[Pkg-exim4-users] SMTP AUTH with GSSAPI problems (exim4-4.94.2-7 on bullseye)

Frank Richter frank.richter at hrz.tu-chemnitz.de
Mon Aug 22 15:31:55 BST 2022


I'm porting an MTA with exim from RHEL 7.X (exim-4.94.2) to Debian 11 
bullseye (I'm new to Debian and this list …). No big deal so far, I'm using 
exim4-daemon-heavy 4.94.2-7 with just a large /etc/exim4/exim4.conf

Now I've got a problem getting SMTP AUTH with GSSAPI running. I'm using 
the cyrus_sasl authenticator (heimdal_gssapi seems not to be available):

begin authenticators

gssapi:
     driver = cyrus_sasl
     public_name = GSSAPI
     server_set_id = $auth1

I've a separate keytab file: /etc/krb5.keytab.exim (read rights for user 

I had on RHEL – in /etc/sysconfig/exim:

In Debian I added to /etc/default/exim4


Trying to send an e-mail with GSSAPI I get:

rejectlog: 2022-08-22 15:33:02 gssapi authenticator (GSSAPI):  Cyrus SASL username fetch problem: generic failure
mainlog: 2022-08-22 15:33:02 gssapi authenticator failed for troi.hrz.tu-chemnitz.de [2001:638:911:12c:134:109:142:70]: 535 Incorrect authentication data

Starting the exim daemon with: KRB5_KTNAME="/etc/krb5.keytab.exim" exim -bd 
works as expected!
So the KRB5_KTNAME from /etc/default/exim4 doesn't get into exim's environment 
when started via systemd.
Can anybody help with how to do it right?

Thanks in advance,

Frank Richter
Chemnitz University of Technology, Germany
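
One way to confirm the diagnosis in the message above, as an added example that is not part of the original post: read the daemon's environment in the NUL-separated /proc/<pid>/environ format and check whether KRB5_KTNAME is present. The function names are hypothetical, the sample environ files are constructed, and the process name exim4 in the closing comment is an assumption.

```shell
#!/bin/sh
# env_lookup FILE NAME: FILE is NUL-separated, like /proc/<pid>/environ.
# Prints the value and returns 0 if NAME is set, returns 1 otherwise.
env_lookup() {
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit(found ? 0 : 1) }'
}

# check_pids NAME PID...: report NAME for each PID; returns 1 if any lacks it.
check_pids() {
    name=$1; shift; rc=0
    for pid in "$@"; do
        if val=$(env_lookup "/proc/$pid/environ" "$name"); then
            echo "pid $pid: $name=$val"
        else
            echo "pid $pid: $name not set"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: one environment with the variable, one without,
# standing in for the manual start and the systemd start described above.
make_samples() {
    printf 'PATH=/usr/sbin:/usr/bin\0KRB5_KTNAME=/etc/krb5.keytab.exim\0' > "$1/manual.environ"
    printf 'PATH=/usr/sbin:/usr/bin\0LANG=C\0' > "$1/systemd.environ"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in manual systemd; do
    if v=$(env_lookup "$tmp/$f.environ" KRB5_KTNAME); then
        echo "$f: KRB5_KTNAME=$v"
    else
        echo "$f: KRB5_KTNAME not set"
    fi
done
rm -rf "$tmp"

# On a live host, as root (assumes the daemon process is named exim4):
#   check_pids KRB5_KTNAME $(pgrep -x exim4)
```

/proc/<pid>/environ holds the environment the process was started with, which is the point at which the keytab location has to be set for the GSSAPI library to pick it up.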
