[Freeipa-users] Introduction and question regarding SMTP/IMAP

Dave Gonzalez dgonzalezh at gmail.com
Thu Jun 26 15:41:36 UTC 2014


Hi Simo,

On 6/26/2014 8:54 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 19:00 -0500, David Gonzalez Herrera - [DGHVoIP]
> wrote:
>> Thanks Simo, I'm testing that but I have no relay host, do I need one?.
> A relay host is the mail server your MUA contacts to send email.
> So instructions should apply just as well for your mail server, from the
> GSSAPI PoV at least.
Great, but before I try it and see if it does the trick, should I remove 
the section from the Postfix+Dovecot Integration from Dale MaCarney's 
howto?

My current main.cf conf looks like this:

[root@mail ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C    KRB5_KTNAME=/etc/postfix/smtp.keytab KRB5CCNAME=FILE:${queue_directory}/kerberos/krb5_ccache
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
myhostname = mail.domain.net
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/smtp.crt
smtp_tls_key_file = /etc/postfix/smtp.key
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = secure
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_client_restrictions = permit_sasl_authenticated,  permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_sasl_authenticated,  permit
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/smtp.crt
smtpd_tls_key_file = /etc/postfix/certs/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain.net
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

The other very serious issue is that I keep getting Access Denied when 
external servers try to send mail to my "domain.net" address.

Like this:

Jun 26 10:35:51 mail postfix/smtpd[20398]: warning: 255.23.15.115: hostname customer.worldstream.nl verification failed: Name or service not known
Jun 26 10:35:51 mail postfix/smtpd[20398]: connect from unknown[255.23.15.115]
Jun 26 10:35:51 mail postfix/smtpd[20398]: NOQUEUE: reject: RCPT from unknown[255.23.15.115]: 554 5.7.1 <unknown[255.23.15.115]>: Client host rejected: Access denied; from=<david@DOMAIN.com> to=<david@DOMAIN.net> proto=ESMTP helo=<extranet.DOMAIN.com>
Jun 26 10:35:51 mail postfix/smtpd[20398]: disconnect from unknown[255.23.15.115]

I see there's no reference in any howto nor any other doc, so I don't 
really know where to start debugging this, because outbound mail was 
working and now it doesn't; it's just all of it being deferred. I guess 
it's a certificate issue, but even before the TLS issues I always got the 
Host Rejected: Access Denied.

Also, though not related, there are many SSL issues, but again those are 
postfix related and I can figure out.

Jun 26 10:22:24 mail postfix/smtp[20176]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 26 10:22:24 mail postfix/smtp[20176]: 0371321045: Server certificate not trusted

If anyone can tell me where to go from here.

As I've said all along, you guys have gotten me very close with every 
answer. I was at a point where I had nothing; now all of your help has 
helped me get to a near-finished point for this project.

I'm planning a Youtube video or a blog post on my personal blog with the 
right setup.

Thank you all

--Regards DavidG
>
> Simo.
>
>> Cheers.
>>
>> --Regards DavidG
>> On 6/25/2014 1:51 PM, Simo Sorce wrote:
>>> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
>>>> [root@mail ~]# cat saslauthd.conf
>>>> ldap_servers: ldap://ipa.domain.net
>>>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
>>>> ldap_filter: (|(uid=%u)(mail=%u))
>>>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
>>>> ldap_bind_pw: pass
>>> This configuration is for password based authentication tested against
>>> an LDAP server. Has really nothing to do with GSSAPI.
>>>
>>> This guide should help you configure postfix with GSSAPI authentication:
>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>
>>> Simo.
>>>
>
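The two log excerpts in the post (the inbound `NOQUEUE: reject` line and the outbound `certificate verification failed` line) are the data a defender would want to pull out of `/var/log/maillog` systematically. The following is an added example, not code from the thread or from Postfix: it parses Postfix smtpd/smtp log lines in the format quoted above into structured records and tallies rejection reasons, client IPs and untrusted issuers, so one can see at a glance whether inbound rejects come from a policy rule and which outbound peers fail certificate verification. The sample lines are constructed to match the ones in the post; the regexes assume the standard Postfix 2.x log wording shown there.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Jun 26 10:35:51 mail postfix/smtpd[20398]: warning: 255.23.15.115: hostname customer.worldstream.nl verification failed: Name or service not known
Jun 26 10:35:51 mail postfix/smtpd[20398]: connect from unknown[255.23.15.115]
Jun 26 10:35:51 mail postfix/smtpd[20398]: NOQUEUE: reject: RCPT from unknown[255.23.15.115]: 554 5.7.1 <unknown[255.23.15.115]>: Client host rejected: Access denied; from=<david@DOMAIN.com> to=<david@DOMAIN.net> proto=ESMTP helo=<extranet.DOMAIN.com>
Jun 26 10:35:51 mail postfix/smtpd[20398]: disconnect from unknown[255.23.15.115]
Jun 26 10:22:24 mail postfix/smtp[20176]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 26 10:22:24 mail postfix/smtp[20176]: 0371321045: Server certificate not trusted
"""

# Inbound policy rejection logged by smtpd (stage is RCPT, MAIL, etc.).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<client>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) "
    r"<[^>]*>: (?P<reason>[^;]+); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
# Outbound TLS verification failure logged by the smtp client.
TLS_FAIL_RE = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: (?P<reason>.+)$"
)


def parse_postfix_log(text):
    """Return (inbound_rejects, outbound_tls_failures), each a list of dicts."""
    rejects, tls_failures = [], []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append(m.groupdict())
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            tls_failures.append(m.groupdict())
    return rejects, tls_failures


def summarize(text):
    """Tally what matters for triage: why clients were rejected, which IPs,
    and which issuer strings the smtp client refused to trust."""
    rejects, tls_failures = parse_postfix_log(text)
    return {
        "reject_reasons": Counter(r["reason"] for r in rejects),
        "rejected_clients": Counter(r["ip"] for r in rejects),
        "untrusted_issuers": Counter(t["reason"] for t in tls_failures),
    }


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LOG).items():
        print(key, dict(counts))
```

Feeding the real maillog through `summarize` separates policy rejects (which point at the `smtpd_*_restrictions` lists in `postconf -n`) from TLS trust failures (which point at the CA bundle and `smtp_tls_security_level`), the two distinct problems the post describes.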