On Wed, Aug 22, 2018 at 06:41:31PM +0200, Kacper wrote:

> On Wed, Aug 22, 2018 at 6:30 PM Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> > Why are you looking in the dovecot logs?  This is a dovecot IMAP error,
> > not a Postfix smtpd(8) error...
> 
> Because you said that you had GSSAPI working using dovecot sasl, so I
> configured postfix to use dovecot instead of cyrus and got the same
> Kerberos error. dovecot.log had more in-depth logging of sasl errors
> than maillog.

I see.  What keytab file was dovecot using?  That keytab file needs
to include service principals (under the same names as used by
clients) for both smtp and imap.  Dovecot reads its keytab file as
the "dovecot" user (at least on my system), and it needs to have
appropriate ownership and permissions.

What client software are you testing with?  Is the client sending
an appropriate KRB5 mechanism GSS token?  What do you see in the
client's credential cache?  List sufficient detail to show the
service principal name, kvno and enctype.  No need to post session
keys (nor keys from keytab files, just the enctypes are enough).

-- 
        Viktor.
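
The keytab checks asked about above, as an added example that is not part of the original message or of Postfix or Dovecot: it reads an MIT-format (0x0502) keytab, lists principal, kvno and enctype without ever returning key bytes, reports which of the smtp and imap service principals are absent, and checks ownership and mode. The function names and the owner-only (no group/other access) policy are assumptions made for this example.

```python
import os, stat, struct, sys

def _counted(buf, p):                      # counted_octet_string: uint16 length + data
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes; key bytes are skipped."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("expected keytab file format 0x0502")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp.decode())
        p += 8                             # skip name_type and timestamp
        kvno = buf[p]
        (enctype,) = struct.unpack_from(">H", buf, p + 1)
        _, p = _counted(buf, p + 3)        # step over the key; it is never returned
        if pos + size - p >= 4:            # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos += size
    return out

def missing_services(entries, services=("smtp", "imap")):
    """Service names that have no service/host@REALM principal in the keytab."""
    have = {name.split("/", 1)[0] for name, _, _ in entries if "/" in name}
    return [s for s in services if s not in have]

def mode_problems(path, uid):
    """Findings when the keytab is not owned by uid or is open to group/other."""
    st = os.stat(path)
    checks = [(st.st_uid != uid, f"owner uid {st.st_uid}, expected {uid}"),
              (st.st_mode & 0o077, f"mode {stat.S_IMODE(st.st_mode):o} is open to group/other")]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":                 # usage: script KEYTAB UID, UID from `id -u dovecot`
    ents = parse_keytab(open(sys.argv[1], "rb").read())
    print(ents, missing_services(ents), mode_problems(sys.argv[1], int(sys.argv[2])))
```

The kvno and enctype it prints for each service principal are the values to compare with the service ticket in the client's credential cache.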
