[Freeipa-users] Postfix and FreeIPA in a secure setup
Loris Santamaria
loris at lgs.com.ve
Fri Mar 8 12:39:20 UTC 2013
I can help you with items #1 and #2:
On Fri, 08-03-2013 at 08:56 +0000, Dale Macartney wrote:
> Hi all
>
> I've been reading through threads and threads of mailing lists and
> google search results on this but most of the documentation isn't very
> specific and is just vague enough for me not to make any progress.
>
> Would anyone be able to assist with the following setup of Postfix?
>
> Criteria is as follows
>
> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
> (specific attribute or group membership might be required here as all
> ipa users now have an email address value.)
There are many ways to solve this; this one uses the virtual transport.
In /etc/postfix/main.cf:
virtual_alias_domains = mydomain.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
In /etc/postfix/ldap_aliases.cf:
server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
After editing /etc/postfix/ldap_aliases.cf you should run
"postmap /etc/postfix/ldap_aliases.cf". I'm not using LDAPS here, but you
should be able to add it by reading "man 5 ldap_table".
> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> authenticated SSO mail sending
Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
On the mail server you should obtain the keytab with ipa-getkeytab and
save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
Lastly, add to /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
Restart postfix and saslauthd and it should work.
> 3. Mail sending permission based on an LDAPS group membership, to
> prevent unauthorised sending of mail from unknown users.
Never done that but there is the definitive documentation:
http://www.postfix.org/RESTRICTION_CLASS_README.html
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
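As an added illustration (not part of the original post or of Postfix itself) of what the ldap_aliases.cf table above does: the script parses the table file, then expands query_filter for an incoming recipient the way ldap_table(5) describes, quoting the address per RFC 4515 so a crafted address cannot change the filter's structure. The .cf contents are the ones from the post, embedded here as a constructed sample; the %u/%d handling is included to show the general expansion rule, not only the (mail=%s) case.

```python
"""Simulate Postfix ldap_table(5) query_filter expansion for ldap_aliases.cf."""
import re

# ldap_aliases.cf from the post, embedded as a constructed sample.
LDAP_ALIASES_CF = """\
server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
"""

# Characters that are special inside an LDAP search filter (RFC 4515).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldap_table(text):
    """Parse 'key = value' lines of a Postfix ldap_table file ('#' starts a comment)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def ldap_filter_escape(value):
    """Quote filter metacharacters so the value is matched literally, never as syntax."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_query_filter(conf, address):
    """Expand %s (whole key), %u (local part), %d (domain) and %% as ldap_table does.

    Each substitution is escaped first. As in ldap_table(5), a key without a
    domain part suppresses a query whose filter uses %d (returns None).
    """
    local, at, domain = address.partition("@")
    if not at:
        local = address          # no '@': %u is the entire key
    template = conf["query_filter"]
    if "%d" in template and not at:
        return None
    subst = {"%s": ldap_filter_escape(address), "%u": ldap_filter_escape(local),
             "%d": ldap_filter_escape(domain), "%%": "%"}
    return re.sub(r"%[sud%]", lambda m: subst[m.group(0)], template)
```

Running the expansion on an address such as `x)(uid=*` shows why the quoting matters: the result is `(mail=x\29\28uid=\2a)`, a literal match, rather than a second filter clause.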