I can help you with items #1 and #2:

On Fri, 08-03-2013 at 08:56 +0000, Dale Macartney wrote:
> Hi all
> I've been reading through threads and threads of mailing lists and
> google search results on this but most of the documentation isn't very
> specific and is just vague enough for me not to make any progress.
> Would anyone be able to assist with the following setup of Postfix?
> Criteria is as follows
> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
> (specific attribute or group membership might be required here as all
> ipa users now have an email address value.)

There are many ways to solve this; this one uses the virtual transport.
In /etc/postfix/main.cf:

virtual_alias_domains = mydomain.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

In /etc/postfix/ldap_aliases.cf:

server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no

After editing /etc/postfix/ldap_aliases.cf you should run
"postmap /etc/postfix/ldap_aliases.cf". I am not using LDAPS here, but you
should be able to by reading "man 5 ldap_table".

> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> authenticated SSO mail sending

Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
On the mail server you should obtain the keytab with ipa-getkeytab and
save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = 

Lastly, add to /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd

Restart postfix and saslauthd and it should work.

> 3. Mail sending permission based on an LDAPS group membership, to
> prevent unauthorised sending of mail from unknown users.

Never done that but there is the definitive documentation:

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
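
The following is an added example, not part of the original message: the lookup table from item 1 switched to LDAPS with certificate verification and limited to members of one group, as the question asks. The group name `mailusers`, the CA certificate path and the commented-out bind account are assumptions; hostnames and the search base are the placeholders used in the reply.

```ini
# /etc/postfix/ldap_aliases.cf (added example, not from the original message)

# ldaps:// URLs make Postfix connect over TLS on port 636 instead of
# plaintext LDAP on 389. The names used here must match the names in the
# IPA servers' certificates, otherwise verification below fails.
server_host = ldaps://myipa1:636 ldaps://myipa2:636
version = 3

# Verify the server certificate against the IPA CA. Without these two
# settings the connection is encrypted but the server is not authenticated.
# Assumption: the IPA CA certificate is stored at this path on the mail server.
tls_ca_cert_file = /etc/ipa/ca.crt
tls_require_cert = yes

search_base = cn=accounts,dc=mydomain,dc=com

# Match on the mail attribute AND on group membership, so that having a
# mail value alone does not make an IPA user a valid recipient.
# "mailusers" is a hypothetical group name.
query_filter = (&(mail=%s)(memberOf=cn=mailusers,cn=groups,cn=accounts,dc=mydomain,dc=com))
result_attribute = uid

# Anonymous bind, as in the reply. This only works if the directory lets
# anonymous clients read both mail and memberOf.
bind = no

# Alternative if anonymous reads are restricted: a dedicated read-only
# account. The DN is hypothetical and the password is a placeholder; keep
# this file readable only by root and the postfix group if you use it.
# bind = yes
# bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
# bind_pw = REPLACE_WITH_PASSWORD
```

A lookup can be checked with `postmap -q someuser@mydomain.com ldap:/etc/postfix/ldap_aliases.cf`, which prints the uid for a group member and returns nothing for any other address.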


Freeipa-users mailing list
