[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Mon Jan 30 19:11:07 UTC 2012


On 01/30/2012 07:42 AM, Dale Macartney wrote:
> 
> Of course Dmitri
> 
> Here you go. I was actually trying to resolve this for an automated
> kickstart process anyway. The details specific to dovecot are in the middle.
> 
> # Connect server to IPA domain (ensure DNS is working correctly
> otherwise this step will fail)
> ipa-client-install -U -p admin -w mysecretpassword
> 
> # install postfix if necessary (installed by default in rhel6)
> yum -y install postfix
> 
> # set postfix to start on boot
> chkconfig postfix on
> 
> # configure postfix with hostname, domain and origin details
> sed -i 's/#myhostname = host.domain.tld/myhostname = servername.example.com/g' /etc/postfix/main.cf
> sed -i 's/#mydomain = domain.tld/mydomain = example.com/g' /etc/postfix/main.cf
> sed -i 's/#myorigin = $mydomain/myorigin = $mydomain/g' /etc/postfix/main.cf
> 
> # configure postfix to listen on all interfaces
> sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
> sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf
> 
> # apply postfix changes
> service postfix restart
> 
> # Install dovecot
> yum -y install dovecot
> 
> # set dovecot to start on boot
> chkconfig dovecot on
> 
> # set dovecot to listen on imap and imaps only
> sed -i 's/#protocols = imap pop3 lmtp/protocols = imap imaps/g' /etc/dovecot/dovecot.conf
> 
> # point dovecot to required mailbox directory (This is the section that
> was previously failing)
> echo "mail_location = mbox:~/mail:INBOX=/var/mail/%u" >> /etc/dovecot/dovecot.conf
> 
> # reload dovecot to apply changes
> service dovecot restart
> 
> # Apply working IPtables
> cat > /etc/sysconfig/iptables << EOF
> # Generated by iptables-save v1.4.7 on Tue Jan 10 12:17:41 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [29:4596]
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Tue Jan 10 12:17:41 2012
> EOF
> 
> With the above details, I am able to replicate a 100% working IPA
> authenticated mail server, allowing IPA users to retrieve mail via
> imap/imaps.
> 
> I hope this helps.
> 
> 
> Dale
> 
> 
> 
> On 01/30/2012 01:46 PM, Dmitri Pal wrote:
>> On 01/30/2012 07:16 AM, Dale Macartney wrote:
>>>
>>> Hi all
>>>
>>> I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
>>> 2.1 and experimenting with simple mail server setups.
>>>
>>> I have mail being received based on pam lookups from IPA. The mail server
>>> is tapped into IPA via the ipa-client-install.
>>>
>>> I am using a default install of the dovecot rpm from RHN, and dovecot is
>>> listening via imap/imaps, however all authentication requests fail when
>>> attempting to login via imap.
>>>
>>> I added the necessary keytabs for imap/mail.example.com and
>>> imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed
>>> authentication.
>>>
>>> Has anyone set up dovecot through IPA before? Any recommendations?
>>>
>>>
>> Hi Dale,
> 
>> Will you be so kind to share with the list a little bit more details
>> about how to set up Dovecot with IPA? If you can provide step by step
>> instructions we would publish them on the FreeIPA wiki.
> 
>> Thank you
>> Dmitri
> 
> 
>>> thanks all
>>>
>>> Dale
>>>
>>>
> 
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
>> --
>> Thank you,
>> Dmitri Pal
> 
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
> 


So I am a bit confused here, is this working for you or not? It looked
like you were asking a question to begin with, but then at the end you
are saying it is 100% working?

Just trying to figure out whether you need help,
-Erinn
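An added example, not code from Dale's post or from the FreeIPA project: the Dovecot part of Dale's kickstart fragment edits dovecot.conf with `sed` on the packaged default lines and `echo >>`, which silently does nothing when the default line differs and appends a duplicate on every re-run. The helpers below (hypothetical names `set_conf`, `get_conf`, `check_conf`, `configure_dovecot`, `keytab_has_principal`) apply the same two directives idempotently, verify the effective value so a broken kickstart fails instead of producing a half-configured IMAP server, and check for the `imap/mail.example.com` keytab entry Dale mentions. The `klist -k` listing and the dovecot.conf excerpt are constructed samples; file paths are parameters so the script can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent dovecot.conf edits plus
# verification. Only top-level "key = value" directives are handled, not
# settings inside { } blocks.

# set_conf FILE KEY VALUE
# Remove every existing "KEY = ..." line, commented out or not, then append
# "KEY = VALUE", so exactly one effective definition remains however many
# times the kickstart runs.
set_conf() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # grep -v exits 1 when every line was removed; that is not an error here
    grep -Ev "^[[:space:]]*#?${key}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_conf FILE KEY
# Print the effective value: the last uncommented "KEY = value" line.
get_conf() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# check_conf FILE KEY EXPECTED
# Succeed only when the effective value equals EXPECTED.
check_conf() {
    [ "$(get_conf "$1" "$2")" = "$3" ]
}

# configure_dovecot FILE
# The two directives Dale's script sets, applied idempotently and verified.
configure_dovecot() {
    set_conf "$1" protocols "imap imaps"
    set_conf "$1" mail_location "mbox:~/mail:INBOX=/var/mail/%u"
    check_conf "$1" protocols "imap imaps" &&
    check_conf "$1" mail_location "mbox:~/mail:INBOX=/var/mail/%u"
}

# keytab_has_principal LISTING SERVICE HOST
# LISTING is the text printed by "klist -k /etc/krb5.keytab". Succeeds when a
# SERVICE/HOST@REALM entry is present, e.g. on a real host:
#   keytab_has_principal "$(klist -k /etc/krb5.keytab)" imap mail.example.com
keytab_has_principal() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$2/$3@"
}

# Constructed sample of klist -k output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 imap/mail.example.com@EXAMPLE.COM'

# Constructed stand-in for the packaged dovecot.conf defaults the script edits.
SAMPLE_CONF='# Dovecot configuration (constructed excerpt)
#protocols = imap pop3 lmtp
#mail_location =
listen = *'

# Demonstration on a scratch copy when a target path is given, e.g.:
#   sh dovecot_conf.sh /tmp/dovecot.conf
if [ -n "${1:-}" ]; then
    printf '%s\n' "$SAMPLE_CONF" > "$1"
    configure_dovecot "$1" && configure_dovecot "$1" && cat "$1"
fi
```

Running `configure_dovecot` twice against the same file leaves one `protocols` and one `mail_location` line, which is the property the original `echo >>` lacks; `check_conf` returning non-zero is what a kickstart `%post` section should treat as a hard failure.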
