I managed to get it working after coincidentally finding a post in the dovecot mailing list, https://www.dovecot.org/list/dovecot/2010-October/054082.html. It seems that postfix is truncating the GSSAPI token and one must set line_length_limit. Setting it to something high works, however setting it to 2176 as the dovecot mailing list post suggests didn't work for me. The question is how long can a GSSAPI token be?
It's a potential bug though I believe. Shouldn't SASL auth tokens be passed without modification to the SASL backend?

On Wed, Aug 22, 2018 at 7:43 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > On Aug 22, 2018, at 1:05 PM, Kacper <kac...@kacper.se> wrote:
> >
> > I know I should have the keytab in /etc/dovecot but I don't think it
> > makes any difference right now, seeing how GSSAPI for imap using
> > dovecot works.
>
> Using which keytab file? What kerberos/GSSAPI-related settings do
> you have in the dovecot configuration? If you want help you need
> to make it possible for others to see sufficient details of your
> configuration.
>
> > I'm using Thunderbird 59.9.1 on Windows 7 and Samba 4.8.3 as an AD DC/KDC.
>
> And what does "klist" report on Windows (for relevant service principals)?
> What hostname is Thunderbird configured to use? Is this name an alias?
>
> > #ls -la /etc/dovecot/dovecot.keytab
> > -rw-rw-rw-. 1 root root 762 Aug 22 16:44 /etc/dovecot/dovecot.keytab
>
> You really should have this working mode 0600 with IMAP, and the keytab
> file not owned by root.
>
> > I have the permission set so broad just to rule out any permission problems.
>
> Some libraries don't like insecure permissions, though if this works for
> IMAP, it should (all else being equal) work equally well for SMTP.
>
> > I retested it all and added more enctypes. Same result. It's puzzling
> > though why IMAP works via GSSAPI but SMTP refuses to.
>
> Perhaps you're not looking at the right keytab file, or the client
> has stale tickets, or is using a different hostname, ...
>
> > # klist -ek /etc/dovecot/dovecot.keytab
> > Keytab name: FILE:/etc/dovecot/dovecot.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    2 smtp/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
> >    2 smtp/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
> >    2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)
> >    2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)
> >    2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)
> >    2 imap/srv.mydomain.t...@mydomain.test (aes256-cts-hmac-sha1-96)
> >    2 imap/srv.mydomain.t...@mydomain.test (aes128-cts-hmac-sha1-96)
> >    2 imap/srv.mydomain.t...@mydomain.test (arcfour-hmac)
> >    2 imap/srv.mydomain.t...@mydomain.test (des-cbc-md5)
> >    2 imap/srv.mydomain.t...@mydomain.test (des-cbc-crc)
>
> I see new enctypes here, but the same "kvno" (2) as before. Normally,
> when keys are changed to add new enctypes the "kvno" changes. I'd
> have expected "kvno = 3" here. Are the AES keys new, or were they
> present all along?
>
> Change the IMAP and the SMTP keys in the KDC, drop the DES keys and
> re-create the keytab file. Does IMAP still work? If SMTP does not,
> is Postfix still using Dovecot authentication? If dovecot still
> logs GSSAPI errors, perhaps the problem is on the client side,
> run "klist purge" (Windows-specific) and retry after all the changes
> above.
>
> --
> Viktor.
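The mechanism behind the fix in this thread is that the SASL GSSAPI exchange over SMTP puts the entire base64-encoded Kerberos token on one `AUTH GSSAPI` line, and Postfix's `line_length_limit` (default 2048) chops lines longer than that before they reach the SASL backend; a fixed value like 2176 only works if the client's token happens to be small enough. The following is an added example, not code from the thread or from Postfix or Dovecot: it builds a constructed GSS-API initial context token of a chosen size (RFC 2743 framing with the Kerberos mechanism OID around a zero-filled body, not a real AP-REQ), forms the SMTP line, parses the framing back to detect a truncated token, and computes the smallest `line_length_limit` a token of that size needs. The assumption that the CRLF terminator does not count toward the limit is mine, so treat the computed minimum as a floor and leave headroom.

```python
import base64
import math

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value), per RFC 4121 and RFC 4178.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "krb5",   # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06062b0601050502"): "spnego",        # 1.3.6.1.5.5.2 (SPNEGO)
}
AUTH_PREFIX = "AUTH GSSAPI "       # SASL client-initial-response form over SMTP (RFC 4954)
POSTFIX_DEFAULT_LIMIT = 2048       # Postfix line_length_limit default


def der_length(n):
    """Encode a DER length: short form below 0x80, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def build_sample_token(inner_len):
    """Constructed sample, not a real ticket: RFC 2743 InitialContextToken framing
    (0x60, length, mech OID) around the Kerberos TOK_ID 01 00 and a zero-filled body
    standing in for the AP-REQ. Only the sizes matter for the line-length question."""
    krb5_oid = next(oid for oid, name in MECH_OIDS.items() if name == "krb5")
    body = krb5_oid + b"\x01\x00" + bytes(inner_len)
    return b"\x60" + der_length(len(body)) + body


def parse_initial_token(token):
    """Identify the mechanism and sizes of a GSS-API initial context token;
    a token chopped by a line-length limit fails the outer length check."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (expected APPLICATION 0 tag 0x60)")
    body_len, pos = parse_der_length(token, 1)
    if pos + body_len != len(token):
        raise ValueError("token length field does not match token size (truncated?)")
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID after the outer length")
    oid_len, oid_start = parse_der_length(token, pos + 1)
    oid = token[pos:oid_start + oid_len]
    return {
        "mech": MECH_OIDS.get(oid, "unknown"),
        "token_len": len(token),
        "inner_len": len(token) - oid_start - oid_len,
    }


def smtp_auth_line(token):
    """The single SMTP line that carries the whole base64 token (CRLF not included)."""
    return AUTH_PREFIX + base64.b64encode(token).decode("ascii")


def token_from_auth_line(line):
    """Inverse of smtp_auth_line; validate=True rejects a line cut mid-quantum."""
    if not line.startswith(AUTH_PREFIX):
        raise ValueError("not an AUTH GSSAPI line")
    return base64.b64decode(line[len(AUTH_PREFIX):], validate=True)


def min_line_length_limit(token_len):
    """Characters the AUTH line needs for a raw token of token_len bytes
    (base64 turns every 3 bytes into 4 chars). Assumption: the CRLF
    terminator is not counted against line_length_limit; allow headroom."""
    return len(AUTH_PREFIX) + 4 * math.ceil(token_len / 3)


def fits_line_limit(line, limit):
    return len(line) <= limit


if __name__ == "__main__":
    token = build_sample_token(1800)   # constructed size, chosen to exceed the default limit
    line = smtp_auth_line(token)
    print(parse_initial_token(token))
    for limit in (POSTFIX_DEFAULT_LIMIT, 2176):
        state = "ok" if fits_line_limit(line, limit) else "TRUNCATED"
        print(f"line_length_limit={limit}: {state}")
    print("minimum line_length_limit:", min_line_length_limit(len(token)))
```

Running it shows why 2176 is not a universal answer: the 1817-byte sample token needs a 2436-character line, and the truncated copy at 2048 or 2176 characters either fails base64 decoding or fails the outer DER length check, which is the kind of garbage the SASL backend would see. The right value depends on the largest token your clients send (tickets issued by an AD KDC carry a PAC and are correspondingly larger), so measure with a real client and leave margin rather than copying a number from a mailing list.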