On Thu, Aug 17, 2017 at 11:24:44AM -0400, Robert Marcano wrote:

> > And let dovecot handle GSSAPI authentication also for Postfix. I
> > have:
> >
> > dovecot.conf:
> > auth_mechanisms = gssapi plain
> > auth_gssapi_hostname = "$ALL"
> > auth_krb5_keytab = /var/spool/keytabs/imap
>
> Thank you very much for the detailed explanation. I will try first with the
> Postfix -> Dovecot authentication. In our case they are always running side
> by side.

You were probably a bit lucky with that question. The number of people reading this list (and perhaps more generally on planet Earth) with sufficient knowledge of all the below to answer your question is rather small, it was a bit of a fluke that I'm involved in Postfix development, Heimdal development, MIT Kerberos, use Dovecot, and have had to support the Cyrus SASL code at a previous employer.

* Postfix internals
* Cyrus SASL internals
* GSSAPI internals
* Dovecot auth interface

Combining all the above makes for a somewhat exotic configuration. Support for wildcard acceptor principal names is a long-standing missing feature of Cyrus SASL. Perhaps I should have been more ambitious in the past to try to get that changed upstream...

--
Viktor.