[Freeipa-users] Postfix and FreeIPA in a secure setup
Anthony Messina
amessina at messinet.com
Fri Mar 8 14:34:18 UTC 2013
On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
> > 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> > authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.

You *may* also need to update Postfix's environment:

# Import environment for Kerberos v5 GSSAPI
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/etc/postfix/smtp.keytab

-A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
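
A small check for the configuration discussed in this thread, added here as an example and not part of either message: it joins main.cf continuation lines the way Postfix does, reports which keytab smtpd will read, and flags PLAIN/LOGIN being offered outside TLS. smtpd_tls_auth_only and noplaintext are standard Postfix settings that the thread does not mention; the function names and sample text are constructed for illustration.

```python
import re
# Constructed sample: the settings quoted in this thread (not a real server's files).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
# Import environment for Kerberos v5 GSSAPI
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/etc/postfix/smtp.keytab
"""
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n"

def parse_main_cf(text):
    """main.cf logical lines: a line starting with whitespace continues the previous one."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if raw[0] in " \t":
            params[key] = (params.get(key, "") + " " + raw.strip()).strip()
        else:
            key = raw.partition("=")[0].strip()
            params[key] = raw.partition("=")[2].strip()
    return params

def keytab_path(params):
    """Keytab smtpd will read: KRB5_KTNAME if imported, else the quoted message's path."""
    for item in params.get("import_environment", "").split():
        if item.startswith("KRB5_KTNAME="):
            return item.split("=", 1)[1]
    return "/etc/krb5.keytab"

def audit(main_cf, smtpd_conf):
    p, findings = parse_main_cf(main_cf), []
    m = re.search(r"^mech_list:\s*(.*)$", smtpd_conf, re.M)
    mechs = {x.upper() for x in (m.group(1).split() if m else [])}
    opts = re.split(r"[,\s]+", p.get("smtpd_sasl_security_options", "noanonymous"))
    # PLAIN/LOGIN send the password itself, so they should only be offered inside TLS.
    if mechs & {"PLAIN", "LOGIN"} and "noplaintext" not in opts \
            and p.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("PLAIN/LOGIN offered without TLS")
    if "reject_unauth_destination" not in p.get("smtpd_recipient_restrictions", ""):
        findings.append("reject_unauth_destination missing")
    return findings
```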