On 2019-06-20 at 14:26 +0200, Frank Richter via Exim-users wrote:
> after upgrading to exim-4.92 (EPEL exim-4.92-1.el6.x86_64) our gssapi
> authenticator doesn't work any more.
Debugging permissions and interactions and libraries automatically
dropping access for setuid programs was such a nightmare for me when
using cyrus_sasl for GSSAPI that several years ago I added the
`heimdal_gssapi` authenticator to Exim.
<
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_heimdalgssapi_authenticator.html>
If you've got the Heimdal GSSAPI libraries, or an option to use
something which links against those (I'm not familiar with what the EPEL
builds enable, sorry) then this is the way to go.
Fewer moving parts intricately tied together leads to easier debugging,
and better debug logging inside Exim because Exim has more visibility
into what's going on.
I use GSSAPI for the mail-server for my personal domain so tend to
notice when it breaks. Unfortunately, I didn't have spare time before
the 4.92 release, so didn't test in time to prevent a regression, but
the 6ee110613 commit in git unbreaks the compilation failure for this
authenticator.
My personal config then runs with:
auth_gssapi:
driver = heimdal_gssapi
public_name = GSSAPI
server_hostname = smtp.spodhuis.org
server_keytab = /etc/kerberos/tabs/exim.keytab
server_set_id = $auth1
server_condition = ${if and{\
{or{\
{eqi{$auth1}{$auth2}}\
{eqi{${sg{$auth1}{@.*}{}}}{$auth2}}\
}}\
{eqi{${domain:$auth1}}{spodhuis.org}}\
}}
server_advertise_condition = ${if and{{!def:authenticated_id}{or{\
{INBOUND_SUBMIT_CONDITION}\
{and{{def:tls_cipher}{!match_ip{$sender_host_address}{+relay_for_friends}}}}\
}}} {yes}{no}}
You'd probably want to simplify the server_advertise_condition (or
remove it) and adjust the spodhuis.org references in server_condition
and elsewhere.
-Phil