[Freeipa-users] Postfix and FreeIPA in a secure setup

Dale Macartney dale at themacartneyclan.com
Fri Mar 8 14:58:24 UTC 2013


On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated,
>>     permit_mynetworks,
>>     reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> -A
Thanks Anthony, that was actually going to be my next question as I
prefer to keep service specific keytabs.

Dale
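
An added example, not written by anyone in this thread: a small offline lint for the setup discussed above (service-specific keytab passed via KRB5_KTNAME, GSSAPI offered next to PLAIN and LOGIN). The function names and the scratch files are assumptions for illustration; smtpd_tls_auth_only and noplaintext are standard Postfix settings that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Prints one finding per line; no output = clean.

# Value of a main.cf parameter: indented lines continue the previous logical
# line, comment and blank lines are skipped, the last assignment wins.
maincf_get() {  # $1=main.cf path  $2=parameter name
    awk -v p="$2" '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]/ { if (hit) { sub(/^[ \t]+/, ""); v = v " " $0 }; next }
        { hit = 0; i = index($0, "="); if (!i) next
          n = substr($0, 1, i - 1); gsub(/[ \t]/, "", n)
          if (n == p) { hit = 1; v = substr($0, i + 1) } }
        END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

lint_gssapi() {  # $1=main.cf  $2=sasl2 smtpd.conf  $3=expected keytab path
    # smtpd only sees KRB5_KTNAME if import_environment passes it through.
    case " $(maincf_get "$1" import_environment) " in
        *" KRB5_KTNAME=$3 "*) ;;
        *) echo "import_environment does not pass KRB5_KTNAME=$3" ;;
    esac
    # The keytab holds the smtp/ service key and must not be world-readable.
    if [ ! -f "$3" ]; then
        echo "keytab not found: $3"
    elif [ -n "$(find "$3" -perm -004 -print)" ]; then
        echo "keytab readable by others: $3"
    fi
    # PLAIN/LOGIN send the password itself, so they should require TLS.
    mechs=$(awk -F': *' '$1 == "mech_list" { print $2 }' "$2")
    case " $mechs " in *" PLAIN "*|*" LOGIN "*)
        [ "$(maincf_get "$1" smtpd_tls_auth_only)" = yes ] && return 0
        case "$(maincf_get "$1" smtpd_sasl_security_options)" in
            *noplaintext*) ;;
            *) echo "PLAIN/LOGIN offered without smtpd_tls_auth_only=yes or noplaintext" ;;
        esac ;;
    esac
}

# Constructed demo input: the thread's settings written to a scratch directory.
d=$(mktemp -d)
printf '%s\n' 'smtpd_sasl_auth_enable = yes' \
    'smtpd_sasl_security_options = noanonymous' \
    'import_environment =' \
    '    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C' \
    "    KRB5_KTNAME=$d/smtp.keytab" > "$d/main.cf"
printf '%s\n' 'pwcheck_method: saslauthd' 'mech_list: GSSAPI PLAIN LOGIN' > "$d/smtpd.conf"
: > "$d/smtp.keytab"; chmod 644 "$d/smtp.keytab"   # empty stand-in, deliberately too open
lint_gssapi "$d/main.cf" "$d/smtpd.conf" "$d/smtp.keytab"
```

On a real host, point the three arguments at /etc/postfix/main.cf, /etc/sasl2/smtpd.conf and the keytab named in KRB5_KTNAME.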

