[Freeipa-users] Kerberos Auth (GSSAPI) with NATed IPs

Hi list! I'm having a problem where a, in this case, IMAP server (dovecot), configured to do auth via GSSAPI, doesn't authenticate clients coming from the NATed IP it has. Physically it only has a private IP attached (10.1.0.0/8) but it also has a NATed public IP from the internet. The NAT is done on the router/firewall before it get's to the server itself. I've read about extra_addresses on the /etc/krb5.conf file but that doesn't look like it does the trick of making the authentication work. If I somehow force the clients to authenticate to the private IP (via hosts file for example), the auth succeeds. Is this fixable? Thanks!