On Wed, Nov 29, 2017 at 12:31:21AM +0100, Anvar Kuchkartaev wrote:

> Hello, I configured 2x Postfix instances which use a shared disk as mail
> storage, and they act as MX server and SMTP server at the same time. The
> first server is mx0.example.com and the second mx1.example.com, and
> smtp.example.com points to the IP addresses of both servers. The service
> principal smtp/mx0.example....@example.com is controlled by both hosts, and
> saslauthd is also configured to use the service keytab (the entire system is
> managed by FreeIPA). If I use smtp.example.com (an alias of the service
> principal) to send emails I am getting the following error:
>
> nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: GSSAPI server step 1
> nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning: SASL
> authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Request ticket server smtp/smtp.example....@example.com
> found in keytab but does not match server principal smtp/mx0.example.com@)
> nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning:
> [xxx.xxx.xxx.xxx]: SASL GSSAPI authentication failed: authentication failure
>
> If I use mx0.example.com (the primary alias of the service principal) I can
> send emails easily. Currently I am using PLAIN auth as a workaround to send
> emails. Does anyone have an idea how to solve/debug this?
The Cyrus SASL library does not support wildcard server credentials (GSS_C_NO_CREDENTIAL). Instead each SASL service must specify an explicit service name (service@host) and this must be the name for which clients obtain tickets.

IIRC Postfix passes "smtp@myhostname" to Cyrus SASL as its service name. Therefore, any given Postfix instance can only support Kerberos clients that expect to connect to the hostname that exactly matches the main.cf "myhostname" setting. The keytab file can of course be shared, and contain one entry for each Postfix instance hostname.

The "dovecot" SASL backend does not share the same limitation. So if you configure Postfix to use the "dovecot" SASL backend, you should be able to support multiple names in a single instance. My dovecot configuration has:

  auth_realms = ...
  auth_mechanisms = gssapi plain
  auth_gssapi_hostname = "$ALL"
  auth_krb5_keytab = /var/spool/keytabs/imap

That magic "$ALL" token enables wildcard credentials, the server will accept tickets for any principal name with keys in the selected keytab file.

-- 
Viktor.
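Putting the reply together as a complete configuration, as an added example that is not part of the thread: the Postfix side switches smtpd from the Cyrus backend to the Dovecot auth socket, and the Dovecot side enables the "$ALL" wildcard so that a ticket for either smtp/mx0.example.com or smtp/smtp.example.com is accepted as long as the keytab holds a key for it. The keytab path, the socket path and the realm are assumptions; the hostnames are the poster's.

```conf
# --- Postfix main.cf (added example; paths are assumptions) ---
# Use the Dovecot auth socket instead of Cyrus SASL, which can only
# serve the single name smtp@$myhostname.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Relative to queue_directory, so /var/spool/postfix/private/auth.
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# --- Dovecot conf.d/10-auth.conf (added example) ---
# Assumed realm; replace with the FreeIPA realm.
auth_realms = EXAMPLE.COM
auth_mechanisms = gssapi plain
# "$ALL": accept a ticket for any principal that has a key in the keytab,
# so smtp/mx0.example.com and smtp/smtp.example.com both work in one instance.
auth_gssapi_hostname = "$ALL"
# Assumed keytab path; it must be readable by the Dovecot auth process.
auth_krb5_keytab = /etc/dovecot/smtp.keytab

# --- Dovecot conf.d/10-master.conf (added example) ---
# The socket Postfix connects to, inside the Postfix chroot/queue directory.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

Before reloading, confirm that the keytab actually contains a key for every name clients might use, e.g. with `klist -k -t /etc/dovecot/smtp.keytab`: both smtp/mx0.example.com@EXAMPLE.COM and smtp/smtp.example.com@EXAMPLE.COM should be listed. If a name is missing from the keytab, "$ALL" cannot help, since it only widens acceptance to principals whose keys are present.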