<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> Alexander, thank you very much for your config sample, I took some time and compared to mine and they're pretty much the same, I want to move mailboxes to Maildir style because the system I'm planning to migrate to this IPA deployment does use Maildir style mailboxes. Thanks and cheers. <div class="moz-cite-prefix">On 6/25/2014 10:54 AM, Alexander Bokovoy wrote: </div> <blockquote cite="mid:20140625155448.GJ7233@redhat.com" type="cite">On Sun, 22 Jun 2014, Dave Gonzalez wrote: <blockquote type="cite">Hello there everyone David here, I'm big time Red Hat fan, I work for a company where we have a small 20+ people directory, I'm currently using Samba4 to offer authentication to Openfire, Postfix, Dovecot (using GroupOffice); but I want to switch ebcause samba is a hassle to setup and whenever replication breaks it's nearly impossible to rebuild, anyways, My current environment is Proxmox VE 3 as virtualization platform and many CentOS/RedHat Servers holding my services. Please excuse me if this was already answered but after I went trhough the archives I coulnd't find anyone facing the same issue, please bear with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing something or doing it wrong but after a week struggling with this setup I decided to call for the help of the experts. My environment: FreeIPA Server CentOS 6.5 x86_64 Mail Server CentOS 6.5 postfix-2.6.6-6.el6_5.x86_64 dovecot-2.0.9-7.el6.x86_64 ipa-python-3.0.0-37.el6.x86_64 ipa-client-3.0.0-37.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch libipa_hbac-1.9.2-129.el6_5.4.x86_64 libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 I've followed these posts from Dale McCartney, whom I've also read his posts around here <a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/">https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/</a> <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Dovecot_Integration">http://www.freeipa.org/page/Dovecot_Integration</a> None of them seem to work at the moment when using Thunderbird with the server set up as STARTLS Kerberos/GSSAPI -- Thunderbird also reports that <quote> "The kerberos/GSSAPI ticket was not accepted by the IMAP server <a class="moz-txt-link-abbreviated" href="mailto:david@domain.com">david@domain.com</a>. Please chack that you're logged in to the Kerberos/GSSAPI realm" </quote> with Dovecot I'm getting this <code> Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth attempts): rip=1.1.1.1, lip=217.1.2.3 </code> I tried manual telnet and use a authenticate gssapi which retuns "+" which means module is indeed loading and the server is gssapi ready for the challenge. If anyone of you could point me into the right direction I'd really value that. </blockquote> Following configuration works for me (generated with 'dovecot -n' from my actual config files): # 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug) auth_default_realm = VDA.LI auth_krb5_keytab = /etc/dovecot/dovecot.keytab auth_mechanisms = gssapi auth_realms = VDA.LI base_dir = /var/run/dovecot/ mail_location = maildir:~/Maildir mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } userdb { driver = passwd } ssl = required ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem The /etc/dovecot/dovecot.keytab contains the keytab, obtained with # kinit admin # ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab # chown dovecot /etc/dovecot/dovecot.keytab </blockquote> </body> </html>