session, is presented with GSSAPI as an auth option,
>> and then it just attempts to send the message (MAIL FROM etc.). Whereas
>> the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).
>
> The destination needs to appear in the smtp_sasl_password_maps database,
> even when you're not using a password-based mechanism. This tells
> Postfix to use SASL for the destination.
>
>     [smtp.example.com]:587 gssapi:nopassword
>
> You naturally need to make sure that you've installed the GSSAPI
> plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.
>
Just for posterity, I put together a set of instructions on how to do this beginning to end here:

https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

Though it uses FreeIPA, you can easily just use straight Kerberos tools like kadmin.

Viktor, thanks again for the help.

-Erinn
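The failure mode discussed in this thread (the client sees GSSAPI offered but goes straight to MAIL FROM) can be checked offline with a small script. This is an added example, not part of the original messages or of Postfix itself; the function names, the sample `main.cf` text and the map path are constructed for illustration, and it is simplified to check only the `relayhost` next-hop form of the map key and literal mechanism names in the filter.

```python
import re

def parse_main_cf(text):
    """main.cf: '#' starts a comment line; leading whitespace continues the previous line."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (s.strip() for s in line.split("=", 1))
            params[last] = value
    return params

def gssapi_allowed(filter_value):
    """First matching pattern wins; empty filter allows all. None = table pattern, not evaluated."""
    for pat in filter(None, re.split(r"[,\s]+", filter_value.lower())):
        if pat in ("gssapi", "!gssapi"):
            return pat == "gssapi"
        if ":" in pat or pat.startswith("/"):
            return None
    return not filter_value.strip()

def check_gssapi_relay(main_cf, map_source):
    """Return the reasons the Postfix SMTP client would not attempt AUTH GSSAPI to relayhost."""
    p = parse_main_cf(main_cf)
    keys = {l.split()[0].lower() for l in map_source.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}
    problems = []
    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        problems.append("smtp_sasl_auth_enable is not yes")
    if not p.get("smtp_sasl_password_maps"):
        problems.append("smtp_sasl_password_maps is not set")
    nexthop = p.get("relayhost", "")
    if nexthop.lower() not in keys:
        problems.append(f"no password-map entry for {nexthop!r}; SASL is skipped for it")
    if gssapi_allowed(p.get("smtp_sasl_mechanism_filter", "")) is False:
        problems.append("smtp_sasl_mechanism_filter excludes gssapi")
    return problems

# Constructed sample input; the map path is a placeholder, not taken from the thread.
MAIN_CF = """\
relayhost = [smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = gssapi
"""
EMPTY_MAP = "# no destinations listed\n"
FIXED_MAP = "[smtp.example.com]:587 gssapi:nopassword\n"

if __name__ == "__main__":
    print(check_gssapi_relay(MAIN_CF, EMPTY_MAP))
    print(check_gssapi_relay(MAIN_CF, FIXED_MAP))
```

With the empty map the checker reports the missing destination entry; with the `gssapi:nopassword` entry from the quoted reply it reports nothing.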