I have a Postfix postfix-3.5.8 installation on EL8 which I just recently upgraded from 2.10.1 on EL7.

The installation is configured to authenticate with GSSAPI and accordingly has:

    import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

defined in main.cf. The /etc/postfix/smtp.keytab file is of course valid and all of this worked just fine on 2.10.1 on EL7.

But now on postfix-3.5.8, smtpd seems to be ignoring the "KRB5_KTNAME=/etc/postfix/smtp.keytab" environment setting and is trying to use the default /etc/krb5.keytab, as is reported by strace'ing the smtpd process:

    3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
    3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

The KRB5_KTNAME environment variable is functional on the version of Kerberos installed on the machine, however, as demonstrated by:

    # KRB5_KTNAME=/etc/postfix/smtp.keytab klist -k
    Keytab name: FILE:/etc/postfix/smtp.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 smtp/server.example....@example.com

As you can see on the second line of output above, it is indeed using the file location defined by the KRB5_KTNAME env. var.

It's almost as if the smtpd executable is clearing the environment before it gets to processing the GSSAPI authentication. That's just a theory though.

Any ideas why this would have been working on 2.10.1 but is now not working on 3.5.8?

Cheers,
b.