Hello,

I want to set up a Postfix SMTP server with cyrus-sasl in GSSAPI mode. I
have two Samba4 servers in AD mode, and my clients are on Windows 10.
I removed the execution of Postfix in chroot to simplify.
I added two keytab entries in /etc/krb5.keytab: smtp/smtptest.domain.fr and
host/smtptest.domain.fr.
Currently I can authenticate with Windows credentials from a Windows client
under Thunderbird with the "normal password" settings.
But if I try to switch from LOGIN to GSSAPI (in
/etc/postfix/sasl/smtpd.conf) it doesn't work.
Client side, here is the message I see in Thunderbird: "Sending of the
message failed. The Kerberos/GSSAPI ticket was not accepted by the Outgoing
server (SMTP). Please check that you are logged in to the Kerberos/GSSAPI
realm."

And here is the output from /var/log/mail.log:

Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
master_notify: status 0
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: name_mask: resource
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: name_mask: software
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: connect from
unknown[192.168.128.253]
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: unknown: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: 192.168.128.253: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: unknown: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: 192.168.128.253: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
smtp_stream_setup: maxtime=300 enable_deadline=0
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_hostname: smtpd_client_event_limit_exceptions: unknown ~?
127.0.0.0/8
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.128.253
~? 127.0.0.0/8
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_hostname: smtpd_client_event_limit_exceptions: unknown ~?
192.168.128.0/24
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.128.253
~? 192.168.128.0/24
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 220 smtptest.domain.fr ESMTP Postfix
(Debian/GNU)
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: name_mask: noanonymous
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: <
unknown[192.168.128.253]: EHLO [172.20.4.195]
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: unknown: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
match_list_match: 192.168.128.253: no match
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-smtptest.domain.fr
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-PIPELINING
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-SIZE 10240000
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-VRFY
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-ETRN
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-STARTTLS
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-AUTH GSSAPI
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-AUTH=GSSAPI
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-ENHANCEDSTATUSCODES
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-8BITMIME
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-DSN
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250-SMTPUTF8
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 250 CHUNKING
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: warning:
unknown[192.168.128.253]: request longer than 2048: AUTH GSSAPI
YIIG8AYJKoZIhvcSAQ...
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: <
unknown[192.168.128.253]: AUTH GSSAPI
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
xsasl_cyrus_server_first: sasl_method GSSAPI, init_response
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]:
xsasl_cyrus_server_first: decoded initial response `?????*?H???????
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: warning:
SASL authentication failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Success)
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: warning:
unknown[192.168.128.253]: SASL GSSAPI authentication failed:
authentication failure
Oct  1 10:58:35 smtptest postfix/submission/smtpd[61932]: >
unknown[192.168.128.253]: 535 5.7.8 Error: authentication failed:
authentication failure
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]: smtp_get: EOF
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]:
match_hostname: smtpd_client_event_limit_exceptions: unknown ~?
127.0.0.0/8
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]:
match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.128.253
~? 127.0.0.0/8
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]:
match_hostname: smtpd_client_event_limit_exceptions: unknown ~?
192.168.128.0/24
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]:
match_hostaddr: smtpd_client_event_limit_exceptions: 192.168.128.253
~? 192.168.128.0/24
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]: lost
connection after AUTH from unknown[192.168.128.253]
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]: disconnect
from unknown[192.168.128.253] ehlo=1 auth=0/1 commands=1/2
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]:
master_notify: status 1
Oct  1 11:00:16 smtptest postfix/submission/smtpd[61932]: connection closed
Oct  1 11:01:56 smtptest postfix/submission/smtpd[61932]: idle timeout
-- exiting


Here are some settings:

klist -Kek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/smtptest.domain...@ari.int (DEPRECATED:arcfour-hmac)
(0x6c72cd7e9a4249b6fa67ca6c4624676e)
   2 smtp/smtptest.domain...@ari.int (DEPRECATED:arcfour-hmac)
(0x6c72cd7e9a4249b6fa67ca6c4624676e)
   2 smtpd/smtptest.domain...@ari.int (DEPRECATED:arcfour-hmac)
(0x6c72cd7e9a4249b6fa67ca6c4624676e)


/etc/default/saslauthd :
START=yes
DESC="SASL Auth. Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=1
OPTIONS="-c -m /var/run/saslauthd"


root@smtptest:~# saslfinger -s
saslfinger - postfix Cyrus sasl configuration lun. 20 sept. 2021 09:53:49 CEST
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 3.5.6
System: Debian GNU/Linux 11 \n \l

-- smtpd is linked to --
        libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2
(0x00007f87cfe08000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

-- listing of /usr/lib/sasl2 --
total 16
drwxr-xr-x  2 root root 4096 14 sept. 14:31 .
drwxr-xr-x 54 root root 4096  3 sept. 09:46 ..
-rw-r--r--  1 root root    4 14 sept. 14:31 berkeley_db.active
-rw-r--r--  1 root root    4  7 févr.  2021 berkeley_db.txt

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 20 sept. 09:24 .
drwxr-xr-x 5 root root 4096 17 sept. 16:43 ..
-rw-r--r-- 1 root root  160 20 sept. 09:24 smtpd.conf

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: GSSAPI
keytab: /etc/krb5.keytab
log_level: 7

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
submission inet n       -       n       -       -       smtpd -v
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

-- mechanisms on localhost --

-- end of saslfinger output --


On another server I just tested Thunderbird for GSSAPI authentication
against a GSSAPI Dovecot IMAP service and it works.

Does anyone have more ideas, or how could I get more information to get this
working? I really think I'm not far from the solution.

Thanks

Samuel
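For readers hitting the same acceptor-side failure, here is an added example (not from the post, and not Postfix or cyrus-sasl code): it parses `klist -Kek` output for the `smtp/<fqdn>@REALM` key cyrus-sasl needs for SASL service `smtp` and for principals that only carry deprecated enctypes, and it checks whether the unprivileged account smtpd runs as (assumed here to be `postfix`, the Postfix default) can actually read the keytab, since a root-only (0600) /etc/krb5.keytab is a common reason the GSSAPI acceptor fails while the same keytab works for root. The `scratch_keytab` helper builds a constructed stand-in file so the permission check can be exercised offline.

```python
"""Offline GSSAPI-acceptor checks for Postfix smtpd with cyrus-sasl (hypothetical helper, not project code)."""
import grp, os, pwd, re, stat, tempfile

# One `klist -Kek` entry: "   2 smtp/host.example.org@EXAMPLE.ORG (DEPRECATED:arcfour-hmac)"
KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+\((DEPRECATED:)?([^)]+)\)")

def parse_klist(text):
    """Map principal -> {enctype: deprecated?} from `klist -Kek` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.setdefault(m.group(1), {})[m.group(3)] = bool(m.group(2))
    return keys

def keytab_findings(klist_text, fqdn, realm):
    """Flag a missing smtp/<fqdn>@REALM key (the acceptor name for SASL service=smtp)
    and principals whose keys all use deprecated enctypes."""
    keys = parse_klist(klist_text)
    wanted = f"smtp/{fqdn}@{realm}"
    findings = [] if wanted in keys else [f"no key for {wanted} in keytab"]
    for princ, etypes in keys.items():
        if all(etypes.values()):
            findings.append(f"{princ}: only deprecated enctypes {sorted(etypes)}")
    return findings

def keytab_readable(path, uid, gids):
    """POSIX read check for a process with uid/gids: owner bits, else group bits, else other."""
    st = os.stat(path)
    if uid == 0:  # root bypasses mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def keytab_readable_by_user(path="/etc/krb5.keytab", user="postfix"):
    """Can the unprivileged account smtpd runs as (assumed: 'postfix') read the keytab?"""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return keytab_readable(path, pw.pw_uid, gids)

def scratch_keytab(mode):
    """Constructed stand-in for a keytab: temp file with `mode`; returns (path, uid, gid)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    st = os.stat(path)
    return path, st.st_uid, st.st_gid
```

On the mail server itself, `keytab_findings(open_klist_output, fqdn, realm)` takes the output of `klist -Kek /etc/krb5.keytab`, and `keytab_readable_by_user()` answers the permission question without switching users.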
