I managed to get it working after coincidentally finding a post in the
dovecot mailing list,
https://www.dovecot.org/list/dovecot/2010-October/054082.html.
It seems that postfix is truncating the GSSAPI token and one must set
line_length_limit. Setting it to something high works; however, setting
it to 2176 as the dovecot mailing list post suggests didn't work for
me. The question is: how long can a GSSAPI token be?

It's a potential bug, though, I believe. Shouldn't SASL auth tokens be
passed without modification to the SASL backend?
On Wed, Aug 22, 2018 at 7:43 PM Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>
> > On Aug 22, 2018, at 1:05 PM, Kacper <kac...@kacper.se> wrote:
> >
> > I know I should have the keytab in /etc/dovecot but I don't think it
> > makes any difference right now, seeing how GSSAPI for imap using
> > dovecot works.
>
> Using which keytab file?  What kerberos/GSSAPI-related settings do
> you have in the dovecot configuration?  If you want help you need
> to make it possible for others to see sufficient details of your
> configuration.
>
> > I'm using Thunderbird 59.9.1 on Windows 7 and Samba 4.8.3 as an AD DC/KDC.
>
> And what does "klist" report on Windows (for relevant service principals)?
> What hostname is Thunderbird configured to use?  Is this name an alias?
>
> > #ls -la /etc/dovecot/dovecot.keytab
> > -rw-rw-rw-. 1 root root 762 Aug 22 16:44 /etc/dovecot/dovecot.keytab
>
> You really should have this working mode 0600 with IMAP, and the keytab
> file not owned by root.
>
> > I have the permission set so broad just to rule out any permission problems.
>
> Some libraries don't like insecure permissions, though if this works for
> IMAP, it should (all else being equal) work equally well for SMTP.
>
> > I retested it all and added more enctypes. Same result. It's puzzling
> > though why IMAP works via GSSAPI but SMTP refuses to.
>
> Perhaps you're not looking at the right keytab file, or the client
> has stale tickets, or is using a different hostname, ...
>
> > # klist -ek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >   2 smtp/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
> >   2 smtp/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
> >   2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)
> >   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)
> >   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)
> >   2 imap/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
> >   2 imap/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
> >   2 imap/srv.mydomain.t...@mydomain.test (arcfour-hmac)
> >   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-md5)
> >   2 imap/srv.mydomain.t...@mydomain.test (des-cbc-crc)
>
> I see new enctypes here, but the same "kvno" (2) as before.  Normally,
> when keys are changed to add new enctypes the "kvno" changes.  I'd
> have expected "kvno = 3" here.  Are the AES keys new, or were they
> present all along?
>
> Change the IMAP and the SMTP keys in the KDC, drop the DES keys and
> re-create the keytab file.  Does IMAP still work?  If SMTP does not,
> is Postfix still using Dovecot authentication?  If dovecot still
> logs GSSAPI errors, perhaps the problem is on the client side,
> run "klist purge" (Windows-specific) and retry after all the changes
> above.
>
> --
>         Viktor.
>
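The thread reports that raising Postfix's line_length_limit made AUTH GSSAPI work, and asks how long a GSSAPI token can be. The script below is an added example, not code from the thread or from Postfix: it works out how long the "AUTH GSSAPI <base64>" command line gets for a given raw token size, checks the arithmetic against a real base64 encoding, and derives a line_length_limit with headroom. Postfix's default line_length_limit is 2048 bytes; a Kerberos AP-REQ issued by an AD KDC carries a PAC and is commonly larger than that once base64-encoded, which is consistent with the truncation described. The raw token sizes used are assumptions chosen for illustration, not values measured on the poster's system.

```shell
#!/bin/sh
# Added example: size an "AUTH GSSAPI <token>" line and pick a Postfix
# line_length_limit that will carry it. Not from the thread; the token
# sizes in main() are assumptions for illustration.

# Number of base64 characters produced by N raw bytes (4 chars per 3
# bytes, padded up to a multiple of 4).
b64_len() {
    echo $(( (($1 + 2) / 3) * 4 ))
}

# Length of the SMTP command line "AUTH GSSAPI " (12 chars) + base64
# token + CRLF (2 chars) for a raw token of N bytes.
auth_line_len() {
    echo $(( 12 + $(b64_len "$1") + 2 ))
}

# Smallest power-of-two limit that is at least Postfix's default (2048)
# and at least as long as the AUTH line for a token of N raw bytes.
suggested_limit() {
    need=$(auth_line_len "$1")
    limit=2048
    while [ "$limit" -lt "$need" ]; do
        limit=$(( limit * 2 ))
    done
    echo "$limit"
}

# Empirical check of b64_len(): encode N random bytes with the system
# base64 tool, strip its line wrapping, and count the characters.
measured_b64_len() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n' | wc -c | tr -d ' '
}

main() {
    # Assumed raw token sizes; a PAC-bearing AD ticket is often a few KB.
    for raw in 1000 1500 3000 6000; do
        printf 'raw=%5d base64=%5d auth_line=%5d line_length_limit=%5d\n' \
            "$raw" "$(b64_len "$raw")" "$(auth_line_len "$raw")" \
            "$(suggested_limit "$raw")"
    done
    echo "formula vs. measured for 1500 raw bytes: $(b64_len 1500) vs. $(measured_b64_len 1500)"
    echo
    echo "# apply on the Postfix host (postconf -e rewrites main.cf):"
    echo "postconf -e \"line_length_limit = $(suggested_limit 6000)\""
    echo "postfix reload"
}

main
```

The practical check is the last two printed lines: if the measured base64 length of a token the size of your real service ticket exceeds 2048 minus the 14 bytes of command framing, the default limit cannot carry the initial client response, and a value such as 4096 or 8192 is the setting to try rather than a number copied from another post.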
