Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Mon, 2015-12-14 at 13:51 -0500, Simo Sorce wrote:
> There are a few ways to go about it.
>
> Another way is to use a custom subtree + schema to store these emails
> only.
>
> It really depends on what kind of tools you want to use to manage the
> information too.

I ended up creating normal users, set passwords for those that needed them (some are public shared IMAP folders and so don't need passwords) and set all of their shells to /sbin/nologin. None of them have the right to ssh, gdm, etc.

The thought of creating a custom schema, OIDs and whatnot sent me into fits. freeipa is supposed to make my life easier, not harder, so I took the simpler route. In a different setting a custom schema would be warranted.

--
Ranbir

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
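A check for the approach described in the message above, as an added example that is not part of the original thread: it reads LDIF-style user entries and reports mail-only accounts that still have an interactive login shell or lack a mail attribute. The sample entries are constructed, and the `mail-only` group name and the `dc=example,dc=test` suffix are assumptions.

```python
# Added example; SAMPLE_LDIF is constructed and the "mail-only" group is a hypothetical name.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
MAIL_ONLY_GROUP = "cn=mail-only,cn=groups,cn=accounts,dc=example,dc=test"
SAMPLE_LDIF = """\
dn: uid=info,cn=users,cn=accounts,dc=example,dc=test
uid: info
mail: info@example.test
loginShell: /sbin/nologin
memberOf: cn=mail-only,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=sales,cn=users,cn=accounts,dc=example,dc=test
uid: sales
mail: sales@example.test
loginShell: /bin/bash
memberOf: cn=mail-only,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
loginShell: /bin/bash
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test

dn: uid=archive,cn=users,cn=accounts,dc=example,dc=test
uid: archive
loginShell: /sbin/nologin
memberOf: cn=mail-only,cn=groups,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per LDIF entry."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            # Comments and base64 ("attr:: value") lines are skipped in this sketch.
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def audit_mail_only(text):
    """Return (uid, problem) pairs for mail-only accounts that need attention."""
    findings = []
    for e in parse_ldif(text):
        if MAIL_ONLY_GROUP not in (g.lower() for g in e.get("memberof", [])):
            continue  # regular users are out of scope for this check
        uid, shell = e.get("uid", ["?"])[0], e.get("loginshell", [""])[0]
        if shell not in NOLOGIN_SHELLS:
            findings.append((uid, f"login shell is {shell or 'unset'}"))
        if not e.get("mail"):
            findings.append((uid, "no mail attribute"))
    return findings
```

To run it on real data, pass in an LDIF export of the user entries that includes the `uid`, `mail`, `loginShell` and `memberOf` attributes.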
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On 12/12/2015 12:26 AM, Martin Štefany wrote:
> Hello Ranbir,
>
> I'm working on this, even today I was putting more things together.
> (That DRAFT is really an uncommented version of what I currently have). And
> I've also opened https://fedorahosted.org/freeipa/ticket/5521 to get a
> bit more out of it.
>
> To sum up what I've put together:
> - Postfix for SMTP MTA
> - Dovecot for IMAP (no POP3)
> - Amavisd-new with ClamAV and SpamAssassin for Antispam / Antivirus /
>   additional header checks, etc.
> - SPF, DKIM, DMARC support for both sending and receiving mail
> - setup is HA thanks to DNS records, and 2 separate systems running
>   almost identical configuration and Dovecot replicates mailboxes using
>   dsync
> - PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA
>   (integration with Evolution on Fedora/RHEL/CentOS desktop joined to
>   FreeIPA domain also works great)
> - users, of course, stored in FreeIPA, usage granted only to ones with
>   correct e-mail field, group membership (and enablement of the ID)
> - but some pieces are still missing:
>   - I'm still reviewing e.g. correct postfix restrictions and
>     documenting the full setup
>   - there's missing support for GUI configuration of domain aliases, user
>     aliases, sender/receiver Bcc support, quota setup, etc. even if
>     something is manageable via ipa-admintools and LDAP attributes
>
> I would like to finish it asap, within a week or two, cause I run this
> e-mail system at home (as somebody already mentioned, why not?) and I
> don't like it unfinished. ;)
>
> But to give you a good place to start: have a look at the iRedMail project,
> http://www.iredmail.org/, ZhangHuangbin's product is great and it helped
> me a lot to prepare what I described above. There's no support for
> 'old-style' HA, but you can still run it 'HA' on VM with all the benefits,
> and there's no direct support for FreeIPA integration, but a guideline
> for ActiveDirectory integration exists, so you can start there:
> http://www.iredmail.org/docs/active.directory.html.
>
> As Natxo mentioned, it all depends on what kind of integration you want and
> what you expect from the mail setup. ;)
>
> Martin

Looks like a decent amount of work is included in this. BTW, if you have cycles to contribute a How To to http://www.freeipa.org/page/HowTos or update/improve existing guides there, I think other FreeIPA community members would be very very grateful :-)

Thanks,
Martin
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Sun, 2015-12-13 at 21:56 +0100, Natxo Asenjo wrote:
> so what have you tried?

A number of things. However, I've been able to get past the SASL GSSAPI error I was seeing in Postfix. Now I've run into another issue though I don't think it's related to freeipa.

I'm going to post what I did once I have a working setup. In the meantime, I have other questions.

How would one handle an email only user in freeipa? I have mail accounts that aren't attached to a real person and yet I need the "user" to exist in freeipa.

--
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote:
> How would one handle an email only user in freeipa? I have mail
> accounts that aren't attached to a real person and yet I need the
> "user" to exist in freeipa.

Should I just create a normal user account, set the password and mail and disable logins?

--
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Mon, 2015-12-14 at 13:38 -0500, Ranbir wrote:
> On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote:
> > How would one handle an email only user in freeipa? I have mail
> > accounts that aren't attached to a real person and yet I need the
> > "user" to exist in freeipa.
>
> Should I just create a normal user account, set the password and mail
> and disable logins?

There are a few ways to go about it.

Another way is to use a custom subtree + schema to store these emails only.

It really depends on what kind of tools you want to use to manage the information too.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> what exactly do you want to achieve? 'Integrate' could mean a couple
> of things, so please specify.

Ya, that was lame. Let me elaborate.

I have a postfix server and a dovecot server: both are running in separate KVMs. They're on different subnets and they have a firewall in between. I've opened up ports to allow them to talk to each other because the postfix server is using dovecot for smtp auth and lmtp for mail delivery. The dovecot users are in a password file. At the moment, my mail setup is working perfectly.

I have a master IPA server on the same network as the dovecot box. There's a replica IPA server on the postfix server's network. Both servers are joined to the IPA domain although they are in different DNS domains (which doesn't really matter here, I guess).

I would like to move postfix and dovecot to use IPA for sasl auth and for managing the virtual mailboxes. I have a good idea of how this is all supposed to work together. What I need are the actual steps to get it done.

--
Ranbir
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir wrote:
> On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> > what exactly do you want to achieve? 'Integrate' could mean a couple
> > of things, so please specify.
>
> I would like to move postfix and dovecot to use IPA for sasl auth and
> for managing the virtual mailboxes. I have a good idea of how this is
> all supposed to work together. What I need are the actual steps to get
> it done.
>

so what have you tried?

--
Groeten,
natxo
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
hi Ranbir,

On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote:
> Hi All,
>
> I want to integrate my Postfix server with IPA. I've found a couple of
> documents on how this can be done, but they don't accomplish the feat
> the same way (they're also not discussing the exact same end goal). I'm
> left wondering how exactly to integrate IPA and Postfix.
>
>

what exactly do you want to achieve? 'Integrate' could mean a couple of things, so please specify.

--
Groeten,
natxo
Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?
Hello Ranbir,

I'm working on this, even today I was putting more things together. (That DRAFT is really an uncommented version of what I currently have). And I've also opened https://fedorahosted.org/freeipa/ticket/5521 to get a bit more out of it.

To sum up what I've put together:
- Postfix for SMTP MTA
- Dovecot for IMAP (no POP3)
- Amavisd-new with ClamAV and SpamAssassin for Antispam / Antivirus / additional header checks, etc.
- SPF, DKIM, DMARC support for both sending and receiving mail
- setup is HA thanks to DNS records, and 2 separate systems running almost identical configuration and Dovecot replicates mailboxes using dsync
- PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA (integration with Evolution on Fedora/RHEL/CentOS desktop joined to FreeIPA domain also works great)
- users, of course, stored in FreeIPA, usage granted only to ones with correct e-mail field, group membership (and enablement of the ID)
- but some pieces are still missing:
  - I'm still reviewing e.g. correct postfix restrictions and documenting the full setup
  - there's missing support for GUI configuration of domain aliases, user aliases, sender/receiver Bcc support, quota setup, etc. even if something is manageable via ipa-admintools and LDAP attributes

I would like to finish it asap, within a week or two, cause I run this e-mail system at home (as somebody already mentioned, why not?) and I don't like it unfinished. ;)

But to give you a good place to start: have a look at the iRedMail project, http://www.iredmail.org/, ZhangHuangbin's product is great and it helped me a lot to prepare what I described above. There's no support for 'old-style' HA, but you can still run it 'HA' on VM with all the benefits, and there's no direct support for FreeIPA integration, but a guideline for ActiveDirectory integration exists, so you can start there: http://www.iredmail.org/docs/active.directory.html.

As Natxo mentioned, it all depends on what kind of integration you want and what you expect from the mail setup. ;)

Martin

On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> hi Ranbir,
>
>
> On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote:
> > Hi All,
> >
> > I want to integrate my Postfix server with IPA. I've found a couple
> > of documents on how this can be done, but they don't accomplish the
> > feat the same way (they're also not discussing the exact same end goal).
> > I'm left wondering how exactly to integrate IPA and Postfix.
> >
> what exactly do you want to achieve? 'Integrate' could mean a couple
> of things, so please specify.
>
> --
> Groeten,
> natxo