Postfix + saslauthd SASL With Kerberos (FreeIPA) unable to send mail

Anvar Kuchkartaev anvar at anvartay.com
Tue Oct 3 15:33:21 EEST 2017


I just resolved the issue by changing the hostname in the client configuration. 
Saslauthd cannot authenticate with gssapi if I use a secondary kerberos 
principal service alias. I changed smtp.aegisnet.eu to mx0.aegisnet.eu 
(mx0.aegisnet.eu is the primary kerberos principal alias of the service name) as 
the outgoing server (the dovecot instance with imap is working fine with service 
aliases) and saslauthd began to work.


On 03/10/17 13:20, Anvar Kuchkartaev wrote:
> The dovecot instance is set up with the auth_realms and auth_default_realm 
> variables and it is working well. In the saslauthd configuration, setting 
> the same variables gives a configuration parsing error (I think it is not 
> the right way to configure the kerberos realm in saslauthd). However, 
> testsaslauthd works without any problems even if I don't specify the 
> realm parameter from the command line.
>
>
> On 03/10/17 06:17, Trever L. Adams wrote:
>> On 10/02/2017 07:00 PM, Anvar Kuchkartaev wrote:
>>> Hello, I just finished setting up FreeIPA with Dovecot + Postfix + 
>>> Saslauthd. I can easily access mail using imap via dovecot with 
>>> gssapi authentication, and postfix is also delivering mail very well. 
>>> But I cannot send email from postfix using gssapi authentication 
>>> (plain and login authentication are working fine) because saslauthd is 
>>> not specifying the realm when requesting service from the freeipa domain.
>>>
>>> warning: SASL authentication failure: GSSAPI Error: Unspecified GSS 
>>> failure.  Minor code may provide more information (No key table 
>>> entry found matching smtp/mx0.aegisnet.eu@)
>>>
>>> The right form of the request is smtp/mx0.aegisnet.eu@AEGISNET.EU
>>>
>>> I googled a lot but couldn't find any solution to this problem. 
>>> How do I configure saslauthd so that it will use the realm to contact 
>>> freeipa?
>>>
>>> Best Regards...
>>>
>> You may need to consider setting auth_realms and/or auth_default_realm.
>> I saw something similar without such being set.
>>
>> Trever
>>
>>




