From: Alex Dehnert
Date: Fri, 21 Jul 2023 06:35:02 +0000 (+0000)
Subject: Host-independent kerberos keytab
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=049a6d4b13141a310340f326ad80df424c284155;p=sysconfig%2Fdovecot.git

Host-independent kerberos keytab

Also of note: default_realm needs to be set to DEHNERTS.COM in krb5.conf, and we may also need to map hostnames to realms.
---

diff --git a/.gitignore b/.gitignore
index 1a594af..aadd970 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 extra-users.passwd
 imap.keytab
 olinda.keytab
+mail.keytab
+mail.keytab.base64
 dovecot.pem
 *.ucf-dist
 old/
diff --git a/conf.d/10-auth.conf b/conf.d/10-auth.conf
index 68aee0e..727dbed 100644
--- a/conf.d/10-auth.conf
+++ b/conf.d/10-auth.conf
@@ -73,7 +73,10 @@ auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345
 # Kerberos keytab to use for the GSSAPI mechanism. Will use the system
 # default (usually /etc/krb5.keytab) if not specified. You may need to change
 # the auth service to run as root to be able to read this file.
-auth_krb5_keytab = /etc/dovecot/olinda.keytab
+# Should contain an imap/ (for IMAP) and smtp/ (for SMTP, because Postfix
+# offloads SASL auth) principal, for whatever the host's IP reverse-resolves
+# to.
+auth_krb5_keytab = /etc/dovecot/mail.keytab
 
 # Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
 # ntlm_auth helper.
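Review bot: The two added entries in `.gitignore` name each keytab file individually, as the existing `imap.keytab` and `olinda.keytab` lines do, so a keytab created under a new name stays committable until someone remembers to list it. A pattern pair such as `*.keytab` and `*.keytab.base64` would fail safe instead. `mail.keytab.base64` is the same key material in another encoding, so wherever it is produced it needs the same file mode and handling as `mail.keytab`. An ignore entry also does nothing for a file that is already tracked, so it is worth confirming neither name was ever committed.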
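Review bot: The new comment above `auth_krb5_keytab` says which principals the keytab holds, but not who may read the file or what krb5.conf must contain, and both matter more once one keytab is shared between hosts. If the same `mail.keytab` is deployed on several machines (inferred from the commit title; the hunk does not show distribution), a copy read from any one of them exposes the imap/ and smtp/ service keys for all of them. I would add `# Shared across hosts: keep mode 0600, owned by the user the auth service runs as; re-key every host if one copy leaks.` and prefer that ownership over the existing advice to run the auth service as root. The krb5.conf requirement currently lives only in the commit message and belongs next to the setting, e.g. `# Requires default_realm (and possibly [domain_realm] mappings) in krb5.conf.` Since "whatever the host's IP reverse-resolves to" makes principal selection depend on PTR records, the comment should also name the hostnames the keytab is expected to cover.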