On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
> > On 07/10/2013 12:12 PM, Simo Sorce wrote:
> > > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> > >> Folks,
> > >> I swear I am not trying to drive up traffic to my very small blog, but I
> > >> wrote up some instructions for how to configure the postfix mail client
> > >> to use Kerberos to relay through a Postfix gateway.
> > >> 
> > >> Instructions are here for folks that are interested:
> > >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
> > >> 
> > >> Hopefully it is useful to some people in the future, for me it took the
> > >> help of some users on the Postfix list, a lot of it was not clear.
> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
> > I think it is worth mentioning that starting with Fedora 19 the step to
> > configure cron to fetch tickets is not needed. GSS proxy can be
> > configured instead to automatically acquire tickets on the client's behalf.
> > https://fedorahosted.org/gss-proxy/
> > 
> > It generally applies to any unattended client that uses a keytab to
> > authenticate, be it a messaging client, DB client, LDAP client or
> > anything else. You name it...
> > 
> > Thanks for the blog!
> > 
> > 
> > -- 
> > Thank you,
> > Dmitri Pal
> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in F19, 
> but have not begun using it for other services such as an smtp client, though 
> this is exactly what I'd be looking for.  Do you think you'd be able to show 
> us what the gssproxy.conf file might look like for Postfix's smtp service? 

I will need to look at how postfix uses gssapi, it may 'just work' or
it may require some patching to avoid bad uses of gssapi or
unconditional uses of direct krb5 calls. For nfs-utils I had to send a
very small patch.
If SASL is used I am relatively sure it will just work though.

> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can 
> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine 
> this would be stored as the postfix user's uidnumber.

When you use a keytab for 'accepting' rather than 'initiating' you can
place it where you want and give it whatever name you want as it doesn't
change based on the peer name. Of course you want to place it in a place
where (only) gssproxy can use it.

The configuration for SMTP would be something like:

  mechs = krb5
  cred_store = keytab:/etc/postfix/smtp.keytab
  trusted = no
  euid = 12345 #smtp's process user id


Simo Sorce * Red Hat, Inc * New York
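The fragment above is the gist of it; what follows is an added, fuller example of where those lines would live, written here as an illustration and not taken from Simo's post, the gssproxy project, or the blog. It assumes gssproxy's `[service/<name>]` section layout and the `cred_usage`, `client_keytab:` and `ccache:` cred_store forms documented in gssproxy.conf(5) for the version you have installed (check that man page; older releases may not have all of them), a keytab at the path Simo used holding a principal for this host (`smtp/mailclient.example.com@EXAMPLE.COM` is a made-up name), and that the postfix uid is whatever `id -u postfix` prints on your box (89 is just a placeholder, like Simo's 12345). Because the Postfix smtp client is the initiating side of the SASL/GSSAPI exchange, the example is written for `initiate`, which is the case Dmitri described (gssproxy fetching the TGT so no cron job is needed):

```ini
# ---- /etc/gssproxy/gssproxy.conf (added example; adapt to gssproxy.conf(5)) ----
[gssproxy]
  # debug_level = 1        ; uncomment while testing, then turn it back off

[service/postfix-smtp]
  mechs = krb5
  # The postfix smtp client initiates GSSAPI, so credentials are for initiating.
  cred_usage = initiate
  # Keytab used to obtain the TGT on the client's behalf; name/location are
  # free because this is the client's own identity, not peer-derived.
  cred_store = client_keytab:/etc/postfix/smtp.keytab
  # Where gssproxy keeps the acquired tickets for this service.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_postfix
  # Only a process running as this uid may use this service entry.
  # Replace 89 with the output of: id -u postfix
  euid = 89
  # Untrusted: the caller may not impersonate other principals.
  trusted = no

# ---- /etc/systemd/system/postfix.service.d/gssproxy.conf (added example) ----
# Makes libgssapi inside postfix route calls through gssproxy's interposer.
[Service]
Environment=GSS_USE_PROXY=yes
```

Two checks worth doing before trusting it: `klist -k /etc/postfix/smtp.keytab` should list the principal you expect, and the keytab itself should be root-owned and mode 0600, since gssproxy (running as root) is the only process that needs to read it; the postfix user must not be able to read it directly, otherwise the point of the proxy is lost. After `systemctl daemon-reload` and restarting both gssproxy and postfix, a relay attempt should show `AUTH GSSAPI` succeeding in the Postfix log without any ticket-fetching cron entry.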

Freeipa-users mailing list