Re: [exim] SMTP-AUTH, Kerberos and SSL

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Jaap Winius
CC: exim-users
Subject: Re: [exim] SMTP-AUTH, Kerberos and SSL
On 2013-05-23 at 03:00 +0200, Jaap Winius wrote:
> To finally answer my own question of 2011-04-08, yes you can (I'm
> still using MIT Kerberos, but now with Debian wheezy and Exim 4.80),
> the section above is correct, and besides a working Kerberos client
> (using k5start to regularly renew the host ticket) and a few extra
> library packages (one or all three of libsasl2-2, libsasl2-modules and
> libsasl2-modules-gssapi-mit), all I was missing was a properly set
> environment variable that Exim needs to find its keytab file. I used
> the following:
>
>     export KRB5_KTNAME="/etc/exim4/exim.keytab"

>
> All I did was append this line to /etc/default/exim4; a text file that
> is sourced by /etc/init.d/exim4 every time this script is run. Oh, and
> that keytab file is where I saved the keys for
> smtp/mail.example.com@??? -- not in the host keytab file,
> /etc/krb5.keytab (that's for host/mail.example.com@???).
>
> It works like a charm.


I'm glad to hear it, and to get a success report for MIT Kerberos: thank
you.

In the meantime, Heimdal changed their libraries to ignore the
environment variable for setuid programs. So we now have the
`heimdal_gssapi` authentication driver, as of Exim 4.80. If you have a
test environment which you can play with, I'd be interested in knowing
if that driver works with MIT at all, or if the extension truly is
Heimdal-specific.

Regards,
-Phil