<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> So with more reading I've gotten even further, things never mentioned on those howtos: * You must have some means to authenticate to the Kerberos realm for your domain, in my case the MIT Kerberos client for windows 8 I've got Dovecot working as expected authenticating using teh GSSAPI authentication mechanism which is great. Postfix is also talking to SASL Auth daemon but I'm getting some auth errors like this: Jun 25 13:09:46 mail postfix/smtpd[8616]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () While Thunderbird reports this: Sending of message failed. The Kerberos/GSSAPI ticket was not accepted by the SMTP server mail.domain.net. Please check that you are logged in to the Kerberos/GSSAPI realm. I'm in fact logged in to the realm from what I can see in the MIT Kerberos client interface: I hope the attachment can be seen by the list: <img src="cid:part1.00040708.09000308@gmail.com" alt=""> So, as you can see both smtp/mail.domain.net and imap/mail.domain.net are there, so whatever is causing the issue has to do with SASL but I haven't been able to find any useful debug commands for it apart from testsaslauthd whic yells [root@mail ~]# testsaslauthd -u <a class="moz-txt-link-abbreviated" href="mailto:david@domain.net">david@domain.net</a> -p pass 0: NO "authentication failed" I don't know if I need the /etc/saslauthd.conf file as described on some postfix+LDAP documents I tested that with no luck, here's a sample of what I tried. [root@mail ~]# cat saslauthd.conf ldap_servers: <a class="moz-txt-link-freetext" href="ldap://ipa.domain.net">ldap://ipa.domain.net</a> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net ldap_filter: (|(uid=%u)(mail=%u)) ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net ldap_bind_pw: pass Any advise from you will be greatly appreciated. Then again, Thanks In Advance guys. --Regards DavidG <div class="moz-cite-prefix">On 6/25/2014 10:25 AM, Simo Sorce wrote: </div> <blockquote cite="mid:1403709900.11352.9.camel@willson.usersys.redhat.com" type="cite"> <pre wrap="">On Wed, 2014-06-25 at 09:52 -0500, Dave Gonzalez wrote: </pre> <blockquote type="cite"> <pre wrap="">I don't know if the fact that the server is already enrolled as smtp/mail.domain.net make dovecot not request any ticket as imap/mail.domain.net as I don't see any entries for that system on the KDC log </pre> </blockquote> <pre wrap=""> Dovecot does not require any ticket, it's your clients that do, and you showed me no logs of clients. If you are configuring your client to talk to mail.domain.net, then you *must* have a keys for imap/mail.domain.net on your IMAP server. Keys for imap/mail01.example.net will be useless as the client won't be looking for that ticket. When a client is configured to talk to mail.domain.net it will ask the KDC for a ticket for the principal named imap/mail.domain.net. The client also may need to be told what KDC to contact for the domain.net domain if it really is a different domain from your main one. You used example.com and domain.net both, so unless it is a bad substitution, it means you may want to check the documentation for setting up a correct domain_realm section in your krb5.conf (note that modern IPA clients that use SSSD do not need manual configuration as long as you configure the domains list in the ipa server). You can, of course, have multiple keys if you advertise your service under multiple names to different clients. Simo. </pre> </blockquote> </body> </html>