I can help you with items #1 and #2:

El vie, 08-03-2013 a las 08:56 +0000, Dale Macartney escribió:
> Hi all
> 
> I've been reading through threads and threads of mailing lists and
> google search results on this but most of the documentation isn't very
> specific and is just vague enough for me not to make any progress.
> 
> Would anyone be able to assist with the following setup of Postfix?
> 
> Criteria is as follows
> 
> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
> (specific attribute or group membership might be required here as all
> ipa users now have an email address value.)

There are many ways to solve this, this is using the virtual transport.
In /etc/postfix/main.cf:

virtual_alias_domains = mydomain.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

In /etc/postfix/ldap_aliases.cf:

server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no

After editing /etc/postfix/ldap_aliases.cf you should run
"postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
should be able to reading "man 5 ldap_table"

> 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> authenticated SSO mail sending

Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
On the mail server you should obtain the keytab with ipa-getkeytab and
save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = 
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination

Lastly, add to /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

Restart postfix and saslauthd and it should work.

> 3. Mail sending permission based on an LDAPS group membership, to
> prevent unauthorised sending of mail from unknown users.

Never done that but there is the definitive documentation:
http://www.postfix.org/RESTRICTION_CLASS_README.html


-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to