[Freeipa-users] Postfix and FreeIPA in a secure setup

Dale Macartney dale at themacartneyclan.com
Wed Mar 13 10:47:44 UTC 2013


On 03/12/2013 02:05 PM, Anthony Messina wrote:
> On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
>> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>> > # Import environment for Kerberos v5 GSSAPI
>>> > import_environment =
>>> >     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>> >     KRB5_KTNAME=/etc/postfix/smtp.keytab
>>>
>>> Anthony, where were you declaring the above? In Squid, I've added the
>>> keytab to the service startup script. Presumably it would be somewhere
>>> similar?
>>>
>>>
>>> Dale
>>
>> In /etc/postfix/main.cf
>
> Sorry, I sent too fast. From postconf(5):
>
> import_environment (default: see postconf -d output)
> The list of environment parameters that a Postfix process will import
> from a non-Postfix parent process. Examples of relevant parameters:
>
> TZ Needed for sane time keeping on most System-V-ish systems.
>
> DISPLAY
> Needed for debugging Postfix daemons with an X-windows debugger.
>
> XAUTHORITY
> Needed for debugging Postfix daemons with an X-windows debugger.
>
> MAIL_CONFIG
> Needed to make "postfix -c" work.
>
> Specify a list of names and/or name=value pairs, separated by
> whitespace or comma. The name=value form is supported with Postfix
> version 2.1 and later.

Things aren't really playing ball here...

I've configured Postfix from the default install with the changes below.

Am I missing something?

# Fetch the smtp/<host> service keytab from the IPA server
ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab

postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
# Hand the keytab location to the Postfix daemons through the environment
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'

# Resolve recipient addresses to IPA accounts over LDAP (anonymous bind, STARTTLS)
cat >> /etc/postfix/main.cf << EOF
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
EOF

cat > /etc/postfix/ldap_aliases.cf << EOF
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF

# postmap is not needed to build an ldap: table; a lookup can be tested with
#   postmap -q user@example.com ldap:/etc/postfix/ldap_aliases.cf
postmap /etc/postfix/ldap_aliases.cf
restorecon -R /etc/postfix/

# Cyrus SASL configuration read by smtpd
cat > /etc/sasl2/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
EOF

LDAP lookups work perfectly; however, Kerberos authentication doesn't
seem to want to work. I should mention I am not using SSL (yet). Does
SASL/GSSAPI have some form of prerequisite on SSL by any chance?

Logs from maillog are as follows:

Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]

Thanks all
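For anyone working through the same setup, the points worth checking after the steps above are whether import_environment really carries a KRB5_KTNAME entry, whether the keytab it names is owned by the user smtpd runs as and is not readable by anyone else, whether the smtp/<host> principal is actually in that keytab, and how many GSSAPI failures the log shows. The POSIX sh script below is an added example and is not code from Dale's post or from the FreeIPA or Postfix projects; the owner name "postfix", the log path /var/log/maillog and the principal smtp/$(hostname) are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the keytab and
# import_environment pieces of the smtpd GSSAPI setup. The owner "postfix",
# the log path and the smtp/<host> principal are assumptions.

# Pull the KRB5_KTNAME value out of an import_environment setting, as
# returned by: postconf -h import_environment
# Prints the keytab path and returns 0, or returns 1 if it is absent.
keytab_from_import_env() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            KRB5_KTNAME=*) printf '%s\n' "${tok#KRB5_KTNAME=}"; return 0 ;;
        esac
    done
    return 1
}

# smtpd drops privileges to the Postfix user, so it can only read the keytab
# if that user owns it; the keytab is a credential, so group/others should
# not be able to read it either.
# Returns 0 ok, 2 missing, 3 readable by group/others, 4 wrong owner.
keytab_perms() {
    kt=$1
    want_owner=$2
    [ -f "$kt" ] || return 2
    set -- $(ls -ld "$kt")          # $1 = mode string, $3 = owner
    case "$1" in
        ????r*|???????r*) return 3 ;;
    esac
    [ "$3" = "$want_owner" ] || return 4
    return 0
}

# Confirm the service principal is actually in the keytab. Needs klist from
# the Kerberos client tools; returns 5 when it is unavailable.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || return 5
    klist -kt "$1" 2>/dev/null | grep -F -q -- "$2"
}

# Count smtpd warnings for failed GSSAPI SASL authentication in a log file;
# the pattern is the "SASL GSSAPI authentication failed" line from maillog.
gssapi_failures() {
    grep -c 'SASL GSSAPI authentication failed' "$1" || :
}

# Constructed maillog lines modelled on the ones quoted in the thread.
sample_maillog() {
    cat <<'EOF'
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]
EOF
}

# Run the checks against the live host; only attempted when postconf is
# present, so the file can also be sourced just for its functions.
run_checks() {
    env_value=$(postconf -h import_environment)
    kt=$(keytab_from_import_env "$env_value") || {
        echo "import_environment carries no KRB5_KTNAME entry"; return 1; }
    rc=0; keytab_perms "$kt" postfix || rc=$?
    case $rc in
        0) echo "keytab $kt: owner and mode look right" ;;
        2) echo "keytab $kt: missing" ;;
        3) echo "keytab $kt: readable by group/others, tighten to 0600" ;;
        4) echo "keytab $kt: not owned by postfix" ;;
    esac
    keytab_has_principal "$kt" "smtp/$(hostname)" \
        && echo "principal smtp/$(hostname) present in $kt"
    [ -r /var/log/maillog ] \
        && echo "GSSAPI failures logged: $(gssapi_failures /var/log/maillog)"
}

if command -v postconf >/dev/null 2>&1; then
    run_checks
fi
```

Run it as root on the mail host (sh ./check_smtpd_gssapi.sh); a return code of 3 or 4 from keytab_perms is the first thing to fix, since a keytab the smtpd process cannot open produces exactly the "Unspecified GSS failure" with an empty minor-code message shown in the log above.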


