[Freeipa-users] Postfix and FreeIPA in a secure setup
Anthony Messina
amessina at messinet.com
Wed Mar 13 12:48:38 UTC 2013
On Wednesday, March 13, 2013 12:41:05 PM Dale Macartney wrote:
> Silly mistake on my part. Simple perms issue with keytab file.
>
> Below is a working config of postfix with IPA user lookups and kerberos
> authenticated sending.
>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
> chown root:mail /etc/postfix/smtp.keytab
> chmod 644 /etc/postfix/smtp.keytab
>
> postconf -e 'inet_interfaces = all'
> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
> postconf -e 'myorigin = $mydomain'
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
> postconf -e 'broken_sasl_auth_clients = yes'
> postconf -e 'smtpd_sasl_authenticated_header = yes'
> postconf -e 'smtpd_sasl_local_domain = $mydomain'
>
>
> cat >> /etc/postfix/main.cf << EOF
> virtual_alias_domains = example.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> EOF
>
> cat > /etc/postfix/ldap_aliases.cf << EOF
> server_host = ds01.example.com
> search_base = cn=accounts,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
> start_tls = yes
> version = 3
> EOF
>
> postmap /etc/postfix/ldap_aliases.cf
> restorecon -R /etc/postfix/
>
> cat > /etc/sasl2/smtpd.conf << EOF
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> EOF
>
> sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd
Glad you got it working. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
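As an added example for the quoted procedure (not part of either poster's message), here are two POSIX shell checks to run after applying it. The function names keytab_mode_ok and ldap_map_ok and the temporary sample files are constructed for this example; the paths under /etc/postfix are the ones from the post. The keytab check requires that the keytab not be readable by "other": a keytab is a long-lived credential, the root:mail ownership the post sets already lets Postfix read it, so the chmod 644 in the quoted steps fails this check and chmod 640 passes it. The map check confirms the LDAP table still asks for STARTTLS and LDAPv3 as in the quoted ldap_aliases.cf, so anonymous lookups against the IPA directory are not sent in the clear.

```shell
#!/bin/sh
# Added example, not from the original thread. Post-install checks for the
# two sensitive files the quoted Postfix/FreeIPA procedure creates.

# keytab_mode_ok FILE
# Returns 0 when FILE exists and the "other read" bit is clear
# (mode 640 or tighter). The chmod 644 from the quoted steps fails here.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    # Character 8 of the ls -l mode string (e.g. -rw-r-----) is other-read.
    other_read=$(ls -ld "$1" | cut -c8)
    [ "$other_read" = "-" ]
}

# ldap_map_ok FILE
# Returns 0 when a Postfix LDAP table file requests STARTTLS and LDAPv3,
# matching the quoted /etc/postfix/ldap_aliases.cf.
ldap_map_ok() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*start_tls[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*version[[:space:]]*=[[:space:]]*3[[:space:]]*$' "$1" || return 1
    return 0
}

# Stand-alone demonstration on constructed sample files (assumed paths when
# run on a real host would be /etc/postfix/smtp.keytab and
# /etc/postfix/ldap_aliases.cf).
demo_dir=$(mktemp -d)
printf 'constructed keytab placeholder\n' > "$demo_dir/smtp.keytab"
chmod 644 "$demo_dir/smtp.keytab"
if keytab_mode_ok "$demo_dir/smtp.keytab"; then
    echo "keytab: ok"
else
    echo "keytab: world-readable, tighten to 640"
fi
printf 'server_host = ds01.example.com\nbind = no\nstart_tls = yes\nversion = 3\n' \
    > "$demo_dir/ldap_aliases.cf"
if ldap_map_ok "$demo_dir/ldap_aliases.cf"; then
    echo "ldap map: ok"
else
    echo "ldap map: missing start_tls = yes or version = 3"
fi
rm -rf "$demo_dir"
```

Both functions only read the files, so they are safe to run on a live mail host; the demonstration at the bottom works entirely on throwaway files under mktemp so the script also runs offline.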