[Freeipa-users] Postfix and FreeIPA in a secure setup

Dale Macartney dale at themacartneyclan.com
Fri Mar 8 14:18:54 UTC 2013




On 03/08/2013 12:39 PM, Loris Santamaria wrote:
> I can help you with items #1 and #2:
>
> El vie, 08-03-2013 a las 08:56 +0000, Dale Macartney escribió:
>> Hi all
>>
>> I've been reading through threads and threads of mailing lists and
>> google search results on this but most of the documentation isn't very
>> specific and is just vague enough for me not to make any progress.
>>
>> Would anyone be able to assist with the following setup of Postfix?
>>
>> Criteria is as follows
>>
>> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
>> (specific attribute or group membership might be required here as all
>> ipa users now have an email address value.)
>
> There are many ways to solve this, this is using the virtual transport.
> In /etc/postfix/main.cf:
>
> virtual_alias_domains = mydomain.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>
> In /etc/postfix/ldap_aliases.cf:
>
> server_host = myipa1, myipa2
> search_base = cn=accounts,dc=mydomain,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
>
> After editing /etc/postfix/ldap_aliases.cf you should run
> "postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
> should be able to by reading "man 5 ldap_table".
Now that worked like a charm, thanks very much. Will work on LDAPS
support and see if it's possible.
>
>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>> authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.
Getting the output below in the logs when attempting to auth via GSSAPI on
port 25 (is GSSAPI supported on port 25? Could this be the cause?). Is
there any way to verify SASL auth remotely from a client other than in
Postfix?

I am using an ipa workstation and SSO with dovecot works fine so I know
the users tickets are valid.

==> /var/log/maillog <==
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: connect from unknown[10.0.1.101]
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar  8 14:15:02 mail03 postfix/smtpd[6226]: disconnect from unknown[10.0.1.101]

>
>
>> 3. Mail sending permission based on an LDAPS group membership, to
>> prevent unauthorised sending of mail from unknown users.
>
> Never done that but there is the definitive documentation:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
>

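For the LDAPS follow-up to item 1, the fragment below is an added ldap_table(5) example for this thread, not from the message above or from the Postfix or FreeIPA projects. It moves the same lookup to ldaps:// with certificate verification against the IPA CA and limits matches to members of one IPA group. The host names, the group name "mailusers" and the CA path are assumptions; every parameter name is from ldap_table(5).

```ini
# /etc/postfix/ldap_aliases.cf -- LDAPS variant of the table in the thread.
# Added example; hosts, group name and CA path are assumptions.
server_host = ldaps://ipa1.mydomain.com ldaps://ipa2.mydomain.com
version = 3

# Verify the server certificate against the FreeIPA CA. Without
# tls_require_cert = yes the certificate is not checked at all.
tls_ca_cert_file = /etc/ipa/ca.crt
tls_require_cert = yes

# FreeIPA allows anonymous reads of cn=accounts by default; if that is
# turned off, set bind = yes and add bind_dn / bind_pw for a system account.
bind = no

# Search only user entries, and only those in the IPA group "mailusers".
# Postfix escapes the %s (the recipient address) before it is inserted.
search_base = cn=users,cn=accounts,dc=mydomain,dc=com
scope = sub
query_filter = (&(mail=%s)(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=mydomain,dc=com))
result_attribute = uid
```

Test the table from the shell with `postmap -q alice@mydomain.com ldap:/etc/postfix/ldap_aliases.cf`: a group member prints their uid, a non-member prints nothing, and a TLS problem shows up as an error instead of a silent miss. /etc/ipa/ca.crt is present on every IPA-enrolled host, so no extra CA distribution is needed for the mail server.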

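To answer the remote-verification question without needing a Kerberos ticket, here is an added Python example for this thread (not from the message above, nor from Postfix). It EHLOs the server and reports which SASL mechanisms smtpd advertises before and after STARTTLS, and it includes a parser that can be exercised on constructed EHLO output so the logic runs offline. The host name mail03.mydomain.com and the CA path are assumptions.

```python
"""Probe which SASL mechanisms a Postfix smtpd advertises on a given port.

Added example, not from the thread or from Postfix. The EHLO keyword lines
below are constructed to look like Postfix output with
broken_sasl_auth_clients = yes, which adds the old "AUTH=..." form.
"""
import smtplib
import ssl
import sys

# Constructed sample: EHLO keyword lines after the "250-mail03..." banner.
SAMPLE_EHLO = [
    "PIPELINING",
    "SIZE 10240000",
    "STARTTLS",
    "AUTH GSSAPI PLAIN LOGIN",
    "AUTH=GSSAPI PLAIN LOGIN",
    "ENHANCEDSTATUSCODES",
    "8BITMIME",
]

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechanisms(ehlo_lines):
    """Return the set of SASL mechanisms named in EHLO keyword lines.

    Handles both "AUTH GSSAPI PLAIN" (RFC 4954) and the pre-standard
    "AUTH=GSSAPI PLAIN" form, where the first mechanism is glued to AUTH=.
    """
    mechs = set()
    for line in ehlo_lines:
        keyword, _, rest = line.strip().partition(" ")
        upper = keyword.upper()
        if upper == "AUTH":
            mechs.update(m.upper() for m in rest.split())
        elif upper.startswith("AUTH="):
            first = upper[len("AUTH="):]
            if first:
                mechs.add(first)
            mechs.update(m.upper() for m in rest.split())
    return mechs


def plaintext_exposure(mechs, tls_active):
    """Mechanisms that would send the password in the clear on this channel."""
    return set() if tls_active else mechs & CLEARTEXT_MECHS


def findings(report):
    """Turn a probe report into review notes about the SASL offering."""
    before, after = report["before_tls"], report["after_tls"]
    notes = []
    if "GSSAPI" not in before | after:
        notes.append("GSSAPI not advertised: check mech_list in /etc/sasl2/smtpd.conf")
    if not report["starttls"]:
        notes.append("no STARTTLS: every mechanism is exposed to the network")
    exposed = plaintext_exposure(before, tls_active=False)
    if exposed:
        notes.append("cleartext mechanisms offered before STARTTLS: "
                     + ", ".join(sorted(exposed))
                     + " (consider smtpd_tls_auth_only = yes)")
    return notes


def probe(host, port=25, cafile=None, timeout=10):
    """Connect, then record advertised AUTH mechanisms before and after STARTTLS.

    cafile lets the IPA CA (/etc/ipa/ca.crt on enrolled hosts) verify the
    mail server certificate; smtplib merges the AUTH and AUTH= lines itself.
    """
    report = {"before_tls": set(), "after_tls": set(), "starttls": False}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        report["before_tls"] = set(smtp.esmtp_features.get("auth", "").upper().split())
        if smtp.has_extn("starttls"):
            report["starttls"] = True
            smtp.starttls(context=ssl.create_default_context(cafile=cafile))
            smtp.ehlo()  # the feature list is reset and re-read after TLS
            report["after_tls"] = set(smtp.esmtp_features.get("auth", "").upper().split())
    return report


if __name__ == "__main__":
    # Assumed host name for illustration; pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "mail03.mydomain.com"
    result = probe(target, cafile="/etc/ipa/ca.crt")
    print("before STARTTLS:", sorted(result["before_tls"]))
    print("after STARTTLS: ", sorted(result["after_tls"]))
    for note in findings(result):
        print("-", note)
```

Postfix offers AUTH on port 25 whenever smtpd_sasl_auth_enable = yes applies to that listener, so GSSAPI on 25 is expected; if the probe shows it missing from both lists, the Cyrus side (mech_list, the GSSAPI plugin package) is the first thing to check. If it is advertised but the server still logs "Unspecified GSS failure" as above, rule out the keytab: smtpd runs as the unprivileged postfix user and cannot read a root-only /etc/krb5.keytab, and the Postfix SASL_README covers giving smtpd its own keytab through KRB5_KTNAME in import_environment.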