On Wed, Aug 22, 2018 at 06:41:31PM +0200, Kacper wrote:

> On Wed, Aug 22, 2018 at 6:30 PM Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> > Why are you looking in the dovecot logs? This is a dovecot IMAP error,
> > not a Postfix smtpd(8) error...
>
> Because you said that you had GSSAPI working using dovecot sasl, so I
> configured postfix to use dovecot instead of cyrus and got the same
> kerberos error. dovecot.log had more in depth logging of sasl errors
> than mailog.

I see. What keytab file was dovecot using? That keytab file needs to include service principals (under the same names as used by clients) for both smtp and imap. Dovecot reads its keytab file as the "dovecot" user (at least on my system), and it needs to have appropriate ownership and permissions.

What client software are you testing with? Is the client sending an appropriate KRB5 mechanism GSS token?

What do you see in the client's credential cache? List sufficient detail to show the service principal name, kvno and enctype. No need to post session keys (nor keys from keytab files, just the enctypes are enough).

--
Viktor.
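
The keytab check asked about above, as an added example that is not part of the original thread: it reads a `klist -kte` listing and reports which of the smtp and imap service principals have no entry for the server's host name, printing only kvno and enctype, never key material. The host name, realm, keytab path and listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -kte <keytab>` output (MIT Kerberos layout);
# host name, realm, path, kvno and dates are made up for this example.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/22/2018 10:15:02 imap/mail.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 08/22/2018 10:15:02 imap/mail.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   2 08/20/2018 09:01:44 host/mail.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
EOF
}

# keytab_entries SERVICE HOST: read a listing on stdin and print "kvno enctype"
# for each entry whose principal is SERVICE/HOST@<any realm>.
keytab_entries() {
    awk -v want="$1/$2@" '
        $1 ~ /^[0-9]+$/ {
            # The principal is the field directly followed by "(enctype)".
            for (i = 2; i < NF; i++)
                if (index($i, want) == 1 && $(i + 1) ~ /^\(.*\)$/) {
                    enc = $(i + 1); gsub(/[()]/, "", enc)
                    print $1, enc
                }
        }'
}

# missing_services HOST SERVICE...: print each service with no keytab entry.
missing_services() {
    host=$1; shift
    listing=$(cat)
    for svc in "$@"; do
        if [ -z "$(printf '%s\n' "$listing" | keytab_entries "$svc" "$host")" ]; then
            echo "$svc"
        fi
    done
}

# Real use (keytab path is an assumption):
#   klist -kte /etc/dovecot/krb5.keytab | missing_services "$(hostname -f)" smtp imap
sample_keytab_listing | missing_services mail.example.org smtp imap   # prints: smtp
```

Running `klist -kte` as the user the SASL server runs as also exercises the ownership and permission question, since an unreadable keytab fails at that step.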