[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Dale Macartney dale at themacartneyclan.com
Mon Jan 30 19:20:36 UTC 2012



Hi Erinn

I originally asked the question because I thought my auth attempts were
failing when using IPA; however, this was not the case.

On closer inspection, I found that the authentication was successful, yet
dovecot was failing to read a "missing" mailbox.

I found that dovecot was simply missing the mail_location directive,
detailed below.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Once I restarted dovecot with this extra line, the authentication was
again validated. I was then prompted to accept the self-signed
certificate from dovecot and I was able to retrieve the mail as intended.

Does this help clear things up?


Dale



On 01/30/2012 07:11 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 07:42 AM, Dale Macartney wrote:
>>
>> Of course Dmitri
>>
>> Here you go. I was actually trying to resolve this for an automated
>> kickstart process anyway. The details specific to dovecot are in the
>> middle.
>>
>> # Connect server to IPA domain (ensure DNS is working correctly,
>> # otherwise this step will fail)
>> ipa-client-install -U -p admin -w mysecretpassword
>>
>> # install postfix if necessary (installed by default in rhel6)
>> yum -y install postfix
>>
>> # set postfix to start on boot
>> chkconfig postfix on
>>
>> # configure postfix with hostname, domain and origin details
>> sed -i 's/#myhostname = host.domain.tld/myhostname = servername.example.com/g' /etc/postfix/main.cf
>> sed -i 's/#mydomain = domain.tld/mydomain = example.com/g' /etc/postfix/main.cf
>> sed -i 's/#myorigin = $mydomain/myorigin = $mydomain/g' /etc/postfix/main.cf
>>
>> # configure postfix to listen on all interfaces
>> sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
>> sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf
>>
>> # apply postfix changes
>> service postfix restart
>>
>> # Install dovecot
>> yum -y install dovecot
>>
>> # set dovecot to start on boot
>> chkconfig dovecot on
>>
>> # set dovecot to listen on imap and imaps only
>> sed -i 's/#protocols = imap pop3 lmtp/protocols = imap imaps/g' /etc/dovecot/dovecot.conf
>>
>> # point dovecot to the required mailbox directory (this is the section that
>> # was previously failing)
>> echo "mail_location = mbox:~/mail:INBOX=/var/mail/%u" >> /etc/dovecot/dovecot.conf
>>
>> # reload dovecot to apply changes
>> service dovecot restart
>>
>> # Apply working IPtables
>> cat > /etc/sysconfig/iptables << EOF
>> # Generated by iptables-save v1.4.7 on Tue Jan 10 12:17:41 2012
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [29:4596]
>> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Tue Jan 10 12:17:41 2012
>> EOF
>>
>> With the above details, I am able to replicate a 100% working IPA
>> authenticated mail server, allowing IPA users to retrieve mail via
>> imap/imaps.
>>
>> I hope this helps.
>>
>>
>> Dale
>>
>>
>>
>> On 01/30/2012 01:46 PM, Dmitri Pal wrote:
>>> On 01/30/2012 07:16 AM, Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
>>>> 2.1 and experimenting with simple mail server setups.
>>>>
>>>> I have mail being received based on PAM lookups from IPA. The mail server
>>>> is tapped into IPA via ipa-client-install.
>>>>
>>>> I am using a default install of the dovecot rpm from RHN, and dovecot is
>>>> listening via imap/imaps; however, all authentication requests fail when
>>>> attempting to log in via imap.
>>>>
>>>> I added the necessary keytabs for imap/mail.example.com and
>>>> imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed
>>>> authentication.
>>>>
>>>> Has anyone set up dovecot through IPA before? Any recommendations?
>>>>
>>>>
>>> Hi Dale,
>>>
>>> Would you be so kind as to share with the list a few more details
>>> about how to set up Dovecot with IPA? If you can provide step-by-step
>>> instructions, we would publish them on the FreeIPA wiki.
>>>
>>> Thank you
>>> Dmitri
>>>
>>
>>>> thanks all
>>>>
>>>> Dale
>>>>
>>>>
>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>
>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
> So I am a bit confused here, is this working for you or not? It looked
> like you were asking a question to begin with, but then at the end you
> are saying it is 100% working?
>
> Just trying to figure out whether you need help,
> -Erinn
>
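An added example, not code from the thread: the kickstart script above edits dovecot.conf with one-shot sed/echo commands, which silently do nothing if the commented default is absent and append a duplicate on every re-run. The functions below set a key idempotently and check that the config carries the mail_location directive whose absence caused the "missing mailbox" failure Dale describes; the config path is a parameter, and the demo runs against a constructed sample file, not a real /etc/dovecot/dovecot.conf.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent key setter for dovecot.conf
# style "key = value" files, plus a check for the two settings the thread
# depends on. All paths are parameters; the demo uses a constructed temp file.

# set_conf_key FILE KEY VALUE: replace an active "KEY = ..." line, else
# uncomment a "#KEY = ..." default, else append. Re-running adds no duplicates,
# unlike a bare "echo ... >> dovecot.conf".
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    elif grep -q "^#[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s|^#[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: print the active (uncommented) value, if any.
get_conf_key() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# check_dovecot_conf FILE: 0 only if protocols include imap and mail_location
# is set. Authentication can succeed (Kerberos/PAM via IPA) and retrieval
# still fail when the latter is missing, which is what happened in the thread.
check_dovecot_conf() {
    protos=$(get_conf_key "$1" protocols)
    loc=$(get_conf_key "$1" mail_location)
    case " $protos " in
        *" imap "*) ;;
        *) echo "protocols does not include imap"; return 1 ;;
    esac
    [ -n "$loc" ] || { echo "mail_location is not set"; return 1; }
    echo "dovecot config OK: protocols=$protos mail_location=$loc"
}

# Constructed sample resembling the commented RHEL 6 defaults.
demo() {
    f=$(mktemp)
    printf '#protocols = imap pop3 lmtp\nlisten = *\n' > "$f"
    check_dovecot_conf "$f" || echo "(expected failure before the fix)"
    set_conf_key "$f" protocols "imap imaps"
    set_conf_key "$f" mail_location "mbox:~/mail:INBOX=/var/mail/%u"
    set_conf_key "$f" mail_location "mbox:~/mail:INBOX=/var/mail/%u"  # no-op
    check_dovecot_conf "$f"
    rm -f "$f"
}
```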