Quoting Jaap Winius <jwinius@???>:
> Is it possible to configure an Exim4 server (exim4-daemon-heavy
> 4.72-6 on Debian squeeze) to offer an authenticated SMTP service
> with end-to-end SSL encryption while authenticating the passwords
> with Kerberos?
>
> So far I've added the following to 00_exim4-config_header:
>
> sasl_gssapi:
> driver = cyrus_sasl
> public_name = GSSAPI
> server_realm = EXAMPLE.COM
> server_set_id = $auth1
To finally answer my own question of 2011-04-08, yes you can (I'm
still using MIT Kerberos, but now with Debian wheezy and Exim 4.80),
the section above is correct, and besides a working Kerberos client
(using k5start to regularly renew the host ticket) and a few extra
library packages (one or all three of libsasl2-2, libsasl2-modules and
libsasl2-modules-gssapi-mit), all I was missing was a properly set
environment variable that Exim needs to find its keytab file. I used
the following:
export KRB5_KTNAME="/etc/exim4/exim.keytab"
All I did was append this line to /etc/default/exim4; a text file that
is sourced by /etc/init.d/exim4 every time this script is run. Oh, and
that keytab file is where I saved the keys for
smtp/mail.example.com@??? -- not in the host keytab file,
/etc/krb5.keytab (that's for host/mail.example.com@???).
It works like a charm.
Cheers,
Jaap
PS -- Thanks, Phil, for your reply of 2011-04-08. The configuration
above produces what you described at the time as 'Approach 1', which
is native Kerberos support. Excellent! Every serious SMTP MTA should
be capable of supporting this.