On 07/12/2013 11:36 AM, Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
>> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>>> Folks,
>>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>>> wrote up some instructions for how to configure the postfix mail client
>>>>> to use Kerberos to relay through a Postfix gateway.
>>>>>
>>>>> Instructions are here for folks that are interested:
>>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>>>
>>>>> Hopefully it is useful to some people in the future; for me it took the
>>>>> help of some users on the Postfix list, a lot of it was not clear.
>>
>> Erinn, this is excellent! I've been looking for just this idea! Thanks.
>>
>>> I think it is worth mentioning that starting with Fedora 19 the step to
>>> configure cron to fetch tickets is not needed. GSS proxy can be
>>> configured instead to automatically acquire tickets on the client's behalf.
>>> https://fedorahosted.org/gss-proxy/
>>>
>>> It generally applies to any unattended client that uses a keytab to
>>> authenticate, be it a messaging client, DB client, LDAP client or
>>> anything else. You name it...
>>>
>>> Thanks for the blog!
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>
>> Dmitri, thanks for the info on gssproxy. I am using gssproxy for NFS in
>> F19, but have not begun using it for other services such as an smtp client,
>> though this is exactly what I'd be looking for. Do you think you'd be able to
>> show us what the gssproxy.conf file might look like for Postfix's smtp service?
>
> I will need to look at how postfix uses gssapi, it may 'just work' or
> it may require some patching to avoid bad uses of gssapi or
> unconditional uses of direct krb5 calls. For nfs-utils I had to send a
> very small patch.
> If SASL is used I am relatively sure it will just work though.
>
>> How would one store the keytab in /var/lib/gssapi/clients? As far as I can
>> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I
>> imagine this would be stored as the postfix user's uidnumber.
>
> When you use a keytab for 'accepting' rather than 'initiating' you can
> place it where you want and give it whatever name you want as it doesn't
> change based on the peer name. Of course you want to place it in a place
> where (only) gssproxy can use it.
>
> The configuration for SMTP would be something like:
>
> [service/smtp-server]
> mechs = krb5
> cred_store = keytab:/etc/postfix/smtp.keytab
> trusted = no
> euid = 12345 #smtp's process user id
>
> HTH,
> Simo.
>
Simo et al., I would still recommend taking a look, but Postfix delegates all of that to SASL.

-Erinn
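The thread ends with a sketch of a [service/smtp-server] section and a reminder that the keytab must sit where only gssproxy can read it and that euid must be the uid the daemon really runs as. The checker below is an added example, not code from this thread or from the gssproxy project: it parses a gssproxy.conf-style text, flags the mistakes a practitioner is most likely to make when copying that section (wrong or root euid, relative keytab path, trusted = yes on an unattended client), and checks the keytab's permission bits. The config text and the uid 12345 are constructed from the thread; stripping the trailing "#..." remark on the euid line is this checker's own assumption about comment handling, not a statement about how gssproxy parses its file, and the reading of trusted as "this service may impersonate" follows the gssproxy.conf man page.

```python
"""Sanity checks for a gssproxy service section like the [service/smtp-server]
block sketched in the thread. Added example, not code from the thread or from
the gssproxy project; the config text and uids are constructed."""
import configparser
import os
import stat

# Constructed: the thread's section plus a deliberately misconfigured variant.
CONSTRUCTED_CONF = """
[gssproxy]

[service/smtp-server]
mechs = krb5
cred_store = keytab:/etc/postfix/smtp.keytab
trusted = no
euid = 12345 #smtp's process user id

[service/smtp-server-weak]
mechs = krb5
cred_store = keytab:smtp.keytab
trusted = yes
euid = 0
"""


def parse_gssproxy_conf(text):
    """Parse the INI-style text. Stripping trailing '#' remarks is an
    assumption of this checker (it keeps the thread's commented euid line
    parseable); it says nothing about what gssproxy itself accepts."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"),
                                   interpolation=None)
    cp.read_string(text)
    return cp


def check_service(cp, section, expected_uid):
    """Return a list of findings for one [service/...] section.

    expected_uid is the uid the client daemon really runs as (what
    `id -u postfix` prints); gssproxy matches callers on euid, so a typo
    here silently means the service never receives its credentials."""
    findings = []
    if not cp.has_section(section):
        return ["%s: section missing" % section]
    s = cp[section]

    mechs = [m.strip() for m in s.get("mechs", "").split(",") if m.strip()]
    if "krb5" not in mechs:
        findings.append("mechs does not include krb5")

    cred = s.get("cred_store", "")
    if not cred.startswith("keytab:"):
        findings.append("cred_store is not a keytab: entry")
    elif not cred[len("keytab:"):].startswith("/"):
        findings.append("keytab path is not absolute")

    # A trusted service may impersonate other principals; an unattended
    # SMTP relay client has no reason to hold that power.
    if s.get("trusted", "no").strip().lower() in ("yes", "true", "1"):
        findings.append("trusted = yes grants impersonation to this service")

    try:
        euid = int(s.get("euid", ""))
    except ValueError:
        findings.append("euid is not an integer")
    else:
        if euid == 0:
            findings.append("euid = 0 serves the keytab to any root process, "
                            "not just the daemon user")
        elif euid != expected_uid:
            findings.append("euid %d does not match the daemon uid %d"
                            % (euid, expected_uid))
    return ["%s: %s" % (section, f) for f in findings]


def keytab_mode_ok(mode):
    """True when the permission bits allow no group/other access, so only
    the owning user (gssproxy, running as root) can read the keytab."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_keytab(path):
    """Filesystem check for the keytab named in cred_store."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: keytab does not exist" % path]
    if keytab_mode_ok(st.st_mode):
        return []
    return ["%s: mode %o is readable by group/other"
            % (path, stat.S_IMODE(st.st_mode))]


if __name__ == "__main__":
    conf = parse_gssproxy_conf(CONSTRUCTED_CONF)
    for sec in ("service/smtp-server", "service/smtp-server-weak"):
        for finding in check_service(conf, sec, expected_uid=12345):
            print(finding)
    for finding in audit_keytab("/etc/postfix/smtp.keytab"):
        print(finding)
```

Run it against the real /etc/gssproxy/gssproxy.conf by reading the file instead of CONSTRUCTED_CONF and passing the output of `id -u postfix` as expected_uid; the thread's own section produces no findings, while the weak variant is flagged three times.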
