Greetings. I have been using Postfix with Kerberos without problems for a few years. Our setup uses a DNS alias (CNAME) for the hostname. Let's call it smtp.example.com, pointing to the real hostname server.example.com.
With a default MIT Kerberos client configuration, dns_canonicalize_hostname is true. This setting [1] enables the reverse lookup to search the hostname given the alias. The Linux distribution used for our client machines is changing the default to dns_canonicalize_hostname = false. In order to not fight the distribution defaults, I am testing how to make Postfix work with the alias and DNS canonicalization disabled. Changing Dovecot was not difficult, but I have been unable to make Postfix work in this new setup.

I tried testing with an empty keytab for Postfix and the error message was:

    warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request ticket server smtp/smtp.example....@example.com not found in keytab (ticket kvno 4))

As Postfix was looking for that, I added the service smtp/smtp.example....@example.com to it. The new error message was:

    warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No key table entry found matching smtp/server.example.com@)

Notice the service name doesn't include a realm: smtp/server.example.com@

As the realm was empty, I then tried the Postfix setting named smtpd_sasl_local_domain, without any change: same error.

Dovecot has a setting named auth_gssapi_hostname [2] that allows changing the hostname used for the Kerberos service, and it allowed me to make Dovecot work in this new environment. Does Postfix have something like that? What other options for testing do I have?

Thanks in advance.

[1] https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
[2] https://wiki.dovecot.org/Authentication/Kerberos

-- 
Robert Marcano
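The first error in the message above (a ticket for the alias name that the keytab cannot satisfy) can be reproduced offline with the following added example, which is not part of the original post and is not Postfix or MIT Kerberos code. It models only the client-side name choice; the CNAME map, the realm EXAMPLE.COM and the `klist -k` listing are constructed sample data.

```python
import re

# Constructed sample data (not from the original post): a CNAME map standing in
# for DNS, and `klist -k` style output for a keytab holding only canonical names.
CNAMES = {"smtp.example.com": "server.example.com"}
REALM = "EXAMPLE.COM"  # placeholder realm, an assumption
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 smtp/server.example.com@EXAMPLE.COM
   4 imap/server.example.com@EXAMPLE.COM
"""

def keytab_principals(klist_text):
    """Return the set of principals listed in `klist -k` output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S*)\s*$", line)  # "<kvno> <principal>"
        if m:
            found.add(m.group(1))
    return found

def requested_principal(service, host, canonicalize, realm=REALM):
    """Model the service principal a client requests for service@host."""
    host = host.lower()
    if canonicalize:  # dns_canonicalize_hostname = true: follow the alias
        seen = set()
        while host in CNAMES and host not in seen:  # loop-safe CNAME walk
            seen.add(host)
            host = CNAMES[host]
    return f"{service}/{host}@{realm}"

def check(service, host, klist_text=KLIST_OUTPUT):
    """Map each canonicalization setting to (principal, present_in_keytab)."""
    keys = keytab_principals(klist_text)
    result = {}
    for canonicalize in (True, False):
        principal = requested_principal(service, host, canonicalize)
        result[canonicalize] = (principal, principal in keys)
    return result

if __name__ == "__main__":
    for setting, (principal, ok) in check("smtp", "smtp.example.com").items():
        print(f"dns_canonicalize_hostname={setting}: {principal} in keytab: {ok}")
```

Feeding it the real output of `klist -k` for the mail server's keytab shows which client setting each stored principal can serve.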