[Freeipa-users] Introduction and question regarding SMTP/IMAP

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 25 15:54:48 UTC 2014


On Sun, 22 Jun 2014, Dave Gonzalez wrote:
>Hello there everyone David here,
>
>I'm a big-time Red Hat fan. I work for a company where we have a small 
>20+ people directory. I'm currently using Samba4 to offer 
>authentication to Openfire, Postfix, Dovecot (using GroupOffice); but 
>I want to switch because Samba is a hassle to set up and whenever 
>replication breaks it's nearly impossible to rebuild. Anyway, my 
>current environment is Proxmox VE 3 as virtualization platform and 
>many CentOS/RedHat servers holding my services.
>
>Please excuse me if this was already answered, but after I went through 
>the archives I couldn't find anyone facing the same issue. Please bear 
>with me as I'm a newbie to FreeIPA and LDAP. I know I'm missing 
>something or doing it wrong, but after a week struggling with this 
>setup I decided to call for the help of the experts.
>
>My environment:
>FreeIPA Server
>CentOS 6.5 x86_64
>
>Mail Server
>CentOS 6.5
>postfix-2.6.6-6.el6_5.x86_64
>dovecot-2.0.9-7.el6.x86_64
>ipa-python-3.0.0-37.el6.x86_64
>ipa-client-3.0.0-37.el6.x86_64
>python-iniparse-0.3.1-2.1.el6.noarch
>libipa_hbac-1.9.2-129.el6_5.4.x86_64
>libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
>
>I've followed these posts from Dale Macartney, whose posts I've also 
>read around here:
>
>https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/
>
>http://www.freeipa.org/page/Dovecot_Integration
>
>None of them seem to work at the moment when using Thunderbird with 
>the server set up as STARTTLS Kerberos/GSSAPI -- Thunderbird also 
>reports that
>
><quote>
>"The Kerberos/GSSAPI ticket was not accepted by the IMAP server 
>david at domain.com. Please check that you're logged in to the 
>Kerberos/GSSAPI realm"
></quote>
>
>With Dovecot I'm getting this:
>
><code>
>Jun 22 11:01:25 imap-login: Info: Disconnected: Inactivity (no auth 
>attempts): rip=1.1.1.1, lip=217.1.2.3
></code>
>
>I tried a manual telnet session and used "authenticate gssapi", which returns "+", 
>which means the module is indeed loading and the server is GSSAPI-ready 
>for the challenge.
>
>If any of you could point me in the right direction I'd really 
>appreciate it.
The following configuration works for me (generated with 'dovecot -n' from
my actual config files):

# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.14.4-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug) 
auth_default_realm = VDA.LI
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
auth_mechanisms = gssapi
auth_realms = VDA.LI
base_dir = /var/run/dovecot/
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem


The /etc/dovecot/dovecot.keytab contains the keytab, obtained with:
# kinit  admin
# ipa-getkeytab -s `hostname` -p imap/`hostname` -k /etc/dovecot/dovecot.keytab
# chown dovecot /etc/dovecot/dovecot.keytab


-- 
/ Alexander Bokovoy
