[Freeipa-users] Postfix and FreeIPA in a secure setup

Dale Macartney dale at themacartneyclan.com
Thu Mar 14 11:19:39 UTC 2013



On 03/13/2013 12:48 PM, Anthony Messina wrote:
> On Wednesday, March 13, 2013 12:41:05 PM Dale Macartney wrote:
>> Silly mistake on my part. Simple perms issue with keytab file.
>>
>> Below is a working config of postfix with IPA user lookups and kerberos
>> authenticated sending.
>>
>> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
>> chown root:mail /etc/postfix/smtp.keytab
>> chmod 644 /etc/postfix/smtp.keytab
>>
>> postconf -e 'inet_interfaces = all'
>> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
>> postconf -e 'myorigin = $mydomain'
>> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
>> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
>> postconf -e 'smtpd_sasl_auth_enable = yes'
>> postconf -e 'smtpd_sasl_security_options = noanonymous'
>> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>> postconf -e 'broken_sasl_auth_clients = yes'
>> postconf -e 'smtpd_sasl_authenticated_header = yes'
>> postconf -e 'smtpd_sasl_local_domain = $mydomain'
>>
>>
>> cat >> /etc/postfix/main.cf << EOF
>> virtual_alias_domains = example.com
>> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>> EOF
>>
>> cat > /etc/postfix/ldap_aliases.cf << EOF
>> server_host = ds01.example.com
>> search_base = cn=accounts,dc=example,dc=com
>> query_filter = (mail=%s)
>> result_attribute = uid
>> bind = no
>> start_tls = yes
>> version = 3
>> EOF
>>
>> postmap /etc/postfix/ldap_aliases.cf
>> restorecon -R /etc/postfix/
>>
>> cat > /etc/sasl2/smtpd.conf << EOF
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>> EOF
>>
>> sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd
>
> Glad you got it working. -A

New article published for those interested. Will copy across to wiki also.

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

Dale
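
An audit sketch for the configuration quoted above, added here as an example and not part of the original post or of the FreeIPA or Postfix projects: it flags a keytab that users outside its owner and group can access, and PLAIN/LOGIN being offered while `smtpd_tls_auth_only = yes` is absent from main.cf. The function names and the temporary sample files are assumptions constructed for illustration; `smtpd_tls_auth_only` is a Postfix parameter that the post does not set.

```shell
#!/bin/sh
# Added audit sketch (not from the original post). It only reads the files
# passed as arguments; the demo builds constructed copies of the post's settings.

# True (exit 0) if users outside owner and group have any access to the keytab.
keytab_exposed() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, octal mode such as 644
    [ $((mode % 10)) -ne 0 ]                # last octal digit = "other" bits
}

# True if the SASL config offers PLAIN or LOGIN while main.cf lacks
# smtpd_tls_auth_only = yes, so passwords may be accepted without TLS.
# Simplification: master.cf overrides and noplaintext are not considered.
plaintext_without_tls() {
    grep -Eq '^mech_list:.*[[:space:]](PLAIN|LOGIN)([[:space:]]|$)' "$1" || return 1
    ! grep -Eq '^smtpd_tls_auth_only[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$2"
}

# audit KEYTAB SASL_CONF MAIN_CF
# Prints one line per finding; the exit status is the number of findings.
audit() {
    findings=0
    if keytab_exposed "$1"; then
        echo "FINDING: $1 is accessible to all local users"
        findings=$((findings + 1))
    fi
    if plaintext_without_tls "$2" "$3"; then
        echo "FINDING: PLAIN/LOGIN offered without smtpd_tls_auth_only = yes"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input mirroring the settings quoted in the post.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/smtp.keytab"; chmod 644 "$d/smtp.keytab"
    printf 'pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n' > "$d/smtpd.conf"
    printf 'smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous\n' > "$d/main.cf"
    n=0
    audit "$d/smtp.keytab" "$d/smtpd.conf" "$d/main.cf" || n=$?
    rm -rf "$d"
    echo "$n finding(s)"
}
demo
```

On a real host the three arguments to `audit` would be `/etc/postfix/smtp.keytab`, `/etc/sasl2/smtpd.conf` and `/etc/postfix/main.cf`, the paths used in the post.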