I'm currently trying to set up a mail server with dovecot and postfix
and authentication via kerberos. Most of it is set up already, e. g.
dovecot works with SASL authentication and the GSSAPI mechanism
(kerberos, that is), and I can send mail via postfix with SASL and
the "PLAIN" mechanism. I can't get GSSAPI authentication in
postfix to work though. Here is some of my main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated reject
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

And this is a typical log:

    May 23 13:14:18 mail postfix/smtpd[23692]: connect from matthias.ipoque[172.20.0.61]
    May 23 13:14:18 mail dovecot: auth(default): gssapi(?): While processing incoming data: Miscellaneous failure
    May 23 13:14:18 mail dovecot: auth(default): gssapi(?): While processing incoming data: Unknown code krb5 230
    May 23 13:14:18 mail postfix/smtpd[23692]: warning: matthias.ipoque[172.20.0.61]: SASL GSSAPI authentication failed:
    May 23 13:14:18 mail postfix/smtpd[23692]: lost connection after AUTH from matthias.ipoque[172.20.0.61]
    May 23 13:14:18 mail postfix/smtpd[23692]: disconnect from matthias.ipoque[172.20.0.61]

> Hi,
>
> I'm currently trying to set up a mail server with dovecot and postfix
> and authentication via kerberos. Most of it is set up already, e. g.
> dovecot works with SASL authentication and the GSSAPI mechanism
> (kerberos, that is), and I can send mail via postfix with SASL and
> the "PLAIN" mechanism. I can't get GSSAPI authentication in
> postfix to work though. Here is some of my main.cf:
>
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions = permit_mynetworks
>     permit_sasl_authenticated reject
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
>

Does dovecot auth support proxying GSSAPI? One gotcha is that SMTP
clients will be trying to authenticate to "smtp/hostname@REALM", but
Dovecot's keytab likely only contains "imap/hostname@REALM". At the very
least you need both.

I have GSSAPI working with Postfix and Cyrus SASL, where the handshake
is not implemented out of process, so it is a bit easier to understand
the underlying processing.

Another possible trap is that if the authentication works, you don't
want Dovecot to negotiate a GSSAPI security layer; I don't know whether
it ever does, or whether it will correctly skip doing that with Postfix.

--
Viktor.
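
Added example (not part of the original thread): a shell check for the
keytab gotcha described in the reply above. It reads `klist -k` output
and reports which of the smtp/ and imap/ service principals are missing.
The hostname, realm and keytab path in the sample listing are
constructed, and missing_services is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list the service principals that a keytab listing lacks.
# Input on stdin: output of `klist -k` (MIT Kerberos layout).
# Real use: klist -k KEYTAB | missing_services HOST REALM smtp imap

missing_services() {
    host=$1; realm=$2; shift 2
    listing=$(cat)                      # read the whole listing once
    for svc in "$@"; do
        want="$svc/$host@$realm"
        # The principal must appear as a complete whitespace-delimited
        # field; Kerberos principal names are case-sensitive.
        if ! printf '%s\n' "$listing" |
             awk -v p="$want" '{ for (i = 1; i <= NF; i++) if ($i == p) f = 1 }
                               END { exit !f }'; then
            printf '%s\n' "$want"       # not present: report it
        fi
    done
}

# Constructed sample: a keytab that only holds the IMAP service key,
# the situation the reply warns about.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/dovecot/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 imap/mail.example.org@EXAMPLE.ORG
   3 imap/mail.example.org@EXAMPLE.ORG
EOF
}

# Prints the one principal an SMTP client would ask for but not find.
sample_listing | missing_services mail.example.org EXAMPLE.ORG smtp imap
```

An empty result means every requested service principal is in the
listing; it does not show that the keys match what the KDC holds.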