Hi Simo,

On 6/26/2014 8:54 AM, Simo Sorce wrote:
> On Wed, 2014-06-25 at 19:00 -0500, David Gonzalez Herrera - [DGHVoIP]
> wrote:
>> Thanks Simo, I'm testing that but I have no relay host, do I need one?
> A relay host is the mail server your MUA contacts to send email.
> So instructions should apply just as well for your mail server, from the
> GSSAPI PoV at least.
Great, but before I try it and see if it does the trick, should I remove the section from the Postfix+Dovecot Integration from Dale MaCarney's howto?


My current main.cf conf looks like this:

[root@mail ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab KRB5CCNAME=FILE:${queue_directory}/kerberos/krb5_ccache
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
myhostname = mail.domain.net
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/smtp.crt
smtp_tls_key_file = /etc/postfix/smtp.key
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = secure
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_client_restrictions = permit_sasl_authenticated,  permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_sasl_authenticated,  permit
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/smtp.crt
smtpd_tls_key_file = /etc/postfix/certs/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain.net
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

The other very serious issue is that I keep getting Access Denied when external servers try to send mail to my "domain.net" address

Like this:

Jun 26 10:35:51 mail postfix/smtpd[20398]: warning: 255.23.15.115: hostname customer.worldstream.nl verification failed: Name or service not known
Jun 26 10:35:51 mail postfix/smtpd[20398]: connect from unknown[255.23.15.115]
Jun 26 10:35:51 mail postfix/smtpd[20398]: NOQUEUE: reject: RCPT from unknown[255.23.15.115]: 554 5.7.1 <unknown[255.23.15.115]>: Client host rejected: Access denied; from=<da...@domain.com> to=<da...@domain.net> proto=ESMTP helo=<extranet.DOMAIN.com>
Jun 26 10:35:51 mail postfix/smtpd[20398]: disconnect from unknown[255.23.15.115]

I see there's no reference in any howto nor any other doc, so I don't really know where to start debugging this, because outbound mail was working and now it doesn't; it's just all of it being deferred. I guess it's a certificate issue, but even before the TLS issues I always got the Host Rejected: Access Denied.

Also, though not related, there are many SSL issues, but again those are Postfix related and I can figure out.

Jun 26 10:22:24 mail postfix/smtp[20176]: certificate verification failed for alt1.gmail-smtp-in.l.google.com[74.125.25.27]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jun 26 10:22:24 mail postfix/smtp[20176]: 0371321045: Server certificate not trusted

If anyone can tell me where to go from here.

As I've said all along, you guys have gotten me very close with every answer. I was at a point where I had nothing; now all of your help has helped me get to a near-finished point for this project.

I'm planning a YouTube video or a blog post on my personal blog with the right setup.

Thank you all

--Regards DavidG

> Simo.

>> Cheers.

>> --Regards DavidG
>> On 6/25/2014 1:51 PM, Simo Sorce wrote:
>>> On Wed, 2014-06-25 at 13:28 -0500, Dave Gonzalez wrote:
>>>> [root@mail ~]# cat saslauthd.conf
>>>> ldap_servers: ldap://ipa.domain.net
>>>> ldap_search_base: cn=users,cn=accounts,dc=domain,dc=net
>>>> ldap_filter: (|(uid=%u)(mail=%u))
>>>> ldap_bind_dn: uid=david,cn=users,cn=accounts,dc=domain,dc=net
>>>> ldap_bind_pw: pass
>>> This configuration is for password based authentication tested against
>>> an LDAP server. Has really nothing to do with GSSAPI.
>>>
>>> This guide should help you configure postfix with GSSAPI authentication:
>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>
>>> Simo.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
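A configuration audit for the `postconf -n` dump posted in this thread, added here as an example; it is not code from the thread, from the howto mentioned, or from the Postfix project. It parses `key = value` lines, fills in the Postfix defaults for keys a `-n` dump omits, and flags four things a reviewer would check against the values above: a relay-capable restriction list that reaches an unconditional `permit` without `reject_unauth_destination` (the `smtpd_recipient_restrictions` line as posted), no `smtpd_tls_security_level` at all, so inbound STARTTLS is never offered despite the `smtpd_tls_*` certificate files, `smtpd_tls_auth_only = no`, which lets PLAIN/LOGIN be used outside TLS wherever smtpd SASL is switched on, and `smtp_tls_security_level = secure`, the setting under which a remote certificate that does not validate against `smtp_tls_CAfile` (the "Server certificate not trusted" line for Google's MX in the log) causes deferral rather than opportunistic delivery. The sample dump is built from the thread's own values; the hardened counterpart and the finding identifiers are constructed for the example. It reads main.cf settings only, so per-service `-o` overrides in master.cf are not seen.

```python
"""Audit a `postconf -n` dump for relay, SASL and TLS weaknesses.

Added example, not code from the FreeIPA list thread or the Postfix
project. Only main.cf values are examined; master.cf `-o` overrides
are out of scope.
"""
import re

# Constructed sample: the relevant lines from the dump posted in the thread.
SAMPLE_POSTCONF = """\
smtp_sasl_auth_enable = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_security_level = secure
smtpd_client_restrictions = permit_sasl_authenticated,  permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,  permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/smtp.crt
"""

# Constructed counterpart with each finding addressed.
SAMPLE_HARDENED = """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
"""

# Postfix defaults for the keys this audit reads (postconf -n omits defaults).
DEFAULTS = {
    "smtpd_relay_restrictions": "",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
    "smtpd_tls_security_level": "",
    "smtpd_use_tls": "no",
    "smtpd_tls_auth_only": "no",
    "smtp_tls_security_level": "",
}

# Restrictions that actually stop relaying to foreign destinations.
RELAY_GUARDS = {"reject_unauth_destination", "reject", "check_relay_domains"}


def parse_postconf(text: str) -> dict:
    """Turn `key = value` lines into a dict, starting from DEFAULTS."""
    params = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def restriction_list(value: str) -> list:
    """Split a Postfix restriction list on commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit(params: dict) -> list:
    """Return (finding_id, explanation) pairs for the given settings."""
    findings = []

    # 1. Relay control: the list that governs relaying must hit a guard
    #    before any unconditional "permit". Postfix 2.10+ consults
    #    smtpd_relay_restrictions first; older releases use only
    #    smtpd_recipient_restrictions.
    relay = restriction_list(params["smtpd_relay_restrictions"])
    rcpt = restriction_list(params["smtpd_recipient_restrictions"])
    effective = relay if relay else rcpt
    guard_pos = [i for i, tok in enumerate(effective) if tok in RELAY_GUARDS]
    permit_pos = [i for i, tok in enumerate(effective) if tok == "permit"]
    if not guard_pos or (permit_pos and permit_pos[0] < guard_pos[0]):
        findings.append(("open-relay",
            "no reject_unauth_destination before an unconditional permit: "
            "any client may relay to any destination"))

    # 2. Inbound STARTTLS is only offered when a security level (or the
    #    legacy smtpd_use_tls) is set; cert files alone do nothing.
    if params["smtpd_tls_security_level"] == "" and params["smtpd_use_tls"] != "yes":
        findings.append(("no-inbound-starttls",
            "smtpd_tls_security_level is unset: inbound clients cannot use STARTTLS"))

    # 3. PLAIN/LOGIN credentials are only safe inside TLS.
    if params["smtpd_tls_auth_only"] != "yes":
        findings.append(("cleartext-auth",
            "smtpd_tls_auth_only=no: wherever smtpd SASL is enabled, "
            "PLAIN/LOGIN may be sent without TLS"))

    # 4. 'secure'/'verify' defer delivery to any MX whose chain does not
    #    validate against smtp_tls_CAfile; 'may' is the Internet default.
    level = params["smtp_tls_security_level"]
    if level in ("secure", "verify"):
        findings.append(("strict-outbound-tls",
            f"smtp_tls_security_level={level}: mail to any host with an "
            "untrusted certificate is deferred; use 'may' for the Internet "
            "and reserve 'secure' for known relays"))
    return findings


def finding_ids(text: str) -> set:
    """Convenience wrapper: the set of finding ids for a postconf dump."""
    return {fid for fid, _ in audit(parse_postconf(text))}


if __name__ == "__main__":
    for fid, why in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(f"[{fid}] {why}")
```

Run it as-is to see the findings for the posted values, or feed `parse_postconf` the output of `postconf -n` from the server to audit a live box. Only the recipient/relay lists are checked for relaying because `smtpd_client_restrictions` and `smtpd_sender_restrictions` do not decide whether a destination may be relayed to; a `permit` at the end of those lists is harmless on its own.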