The recent addition of auth_gssapi_hostname is a welcome addition, but a little more is needed for multi-homed (or multi-domained) sites.
SSH recently added this enhancement to address this common need:

    GSSAPIStrictAcceptorCheck
        Determines whether to be strict about the identity of the GSSAPI
        acceptor a client authenticates against. If "yes" then the client
        must authenticate against the host service on the current hostname.
        If "no" then the client may authenticate against any service key
        stored in the machine's default store. This facility is provided to
        assist with operation on multi homed machines. The default is "yes".
        Note that this option applies only to protocol version 2 GSSAPI
        connections, and setting it to "no" may only work with recent
        Kerberos GSSAPI libraries.

I've heard that other daemons support multiple names by, instead of using gethostname(), obtaining the hostname of the interface that the request came in on.

Can either approach be looked at for dovecot?

Thanks,
--
Richard A Nelson (Rick)
cowboy@((linux.)?vnet|us).ibm.com
Phone: 1-408-463-5584
Fax: 1-408-463-3873
COBOL Development
IBM Silicon Valley Laboratory
http://www.ibm.com/software/awdtools/cobol/
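The three acceptor policies mentioned in the message above, modelled as an added example that is not part of the original post and is neither Dovecot nor OpenSSH code. It is a pure simulation that calls no Kerberos library; the policy names, host names and keytab entries are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text):
        name, _, realm = text.rpartition("@")
        service, _, host = name.partition("/")
        if not (service and host and realm):
            raise ValueError(f"not a service principal: {text!r}")
        return cls(service, host.lower(), realm.upper())

# Constructed keytab of a multi-homed mail host that also runs a web server.
KEYTAB = frozenset(Principal.parse(p) for p in (
    "imap/mail.example.com@EXAMPLE.COM",
    "imap/mail.example.org@EXAMPLE.ORG",
    "HTTP/www.example.com@EXAMPLE.COM",
))

def accepts(ticket_sname, policy, service="imap",
            system_hostname="mail.example.com", interface_hostname=None,
            keytab=KEYTAB):
    """Return True if a ticket issued for ticket_sname would be accepted."""
    target = Principal.parse(ticket_sname)
    if target not in keytab:       # no key stored: ticket cannot be decrypted
        return False
    if policy == "any":            # like GSSAPIStrictAcceptorCheck "no":
        return True                # any stored key works, whatever the service
    if policy == "strict":         # like GSSAPIStrictAcceptorCheck "yes"
        wanted_host = system_hostname
    elif policy == "interface":    # name of the address the request came in on
        if interface_hostname is None:
            raise ValueError("interface policy needs interface_hostname")
        wanted_host = interface_hostname
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    return (target.service, target.host) == (service, wanted_host.lower())

if __name__ == "__main__":
    for p in sorted(KEYTAB, key=lambda p: (p.service, p.host)):
        sname = f"{p.service}/{p.host}@{p.realm}"
        print(sname, {pol: accepts(sname, pol, interface_hostname="mail.example.org")
                      for pol in ("strict", "any", "interface")})
```

In this model the "any" policy also accepts a ticket issued for the HTTP key, while the interface-based policy keeps the service name bound and only varies the host part.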