On 07/12/2013 11:04 AM, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>> Folks,
>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>> wrote up some instructions for how to configure the Postfix mail client
>>>> to use Kerberos to relay through a Postfix gateway.
>>>>
>>>> Instructions are here for folks that are interested:
>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>>
>>>> Hopefully it is useful to some people in the future; for me it took the
>>>> help of some users on the Postfix list, as a lot of it was not clear.
> 
> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
> 
>> I think it is worth mentioning that starting with Fedora 19 the step to
>> configure cron to fetch tickets is not needed. GSS proxy can be
>> configured instead to automatically acquire tickets on the client's behalf.
>> https://fedorahosted.org/gss-proxy/
>>
>> It generally applies to any unattended client that uses a keytab to
>> authenticate, be it a messaging client, DB client, LDAP client or
>> anything else. You name it...
>>
>> Thanks for the blog!
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
> 
> 
> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
> but have not begun using it for other services such as an smtp client, though 
> this is exactly what I'd be looking for.  Do you think you'd be able to show 
> us what the gssproxy.conf file might look like for Postfix's smtp service?  
> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
> this would be stored as the postfix user's uidnumber.
> 
> Thanks again.  -A
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

No problem, glad it is useful.

Please note that there is a bit of a problem currently that I am trying
to document. As it is written, the Postfix config doesn't verify the
TLS connection between client and server, which can create a security issue.

Basically, you need to change the setting for smtp_tls_security_level
from 'may' to 'secure' and make sure you either have a certificate
signed by a known CA or have your own CA in the certificate trust.

Within the confines of FreeIPA this is pretty easy given that you
already have a PKI in place with IPA.

GSSAPI inside of a TLS channel apparently isn't secure unless the
channel is secure and verified. The irony being that GSSAPI auth outside
of a TLS connection is just fine for postfix.

The post will be updated with this information, but it takes a bit more
work to make what I wrote above more approachable.

-Erinn


Attachment: signature.asc
Description: OpenPGP digital signature
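As an added illustration of the fix described in the message above (this script is not from the thread, the blog post or the Postfix project), the snippet below audits a Postfix main.cf fragment for the weak relay setting and emits the hardened form. The relayhost name mail.example.com, port 587 and the CA path /etc/ipa/ca.crt (where ipa-client-install places the IPA CA certificate) are assumptions, not values from the thread; the sample config is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: check whether a Postfix
# SMTP client config verifies the TLS channel to its relayhost, and show the
# corrected settings.  Relayhost, port and CA path are assumed placeholders.

# Constructed sample: the client config "as written", using GSSAPI auth over
# an opportunistic (unverified) TLS session.
WEAK_CONF='relayhost = [mail.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ipa/ca.crt'

# conf_get CONFIG PARAM: print the value of PARAM; the last assignment wins,
# which is how postconf resolves duplicates.
conf_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | tail -n 1
}

# check_relay_tls CONFIG: exit 0 when the relayhost certificate is verified,
# 2 when TLS is not used at all (GSSAPI alone still authenticates, but mail
# content travels in the clear), 1 when TLS is used without verification.
check_relay_tls() {
    level=$(conf_get "$1" smtp_tls_security_level)
    case "$level" in
        secure|verify|fingerprint|dane-only)
            echo "ok: relayhost certificate is verified (level=$level)"
            return 0 ;;
        none|"")
            echo "warn: no TLS to relayhost; GSSAPI authenticates, mail is in the clear"
            return 2 ;;
        *)
            echo "FAIL: smtp_tls_security_level=$level does not verify the relayhost"
            return 1 ;;
    esac
}

# harden_relay_tls CONFIG: rewrite the TLS level to 'secure', so the relayhost
# must present a certificate chaining to smtp_tls_CAfile (the IPA CA here)
# whose name matches the relayhost as written in main.cf.
harden_relay_tls() {
    printf '%s\n' "$1" \
        | sed 's/^\([[:space:]]*smtp_tls_security_level[[:space:]]*=\).*/\1 secure/'
}

HARDENED_CONF=$(harden_relay_tls "$WEAK_CONF")

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    check_relay_tls "$conf" || :
done

printf '\nHardened main.cf fragment:\n%s\n' "$HARDENED_CONF"
```

On a real host the same change is `postconf -e 'smtp_tls_security_level = secure'` followed by a reload. With level `secure`, Postfix matches the server certificate against the relayhost name as written (the default `smtp_tls_secure_cert_match` is `nexthop, dot-nexthop`), so keep the relayhost in brackets with its full DNS name rather than relying on an MX lookup, and point `smtp_tls_CAfile` at the CA that signed the gateway's certificate.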
