Dovecot + GSSAPI


Is someone experienced in using Dovecot with GSSAPI support? I’ve tried my best using the howto but I’ve failed.

I’ve modified this line
auth_mechanisms = plain login
in /etc/dovecot/conf.d/10-auth.conf:
auth_mechanisms = plain login gssapi

and I’ve added these lines

auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

And of course I’ve created the keytab (like in NFS4 Export) and changed the permissions.


I’ve checked the configuration files. I would expect that it’s enough to put/modify the following lines in /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain login gssapi
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

The problem was located on the client side. The login name has to be the username or the principal but not the mail address.

But SMTP is not working although I’ve created the SMTP service principal and Postfix is configured to use the Dovecot SASL.

EDIT: Seems to be a Thunderbird problem. It’s working with KMail. But I haven’t found a solution for Thunderbird yet.

@Univention It would be nice if these options, or at least the option “auth_mechanisms”, could be configured via UCR. The other ones could maybe be configured in local.conf. I can provide a patch if there is a chance for acceptance.

There is a log entry corresponding to this issue:

request longer than 2048: AUTH GSSAPI $censored

Note that Dovecot includes all files in the directory /etc/dovecot/conf.d whose name ends in .conf. If you want to overwrite something, simply create a file in that directory with a name that’s alphabetically at the end of all .conf files (e.g. 99-local.conf or even zz-local.conf) and store your settings there.


Yes, thank you for the hint. It seems to work when I put it in a new file named 10-myauth.conf.

That works for this particular option as it is defined in 10-auth.conf which sorts earlier than 10-myauth.conf. It won’t work if you want to change something defined in e.g. 20-managesieve.conf.

Personally I prefer to have all of my custom options in a single file in order to keep maintenance cost down; hence my recommendation of something like 99-whatever.conf.
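The include ordering explained above, as an added illustration that is not from the thread or from Dovecot itself: a shell function that resolves a setting over constructed conf.d fragments the way the thread describes (files read in sorted name order, last definition wins). The fragment names besides 10-auth.conf and 20-managesieve.conf, and the managesieve values, are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduces the "last definition wins" behaviour for files pulled in by
# Dovecot's include of conf.d/*.conf: fragments are read in sorted name
# order, so a setting only overrides an earlier one if its file sorts later.
# Constructed stand-in fragments are written to a temporary directory.

CONFD=$(mktemp -d)

printf 'auth_mechanisms = plain login\n' > "$CONFD/10-auth.conf"
printf 'auth_mechanisms = plain login gssapi\nauth_krb5_keytab = /etc/dovecot/dovecot.keytab\n' \
    > "$CONFD/10-myauth.conf"
# Constructed values: the override in 10-mysieve.conf sorts BEFORE 20-managesieve.conf
printf 'managesieve_max_line_length = 65536\n' > "$CONFD/20-managesieve.conf"
printf 'managesieve_max_line_length = 8192\n'  > "$CONFD/10-mysieve.conf"

# effective_value <conf.d dir> <setting>
# Walks the fragments in C-locale sorted order (the order the include glob
# yields) and prints the value from the last file that defines the setting.
effective_value() {
    dir=$1; key=$2; value=""
    for f in $(cd "$dir" && ls *.conf | LC_ALL=C sort); do
        v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$dir/$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    done
    printf '%s\n' "$value"
}

effective_value "$CONFD" auth_mechanisms              # 10-myauth.conf wins over 10-auth.conf
effective_value "$CONFD" managesieve_max_line_length  # 20-managesieve.conf wins over 10-mysieve.conf
```

On a real host the same question is answered by `doveconf -n`, which prints the merged configuration Dovecot actually uses.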

Yes, that was the idea behind putting the stuff in local.conf. But that wasn’t working. Interestingly, it works when putting the stuff into 99-myconf.conf, although both files should be imported after 10-auth.conf. Strange.

Is there a special principal needed for sieve?

I’ve tried it with sieve/fqdn$. But it’s not working.