Package: postfix
Version: 2.5.5-1.1
Severity: important
I'm not sure if this is a feature, bug, or inconvenience.
However, I've had to create the following files and folders to get
GSSAPI working. I'm concerned about the security implications of
altering a chroot.
/var/spool/postfix/etc/krb5.conf
/var/spool/postfix/etc/krb5.keytab
/var/spool/postfix/var/tmp
The conf file is needed for the default Realm name; I don't know why
this can't be set using DNS or something.
The tmp folder is used by the library and must exist and be writable.
I used the following for these folders:
drwx--x--x 3 root root 4096 Dec 5 13:39 /var/spool/postfix/var
d-wx------ 2 postfix root 4096 Dec 5 13:41 /var/spool/postfix/var/tmp
I'd certainly appreciate a better solution, like sasl/krb5 proxy.
After all this my setup is still untestable, has anyone got this to
work? I'm concerned about issues with my client, but the error I'm
getting currently is: Wrong principal in request
It's not correct, I'm certainly using the correct principal... AFAICT.
I'm going to look at /var/spool/postfix/etc/hostname for example.
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (900, 'stable'), (800, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35.4-rscloud (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages postfix depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf- 1.5.24 Debian configuration management sy
ii dpkg 1.14.29+b1 Debian package management system
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libdb4.6 4.6.21-11 Berkeley v4.6 Database Libraries [
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
ii libssl0.9.8 0.9.8g-15+lenny9 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii netbase 4.34 Basic TCP/IP networking system
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
postfix recommends no packages.
Versions of packages postfix suggests:
ii bsd-mailx [mail-r 8.1.2-0.20071201cvs-3 A simple mail user agent
ii jed [mail-reader] 1:0.99.18+dfsg.1-11 editor for programmers (textmode v
ii libsasl2-modules 2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat
ii mutt [mail-reader 1.5.18-6 text-based mailreader supporting M
pn postfix-cdb <none> (no description available)
pn postfix-ldap <none> (no description available)
pn postfix-mysql <none> (no description available)
pn postfix-pcre <none> (no description available)
pn postfix-pgsql <none> (no description available)
ii procmail 3.22-16 Versatile e-mail processor
pn resolvconf <none> (no description available)
ii sasl2-bin 2.1.22.dfsg1-23+lenny1 Cyrus SASL - administration progra
pn ufw <none> (no description available)
-- debconf information:
postfix/root_address:
postfix/rfc1035_violation: false
postfix/mydomain_warning:
postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
* postfix/mailname: hades.mikemestnik.net
postfix/tlsmgr_upgrade_warning:
postfix/recipient_delim: +
* postfix/main_mailer_type: Internet Site
postfix/destinations: hades.mikemestnik.net, localhost.mikemestnik.net, , localhost
postfix/retry_upgrade_warning:
postfix/kernel_version_warning:
postfix/not_configured:
postfix/mailbox_limit: 0
postfix/relayhost:
postfix/procmail: true
postfix/bad_recipient_delimiter:
postfix/protocols: all
postfix/chattr: false
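The chroot additions listed in the report above can be checked mechanically. The script below is an added example, not part of the original report or of the Postfix or Debian packaging; it assumes GNU stat, and the function names and permission thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example: audit the chroot entries named in the report above.
# Assumes GNU stat (Debian). The permission thresholds are this example's
# own policy choices, not Postfix or Debian defaults.

bad=0
flag() { echo "FINDING: $*"; bad=$((bad + 1)); }

# mode_has PATH MASK: true if any permission bit in octal MASK is set.
mode_has() { [ $(( 0$(stat -c '%a' "$1") & $2 )) -ne 0 ]; }

# owned_by PATH USER: true if the owner matches a user name or numeric uid.
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ] || [ "$(stat -c '%u' "$1")" = "$2" ]
}

# audit_gssapi_chroot ROOT [TMP_OWNER]
# Prints one line per finding; the return status is the number of findings.
audit_gssapi_chroot() {
    root=$1; tmp_owner=${2:-postfix}; bad=0
    conf=$root/etc/krb5.conf
    keytab=$root/etc/krb5.keytab
    tmp=$root/var/tmp

    # A symlink here can resolve differently inside and outside the chroot.
    for p in "$conf" "$keytab" "$tmp"; do
        if [ -L "$p" ]; then flag "$p is a symlink"; fi
    done

    if [ ! -f "$conf" ]; then flag "$conf missing (default realm)"
    elif mode_has "$conf" 022; then flag "$conf writable by group/other"
    fi

    # The keytab holds the service's long-term key.
    if [ ! -f "$keytab" ]; then flag "$keytab missing"
    elif mode_has "$keytab" 007; then flag "$keytab accessible to other users"
    fi

    # The report used mode 0300 owned by postfix for var/tmp.
    if [ ! -d "$tmp" ]; then flag "$tmp missing (needed by the library)"
    else
        owned_by "$tmp" "$tmp_owner" || flag "$tmp not owned by $tmp_owner"
        if mode_has "$tmp" 077; then flag "$tmp open to group/other"; fi
    fi
    return "$bad"
}

# Run against a path given on the command line, e.g. /var/spool/postfix.
[ $# -eq 0 ] || audit_gssapi_chroot "$@"
```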
Acknowledgement sent
to Mike Mestnik <[email protected]>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <[email protected]>.
(Sun, 05 Dec 2010 14:51:07 GMT)
Package: postfix
Version: 2.5.5-1.1
Followup-For: Bug #606007
/dev/urandom
Acknowledgement sent
to Mike Mestnik <[email protected]>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <[email protected]>.
(Sun, 05 Dec 2010 15:24:04 GMT)
Package: postfix
Version: 2.5.5-1.1
Followup-For: Bug #606007
After clearing out stale key information things started working for
me. I made one file change to my configuration.
/etc/postfix/sasl/smtpd.conf:
mech_list: GSSAPI
This disables all password-based authentication, something I'm
interested in for my site. YMMV.
I filed a bug against the Ubuntu version of this package here
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1279116
They suggested raising the issue in the Debian package system as the chroot
comes from the upstream Debian package. And I came across this bug.
I was able to figure out all of the configuration files necessary in the
chroot as I have several other services configured in a similar way, but
the lack of the /var/tmp directory really took some digging to figure out.
Would it be possible to include the creation of such a directory in the
package installation?
Short of that, is there a way to configure the gssapi library to use a
different location for the credential cache that does exist in the current
postfix chroot structure?
Acknowledgement sent
to Michael Tokarev <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Postfix Team <[email protected]>.
(Mon, 02 Dec 2024 07:09:02 GMT)
Subject: Re: Bug#606007: GSSAPI: Modifications to chroot.
Date: Mon, 2 Dec 2024 10:06:46 +0300
Control: retitle -1 [chroot] GSSAPI: Modifications to chroot.
On Wed, 12 Feb 2014 20:21:22 -0500 Craig <[email protected]> wrote:
> I filed a bug against the Ubuntu version of this package here
> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1279116
>
> They suggested raising the issue in the Debian package system as the chroot
> comes from the upstream Debian package. And I came across this bug.
>
> I was able to figure out all of the configuration files necessary in the
> chroot as I have several other services configured in a similar way, but
> the lack of the /var/tmp directory really took some digging to figure out.
> Would it be possible to include the creation of such a directory in the
> package installation?
The root cause of all this is running postfix chrooted by default in Debian,
which has been strongly advised against by the upstream countless number of
times over the years.
I'm marking all such bugs to have [chroot] prefix in the bts.
Thanks,
/mjt
Changed Bug title to '[chroot] GSSAPI: Modifications to chroot.' from 'GSSAPI: Modifications to chroot.'.
Request was from Michael Tokarev <[email protected]>
to [email protected].
(Mon, 02 Dec 2024 07:09:02 GMT)