[Freeipa-users] Postfix and FreeIPA in a secure setup

Dale Macartney dale at themacartneyclan.com
Wed Mar 13 12:41:05 UTC 2013



On 03/13/2013 10:47 AM, Dale Macartney wrote:
>
>
> On 03/12/2013 02:05 PM, Anthony Messina wrote:
> > On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
> >> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
> >>> > # Import environment for Kerberos v5 GSSAPI
> >>> >
> >>> > import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab
> >>>
> >>>
> >>> Anthony, where were you declaring the above? In Squid, I've added the
> >>> keytab to the service startup script. Presumably it would be somewhere
> >>> similar?
> >>>
> >>>
> >>> Dale
> >>
> >> In /etc/postfix/main.cf
>
> > Sorry, I sent too fast. from man (5) postconf:
>
> > import_environment (default: see postconf -d output)
> > The list of environment parameters that a Postfix process will import
> > from a non-Postfix parent process. Examples of relevant parameters:
>
> > TZ Needed for sane time keeping on most System-V-ish systems.
>
> > DISPLAY
> > Needed for debugging Postfix daemons with an X-windows debugger.
>
> > XAUTHORITY
> > Needed for debugging Postfix daemons with an X-windows debugger.
>
> > MAIL_CONFIG
> > Needed to make "postfix -c" work.
>
> > Specify a list of names and/or name=value pairs, separated by whitespace or comma. The name=value form is supported with Postfix version 2.1 and later.
> Things aren't really playing ball here...
>
> I've configured postfix from default install with the below changes..
>
> Am I missing something?
>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
> postconf -e 'inet_interfaces = all'
> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
> postconf -e 'myorigin = $mydomain'
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>
> cat >> /etc/postfix/main.cf << EOF
> virtual_alias_domains = example.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> EOF
>
> cat > /etc/postfix/ldap_aliases.cf << EOF
> server_host = ds01.example.com
> search_base = cn=accounts,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
> start_tls = yes
> version = 3
> EOF
>
> postmap /etc/postfix/ldap_aliases.cf
> restorecon -R /etc/postfix/
>
> cat > /etc/sasl2/smtpd.conf << EOF
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> EOF
>
>
>
> LDAP lookups work perfectly; however, Kerberos authentication doesn't seem to want to work. I should mention, I am not using SSL (yet). Does sasl/gssapi have some form of prereq of SSL by any chance?
>
> Logs from maillog are as follows
>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]
>
> Thanks all
>

Silly mistake on my part. Simple perms issue with keytab file.

Below is a working config of Postfix with IPA user lookups and Kerberos-authenticated sending.

ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
chown root:mail /etc/postfix/smtp.keytab
chmod 644 /etc/postfix/smtp.keytab

postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_sasl_local_domain = $mydomain'


cat >> /etc/postfix/main.cf << EOF
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
EOF

cat > /etc/postfix/ldap_aliases.cf << EOF
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF

postmap /etc/postfix/ldap_aliases.cf
restorecon -R /etc/postfix/

cat > /etc/sasl2/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
EOF

sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd
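As an added check (example code, not part of the original post), the function below validates the keytab the way the fix in this thread requires: a non-empty file with the expected owner and group, readable by the group the unprivileged smtpd runs under, and, tighter than the 644 used above, not readable by other users. It assumes stat(1) with -c (GNU coreutils or busybox); the default path and root:mail ownership are taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a Postfix
# SASL/GSSAPI keytab is actually readable by the smtpd process before
# blaming Kerberos for "GSSAPI Error: Unspecified GSS failure".
# Assumes GNU/busybox stat(1) with -c; path, owner and group are parameters.

# check_keytab PATH OWNER GROUP
# Returns 0 when PATH is a non-empty regular file owned by OWNER:GROUP,
# readable by that group (so the unprivileged smtpd can open it) and not
# accessible by "other" (so non-mail users cannot copy the service key).
check_keytab() {
    kt=$1 want_owner=$2 want_group=$3
    [ -f "$kt" ] || { echo "FAIL $kt: not a regular file"; return 1; }
    [ -s "$kt" ] || { echo "FAIL $kt: empty (did ipa-getkeytab succeed?)"; return 1; }
    set -- $(stat -c '%a %U %G' "$kt")      # octal mode, owner name, group name
    mode=$1 owner=$2 group=$3
    [ "$owner" = "$want_owner" ] || { echo "FAIL $kt: owner $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "FAIL $kt: group $group, want $want_group"; return 1; }
    other=${mode#"${mode%?}"}               # last octal digit: "other" bits
    rest=${mode%?}
    grp=${rest#"${rest%?}"}                 # second-to-last digit: group bits
    case $grp in
        4|5|6|7) ;;                         # group has the read bit
        *) echo "FAIL $kt: mode $mode, group $group cannot read the keytab"; return 1 ;;
    esac
    [ "$other" = "0" ] || { echo "FAIL $kt: mode $mode is world-accessible"; return 1; }
    echo "OK   $kt: $owner:$group mode $mode"
    return 0
}

# With arguments, check the given keytab; defaults follow the thread
# (/etc/postfix/smtp.keytab owned by root:mail).
if [ $# -ge 1 ]; then
    check_keytab "$1" "${2:-root}" "${3:-mail}"
fi
```

Run it as `sh check_keytab.sh /etc/postfix/smtp.keytab root mail` after `ipa-getkeytab`; a non-zero exit names the first property that is wrong.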
