Hello,

the listing of “lib/sasl2 total 16” does not seem to contain the GSSAPI and GS2 .so plugins (but does not show the opposite either). You do not state whether "telnet host 25\nEHLO xx" prints GSSAPI as AUTH mechanism. This shall be independent of whether postfix consumes the Kerberos tickets or not.

I propose you run postfix under strace and make sure that it has read the keytab files and has the rights to read them.

If you have configured other services with GSSAPI, e.g. IMAP, but have problems with Postfix, you should ask at the postfix mailing lists.

Greetings
  Дилян

On Mon, 2021-09-20 at 04:08 -0400, sr42354@xxxxxxxxx wrote:
> Hello,
>
> I want to set up a Postfix SMTP server with cyrus-sasl in GSSAPI
> mode. I have two Samba4 servers in AD mode, and my clients are in
> windows 10.
> I removed the execution of Postfix in chroot to simplify.
> I added two keytab in /etc/krb5.keytab smtp/smtptest.domain.fr and
> host/smtptest.domain.fr
> Currently I can authenticate with windows credentials from a windows
> client under Thunderbird with the "normal password" settings.
> But if I try to switch from LOGIN to GSSAPI ( in
> /etc/postfix/sasl/smtpd.conf ) it doesn't work, here is the message
> in Thunderbird ( Sending of the message failed.
> The Kerberos/GSSAPI ticket was not accepted by the Outgoing server
> (SMTP). Please check that you are logged in to the Kerberos/GSSAPI
> realm.)
>
> Here are some settings :
>
> klist -k -t /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 16/09/2021 16:00:44 host/smtptest.domain.fr@xxxxxxx
>    2 16/09/2021 16:28:14 smtp/smtptest.domain.fr@xxxxxxx
>    2 20/09/2021 09:19:41 smtpd/smtptest.domain.fr@xxxxxxx
>
> /etc/default/saslauthd :
> START=yes
> DESC="SASL Auth. Daemon"
> NAME="saslauthd"
> MECHANISMS="kerberos5"
> MECH_OPTIONS=""
> THREADS=1
> OPTIONS="-c -m /var/run/saslauthd"
>
> root@smtptest:~# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration lun. 20 sept. 2021 09:53:49 CEST
> version: 1.0.4
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 3.5.6
> System: Debian GNU/Linux 11 \n \l
>
> -- smtpd is linked to --
>         libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f87cfe08000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_security_level = may
>
> -- listing of /usr/lib/sasl2 --
> total 16
> drwxr-xr-x  2 root root 4096 14 sept. 14:31 .
> drwxr-xr-x 54 root root 4096  3 sept. 09:46 ..
> -rw-r--r--  1 root root    4 14 sept. 14:31 berkeley_db.active
> -rw-r--r--  1 root root    4  7 févr.  2021 berkeley_db.txt
>
> -- listing of /etc/postfix/sasl --
> total 12
> drwxr-xr-x 2 root root 4096 20 sept. 09:24 .
> drwxr-xr-x 5 root root 4096 17 sept. 16:43 ..
> -rw-r--r-- 1 root root  160 20 sept. 09:24 smtpd.conf
>
> -- content of /etc/postfix/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: GSSAPI
> keytab: /etc/krb5.keytab
> log_level: 7
>
> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (no)    (never) (100)
> submission inet n       -       n       -       -       smtpd -v
>   -o syslog_name=postfix/submission
>   -o smtpd_sasl_auth_enable=yes
> pickup    unix  n       -       y       60      1       pickup
> cleanup   unix  n       -       y       -       0       cleanup
> qmgr      unix  n       -       n       300     1       qmgr
> tlsmgr    unix  -       -       y       1000?   1       tlsmgr
> rewrite   unix  -       -       y       -       -       trivial-rewrite
> bounce    unix  -       -       y       -       0       bounce
> defer     unix  -       -       y       -       0       bounce
> trace     unix  -       -       y       -       0       bounce
> verify    unix  -       -       y       -       1       verify
> flush     unix  n       -       y       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       y       -       -       smtp
>         -o syslog_name=postfix/$service_name
> showq     unix  n       -       y       -       -       showq
> error     unix  -       -       y       -       -       error
> retry     unix  -       -       y       -       -       error
> discard   unix  -       -       y       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       y       -       -       lmtp
> anvil     unix  -       -       y       -       1       anvil
> scache    unix  -       -       y       -       1       scache
> postlog   unix-dgram n  -       n       -       1       postlogd
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> uucp      unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail    unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix - n      n       -       2       pipe
>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
> mailman   unix  -       n       n       -       -       pipe
>   flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
>
> -- mechanisms on localhost --
>
> -- end of saslfinger output --
>
> If anyone can help me....
> Thanks in advance.
> Samuel

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/T1e24816c0d686c81-M4ac7c620fe9cae56bdb15e70
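
Added example, not part of the original messages or of Postfix/Cyrus SASL: the three checks the reply asks for (GSSAPI/GS2 plugin present, GSSAPI advertised after EHLO, keytab readable by the daemon) as small shell functions. The function names, the sample EHLO replies and the "postfix" runtime user are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all sample data is constructed, not taken from the poster's host.

# Print the SASL mechanisms in an EHLO reply read from stdin, one per line.
# Matches "250-AUTH A B", "250 AUTH A B" and the "250-AUTH=A B" line Postfix
# adds when broken_sasl_auth_clients = yes (as in the saslfinger output above).
ehlo_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Succeed if GSSAPI is among the mechanisms in the EHLO reply on stdin.
advertises_gssapi() {
    ehlo_mechs | grep -qx 'GSSAPI'
}

# Succeed if DIR contains a Cyrus SASL GSSAPI or GS2 plugin.
has_gssapi_plugin() {
    for f in "$1"/libgssapiv2.so* "$1"/libgs2.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Succeed if USER can read FILE (run as root), e.g.
#   keytab_readable_as postfix /etc/krb5.keytab
# "postfix" as the smtpd runtime user is an assumption (the Postfix default).
keytab_readable_as() {
    runuser -u "$1" -- test -r "$2"
}

# Constructed EHLO replies: one offering only password mechanisms, one with GSSAPI.
SAMPLE_EHLO_PASSWORD_ONLY='250-smtptest.domain.fr
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'
SAMPLE_EHLO_WITH_GSSAPI='250-smtptest.domain.fr
250-STARTTLS
250-AUTH GSSAPI PLAIN LOGIN
250-AUTH=GSSAPI PLAIN LOGIN
250 8BITMIME'

if printf '%s\n' "$SAMPLE_EHLO_WITH_GSSAPI" | advertises_gssapi; then
    echo "GSSAPI advertised"
fi
```

For a live check, save the server's EHLO reply from the telnet session to a file and pipe it into advertises_gssapi; pass has_gssapi_plugin the plugin directory your libsasl2 build actually searches.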