OK, gentlemen.
I have found the source of problem. It appears to be very unexpectedly.
My testing stand was deployed on a OpenVZ-bazed virtual machine with Venet interface on board. Here are references to OpenVZ documentation: http://wiki.openvz.org/Virtual_network_device http://wiki.openvz.org/Differences_between_venet_and_veth
By design venet interface coressponds to a loopback interface with one or more aliases and very foxy routing rules. For example, in Debian it looks like this:
************** ifconfig output **************** lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:956 errors:0 dropped:0 overruns:0 frame:0 TX packets:956 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:134666 (131.5 KiB) TX bytes:134666 (131.5 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1 RX packets:160164 errors:0 dropped:0 overruns:0 frame:0 TX packets:106318 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:155480098 (148.2 MiB) TX bytes:17449831 (16.6 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:192.168.9.36 P-t-P:192.168.9.36 Bcast:0.0.0.0 Mask:255.255.255.255 UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
In config file it looks like this:
*********** /etc/network/interfaces ********* # Auto generated lo interface auto lo iface lo inet loopback
# Auto generated venet0 interface auto venet0 iface venet0 inet manual up ifconfig venet0 up up ifconfig venet0 0 up route add default dev venet0 down route del default dev venet0 down ifconfig venet0 down
iface venet0 inet6 manual
auto venet0:0 iface venet0:0 inet static address 192.168.9.36 netmask 255.255.255.255
For most cases such type of emulation works fine. But this time either krb5 libs, or dovecot, or someone else could not correctly define hostname. So, someone of them (I beleive than krb5 libs) was unable to compare proper IP with the proper stanza in keytab. And neither explicit "listen" nor "auth_gssapi_hostname" directives became helpful.
So, I changed equipped emulated interface from "Venet" to more "brute" Veth, and everything flies up.
Thank you all very much for such an interesting discussion. I shall describe this situation in my howto's and known issues archive, for others.
In other words, my trouble is totally OpenVZ-specific. So, I may pretend to be the first who bumped into it.
And then, there is a second question.
Can there be a way to continue using this crafty venet interface, but force krb5 libs to look up for desired IP ?
Respectfully, Stanislav Klinkov.