Viktor, Hello Thanks for your mail. Do you test the configuration using mail clients like Thunderbird or something like that? If not, what do you actually use in order to test the configuration?
Kind Regards Ali Majdzadeh Kohbanani 2009/10/28 Victor Duchovni <victor.ducho...@morganstanley.com> > On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote: > > > ehlo example.com > > auth gssapi base 64 encoded userid > > The GSSAPI handshake does not work this way. > > > When I monitor the logs, I see the following failure messages: > > warning: SASL authentication failure: GSSAPI Error: Invalid token was > > supplied (No error) > > What does the above line mean? Where do I go wrong in the process? > > A base64 encoded username is not a valid GSSAPI token. Test with an > actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here. > > As in your configuration, the server uses a keytab and KRB5_KTNAME is > set in the server environment (import_environment=...). The server > keytab belongs to the "postfix" ($mail_owner) user. > > In our case the client (sending) system also has a keytab, but it is not > used directly, rather a cron job runs periodically, and uses "kinit -t" > to refresh the client credential cache. The client main.cf also has > "import_environment=..." with a setting for KRB5_CCNAME. > > -- > Viktor. > > Disclaimer: off-list followups get on-list replies or get ignored. > Please do not ignore the "Reply-To" header. > > To unsubscribe from the postfix-users list, visit > http://www.postfix.org/lists.html or click the link below: > <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users> > > If my response solves your problem, the best way to thank me is to not > send an "it worked, thanks" follow-up. If you must respond, please put > "It worked, thanks" in the "Subject" so I can delete these quickly. >
