On 07/12/2013 11:36 AM, Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
>> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>>> Folks,
>>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>>> wrote up some instruction for how to configure the postfix mail client
>>>>> to use Kerberos to relay through a Postfix gateway.
>>>>>
>>>>> Instructions are here for folks that are interested:
>>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>>>
>>>>> Hopefully it is useful to some people in the future, for me it took the
>>>>> help of some users on the Postfix list, a lot of it was not clear.
>>
>> Erinn, this is excellent!  I've been looking for just this idea!  Thanks.
>>
>>> I think it is worth mentioning that starting with Fedora 19 the step to
>>> configure cron to fetch tickets is not needed. GSS proxy can be
>>> configured instead to automatically acquire tickets on the client's behalf.
>>> https://fedorahosted.org/gss-proxy/
>>>
>>> It generally applies to any unattended client that uses a keytab to
>>> authenticate, be it a messaging client, DB client, LDAP client or
>>> anything else. You name it...
>>>
>>> Thanks for the blog!
>>>
>>>
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>
>>
>> Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in
>> F19, but have not begun using it for other services such as an smtp client,
>> though this is exactly what I'd be looking for.  Do you think you'd be able
>> to show us what the gssproxy.conf file might look like for Postfix's smtp
>> service?
> 
> I will need to look at how postfix uses gssapi, it may 'just work' or
> it may require some patching to avoid bad uses of gssapi or
> unconditional uses of direct krb5 calls. For nfs-utils I had to send a
> very small patch.
> If SASL is used I am relatively sure it will just work though.
> 
>> How would one store the keytab in /var/lib/gssapi/clients?  As far as I can
>> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I
>> imagine this would be stored as the postfix user's uidnumber.
> 
> When you use a keytab for 'accepting' rather than 'initiating' you can
> place it where you want and give it whatever name you want as it doesn't
> change based on the peer name. Of course you want to place it in a place
> where (only) gssproxy can use it.
> 
> The configuration for SMTP would be something like:
> 
> [service/smtp-server]
>   mechs = krb5
>   cred_store = keytab:/etc/postfix/smtp.keytab
>   trusted = no
>   euid = 12345 #smtp's process user id
> 
> 
> HTH,
> Simo.
> 

Simo et al.
I would still recommend taking a look but Postfix delegates all of that
to SASL.

-Erinn
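The stanza Simo quotes above leaves two things to the administrator: the keytab has to sit somewhere only gssproxy (root) can read it, and euid has to be the numeric uid of the process that will talk to the gssproxy socket. The script below is an added example, not part of this thread and not gssproxy's own tooling: it parses a service stanza in the same INI-style shape as the one quoted (treating `#` as a comment, as that stanza does), and reports a keytab that is missing, not root-owned, or readable by group/other, plus a non-numeric euid or a mechs line without krb5. The `expected_uid` parameter and the sample keytab bytes are assumptions of the example so it can be run unprivileged against a temporary file.

```python
#!/usr/bin/env python3
"""Audit gssproxy [service/...] stanzas: keytab reachable only by the expected
owner, euid numeric, krb5 listed in mechs.  Added example; assumptions are
labelled inline."""
import os
import stat
import tempfile

# Constructed sample, modelled on the stanza quoted in the thread.
SAMPLE_CONF = """\
[service/smtp-server]
  mechs = krb5
  cred_store = keytab:/etc/postfix/smtp.keytab
  trusted = no
  euid = 12345 #smtp's process user id
"""


def parse_gssproxy_conf(text):
    """Minimal INI-style parser returning {section: {key: [values]}}.
    Repeated keys are kept as a list (gssproxy allows several cred_store
    lines); '#' starts a comment, as in the quoted stanza."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def keytab_findings(path, expected_uid=0):
    """Problems with a keytab that only gssproxy's user should be able to read.
    expected_uid defaults to root; it is a parameter so the demo can run unprivileged."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: keytab does not exist" % path]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("%s: not a regular file" % path)
    if st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %o grants group/other access" % (path, stat.S_IMODE(st.st_mode)))
    return findings


def audit_service(name, opts, expected_uid=0):
    findings = []
    if not any("krb5" in m for m in opts.get("mechs", [])):
        findings.append("%s: mechs does not include krb5" % name)
    euids = opts.get("euid", [])
    if len(euids) != 1 or not euids[0].isdigit():
        findings.append("%s: euid must be a single numeric user id" % name)
    keytabs = [s.split(":", 1)[1] for s in opts.get("cred_store", []) if s.startswith("keytab:")]
    if not keytabs:
        findings.append("%s: no keytab cred_store" % name)
    for kt in keytabs:
        findings.extend(keytab_findings(kt, expected_uid))
    return findings


def audit_config(text, expected_uid=0):
    """Return {service section: [findings]} for every [service/...] stanza."""
    conf = parse_gssproxy_conf(text)
    return {name: audit_service(name, opts, expected_uid)
            for name, opts in conf.items() if name.startswith("service/")}


def demo():
    """Write a constructed keytab (magic bytes only, not a real keytab) with lax
    permissions, audit a copy of the stanza pointing at it, tighten, audit again."""
    with tempfile.TemporaryDirectory() as d:
        kt = os.path.join(d, "smtp.keytab")
        with open(kt, "wb") as f:
            f.write(b"\x05\x02")
        os.chmod(kt, 0o644)
        text = SAMPLE_CONF.replace("/etc/postfix/smtp.keytab", kt)
        loose = audit_config(text, expected_uid=os.getuid())
        os.chmod(kt, 0o600)
        tight = audit_config(text, expected_uid=os.getuid())
        return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Run as root against the real /etc/gssproxy/gssproxy.conf with the default `expected_uid=0`, the same checks apply to the production keytab; the mode check is the one that matters most, since a keytab readable by the service user defeats the point of letting gssproxy hold the credentials instead of the daemon.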

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users