<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> Hi again martin, Followed your advise with no luck either, I tried testsaslauthd -u <a class="moz-txt-link-abbreviated" href="mailto:david@domain.com">david@domain.com</a> -p pass saslauthd[18405] :rel_accept_lock : released accept lock saslauthd[18407] :get_accept_lock : acquired accept lock saslauthd[18405] :do_auth : auth failure: [<a class="moz-txt-link-abbreviated" href="mailto:user=david@domain.com">user=david@domain.com</a>] [service=imap] [realm=] [mech=ldap] [reason=Unknown] saslauthd[18405] :do_request : response: NO 0: NO "authentication failed" Postfix doesn't even how any autrhentication attempts, but what I see as a weird things is that "service=imap" I appreciate your help and prompt response, I've tried with ldap_table instructions from postfix site but no joy, also it's important to mention to all that this is a brand new install of CentOS so no tweaks or any weird thing. Thanks everyone. <div class="moz-cite-prefix">On 6/23/2014 8:12 AM, Martin Boese wrote: </div> <blockquote cite="mid:20140623141202.2ddf7cac@ita-bones-t530" type="cite"> <pre wrap="">On Sun, 22 Jun 2014 11:41:36 -0500 Dave Gonzalez <a class="moz-txt-link-rfc2396E" href="mailto:dgonzalezh@gmail.com"><dgonzalezh@gmail.com></a> wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello there everyone David here, I'm big time Red Hat fan, I work for a company where we have a small 20+ people directory, I'm currently using Samba4 to offer authentication to Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch ebcause samba is a hassle to setup and whenever replication breaks it's nearly impossible to rebuild, anyways, My current environment is Proxmox VE 3 as virtualization platform and many CentOS/RedHat Servers holding my services. Please excuse me if this was already answered but after I went trhough the archives I coulnd't find anyone facing the same issue, please bear with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing something or doing it wrong but after a week struggling with this setup I decided to call for the help of the experts. My environment: FreeIPA Server CentOS 6.5 x86_64 Mail Server CentOS 6.5 postfix-2.6.6-6.el6_5.x86_64 dovecot-2.0.9-7.el6.x86_64 ipa-python-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch libipa_hbac-1.9.2-129.el6_5.4.x86_64 libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 I've followed these posts from Dale McCartney, whom I've also read his posts around here <a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/">https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/</a> <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Dovecot_Integration">http://www.freeipa.org/page/Dovecot_Integration</a> None of them seem to work at the moment when using Thunderbird with the server set up as STARTLS Kerberos/GSSAPI -- Thunderbird also reports that <quote> "The kerberos/GSSAPI ticket was not accepted by the IMAP server <a class="moz-txt-link-abbreviated" href="mailto:david@domain.com">david@domain.com</a>. Please chack that you're logged in to the Kerberos/GSSAPI realm" </quote> with Dovecot I'm getting this <code> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth attempts): rip=1.1.1.1, lip=217.1.2.3 </code> I tried manual telnet and use a authenticate gssapi which retuns "+" which means module is indeed loading and the server is gssapi ready for the challenge. If anyone of you could point me into the right direction I'd really value that. Thanks --- Regards David G. </pre> </blockquote> <pre wrap=""> I think the right direction is to just use LDAP for these things.. Here's my LDAP+SASL on debian for Postfix. Seems like Dovecot can also authenticate against SASL. Create an unprivileged user for ldap-bind ** /etc/postfix/main.cf ...snip... smtpd_sasl_auth_enable = yes smtpd_sasl_path = smtpd smtpd_sasl_local_domain = yourdomain.com ...add to: smtpd_recipient_restrictions = permit_sasl_authenticated ** /etc/postfix/sasl/smtpd.conf pwcheck_method: saslauthd mech_list: PLAIN LOGIN ** /etc/saslauth.conf ldap_servers: <a class="moz-txt-link-freetext" href="ldap://your.ipa.server">ldap://your.ipa.server</a> ldap_search_base: cn=users,cn=accounts,dc=yourdomain,dc=com ldap_filter: (|(uid=%u)(mail=%u)) ldap_bind_dn:uid=your-unpriviledged-user,cn=users,cn=accounts,dc=yourdomain,dc=com ldap_bind_pw: password-of-the-user Martin </pre> </blockquote> </body> </html>