On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
> > 2. Kerberos / GSSAPI (I heard SASL can be used here as well ) for
> > authenticated SSO mail sending
> 
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
> 
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = 
>   permit_sasl_authenticated,
>   permit_mynetworks,
>   reject_unauth_destination
> 
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> 
> Restart postfix and saslauthd and it should work.

You *may* also need to update Postfix's environment:

# Import environment for Kerberos v5 GSSAPI
import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
        KRB5_KTNAME=/etc/postfix/smtp.keytab

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
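
Added example, not part of either poster's message: the quoted instructions save the keytab to /etc/krb5.keytab, while the import_environment override above points KRB5_KTNAME at /etc/postfix/smtp.keytab, so the two paths have to agree on the mail server. This sketch parses main.cf (continuation lines and $parameter references), checks that agreement, and checks that noanonymous is still in effect. The function names are hypothetical and the /etc/krb5.keytab fallback is an assumption about the Kerberos library default.

```python
import re

# Constructed sample: main.cf settings quoted in this thread, merged into one file.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
# Import environment for Kerberos v5 GSSAPI
import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
        KRB5_KTNAME=/etc/postfix/smtp.keytab
"""
# Postfix built-in defaults, used when main.cf does not set the parameter.
DEFAULTS = {"smtpd_sasl_security_options": "noanonymous",
            "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options"}

def parse_main_cf(text):
    """'#' lines are comments; a line starting with whitespace continues the previous one."""
    params, name = dict(DEFAULTS), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] = (params[name] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def expand(params, value, depth=0):
    """Resolve $name / ${name} references to other parameters (depth-limited)."""
    if depth > 10:
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)

def audit(text, keytab_written):
    """keytab_written: the path ipa-getkeytab saved the smtp/ keytab to."""
    p, findings = parse_main_cf(text), []
    for opt in DEFAULTS:
        if "noanonymous" not in re.split(r"[,\s]+", expand(p, p[opt])):
            findings.append(f"{opt} does not include noanonymous")
    env = dict(tok.partition("=")[::2] for tok in p.get("import_environment", "").split())
    # Assumption: with KRB5_KTNAME unset, the Kerberos library reads /etc/krb5.keytab.
    ktname = re.sub(r"^FILE:", "", env.get("KRB5_KTNAME") or "/etc/krb5.keytab")
    if ktname != keytab_written:
        findings.append(f"smtpd will read {ktname}, keytab was saved to {keytab_written}")
    return findings
```

An empty list from audit() means the keytab path Postfix's smtpd will use matches where the keytab was written and anonymous SASL mechanisms remain disabled.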
