Dovecot SASL and GSSAPI (IPA)

Manuel Delgado manuel.delgado at ucr.ac.cr
Mon Dec 14 15:10:05 UTC 2015


Hi Ranbir

This is more of a postfix question, but I have done these configs before in a
BETA-Lab and it's a real pain. I'll be glad to help if I can.

In my environment I had postfix directly authenticating SASL with the IPA
server (FreeIPA) using Cyrus SASL libs. In IPA the service must be
registered with principal smtp/HOSTNAME.

##
# /etc/postfix/sasl/smtpd.conf
##
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN


##
# /etc/default/saslauthd
##
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Regards,

Manuel Delgado

-----------------------------------------------------------
*Linux User* *#520940 <http://counter.li.org/>*

M.Sc. in Computing and Informatics
Universidad de Costa Rica
Centro de Informática



On Sun, Dec 13, 2015 at 11:21 AM, Ranbir <m3freak at thesandhufamily.ca> wrote:

> Hi Everyone,
>
> I'm currently using dovecot SASL in postfix and passwd-file in dovecot
> for authenticating my users. I want to switch to using IPA instead.
>
> I have both the postfix (mailman01) and dovecot (mailman02) servers
> joined to the IPA domain. I have GSSAPI working in dovecot for IMAP.
> But, the SASL GSSAPI authentication in postfix fails with this error:
>
> warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:
>
> This is what dovecot logs:
>
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected
> (pid=0)
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1
>  GSSAPI  service=smtp    nologin lip=10.200.9.14 rip=10.200.5.100
> secured resp=<hidden>
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100):
> Obtaining credentials for smtp at mailman02.theinside.rnr
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While
> processing incoming data: Unspecified GSS failure.  Minor code may provide
> more information
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While
> processing incoming data: Wrong principal in request
> Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
>
> I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf
> file to "mailman02.theinside.rnr", but I get the same errors in dovecot
> and postfix.  Right now the config in postfix looks like this:
>
> import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
> smtpd_sasl_local_domain = mailman01.theoutside.rnr
>
> Does what I'm trying to do make sense? If so, how do I fix it? Do I
> have to stop using dovecot sasl in postfix and switch to cyrus sasl?
>
>
> --
> Ranbir
>

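An added example, not part of either message above: a small triage script that correlates the Dovecot auth debug lines from the quoted log by request id and remote IP, and reports GSSAPI requests rejected with "Wrong principal in request" together with the principal the acceptor obtained credentials for. The function names are hypothetical and the sample log is constructed from the quoted excerpt.

```python
import re

# Constructed sample: the Dovecot auth lines quoted in the message above, with
# mail-client wrapping undone. The archive's "smtp at host" spelling is kept.
SAMPLE_LOG = """\
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp at mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure.  Minor code may provide more information
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
"""

AUTH_IN = re.compile(r"client in: AUTH\s+(\d+)\s+(\S+)\s+(.*)$")
GSS_LINE = re.compile(r"gssapi\(([^,]*),([^)]+)\): (.*)$")
CREDS = re.compile(r"Obtaining credentials for (\S+?)(?:@| at )(\S+)")
RESULT = re.compile(r"client passdb out: (OK|FAIL|CONT)\s+(\d+)")

def parse_auth_log(text):
    """Correlate AUTH requests, gssapi() messages and results by id and rip."""
    by_id, by_rip = {}, {}
    for line in text.splitlines():
        if m := AUTH_IN.search(line):
            fields = dict(f.split("=", 1) for f in m.group(3).split() if "=" in f)
            req = {"id": m.group(1), "mech": m.group(2),
                   "service": fields.get("service"), "rip": fields.get("rip"),
                   "acceptor": None, "errors": [], "result": None}
            by_id[req["id"]] = req
            by_rip[req["rip"]] = req  # latest request seen from this client
        elif (m := GSS_LINE.search(line)) and m.group(2) in by_rip:
            req = by_rip[m.group(2)]
            if c := CREDS.search(m.group(3)):
                # Principal the acceptor (Dovecot) loaded from its keytab
                req["acceptor"] = f"{c.group(1)}@{c.group(2)}"
            else:
                req["errors"].append(m.group(3).split(": ", 1)[-1])
        elif m := RESULT.search(line):
            if m.group(2) in by_id:
                by_id[m.group(2)]["result"] = m.group(1)
    return list(by_id.values())

def principal_mismatches(requests):
    """Failed GSSAPI requests whose ticket named a different service principal."""
    return [r for r in requests if r["mech"] == "GSSAPI" and r["result"] == "FAIL"
            and "Wrong principal in request" in r["errors"]]

if __name__ == "__main__":
    for r in principal_mismatches(parse_auth_log(SAMPLE_LOG)):
        print(f"rip={r['rip']} service={r['service']} acceptor={r['acceptor']}: {r['errors'][-1]}")
```

The reported acceptor principal is the value to compare against the service ticket the client actually requested and against the entries in the keytab the auth process reads.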
