Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-15 Thread Ranbir
On Mon, 2015-12-14 at 13:51 -0500, Simo Sorce wrote:
> There are a few ways to go about it.
> 
> another way is to use a custom subtree + schema to store these emails
> only.
> 
> It really depends on what kind of tools you want to use to manage the
> information too.

I ended up creating normal users, set passwords for those that needed
them (some are public shared IMAP folders and so don't need passwords)
and set all of their shells to /sbin/nologin. None of them have the
right to ssh, gdm, etc.

The thought of creating a custom schema, OIDs and whatnot sent me into
fits. freeipa is supposed to make my life easier, not harder, so I took
the simpler route. In a different setting a custom schema would be
warranted.

-- 
Ranbir


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Martin Kosek
On 12/12/2015 12:26 AM, Martin Štefany wrote:
> Hello Ranbir,
> 
> I'm working on this, even today I was putting more things together.
> (That DRAFT is really uncommented version of what I currently have). And
> I've opened also https://fedorahosted.org/freeipa/ticket/5521 to get a
> bit more out of it.
> 
> To sum it up what I've put together:
> - Postfix for SMTP MTA
> - Dovecot for IMAP (no POP3)
> - Amavisd-new with ClamAV and SpamAssassin for Antispam / Antivirus /
> additional header checks, etc.
> - SPF, DKIM, DMARC support for both sending and receiving mail
> - setup is HA thanks to DNS records, and 2 separate systems running
> almost identical configuration and Dovecot replicates mailboxes using
> dsync
> - PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA
> (integration with Evolution on Fedora/RHEL/CentOS desktop joined to
> FreeIPA domain works also great)
> - users, of course, stored in FreeIPA, usage granted only to ones with
> correct e-mail field, group membership (and enablement of the ID)
> - but some pieces are still missing:
>   - I'm still reviewing e.g. correct postfix restrictions and
> documenting the full setup
>   - there's missing support for GUI configuration domain aliases, user
> aliases, sender/receiver Bcc support, quota setup, etc. even if
> something is manageable via ipa-admintools and LDAP attributes
> 
> I would like to finish it asap, within a week or two, cause I run this
> e-mail system at home (as somebody already mentioned, why not?) and I
> don't like it unfinished. ;)
> 
> But to give you a good place to start: have a look to iRedMail project, 
> http://www.iredmail.org/, ZhangHuangbin's product is great and it helped
> me a lot to prepare what I described above. There's no support for
> 'old-style' HA, but you can still run it 'HA' on VM with all the benefits,
> and there's not direct support for FreeIPA integration, but guideline
> for ActiveDirectory integration exists, so you can start there:
> http://www.iredmail.org/docs/active.directory.html.
> 
> As Natxo mentioned, it all depends what kind of integration you want and
> what do you expect from mail setup. ;)
> 
> Martin

Looks as a decent amount of work included in this. BTW, if you have cycles to
contribute a How To to http://www.freeipa.org/page/HowTos or update/improve
existing guides there, I think other FreeIPA community members would be very
very grateful :-)

Thanks,
Martin



Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Ranbir
On Sun, 2015-12-13 at 21:56 +0100, Natxo Asenjo wrote:
> so what have you tried?

A number of things. However, I've been able to get past the SASL GSSAPI
error I was seeing in Postfix. Now I've run into another issue though I
don't think it's related to freeipa.

I'm going to post what I did once I have a working setup. In the
meantime, I have other questions.

How would one handle an email only user in freeipa? I have mail
accounts that aren't attached to a real person and yet I need the
"user" to exist in freeipa.

-- 
Ranbir



Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Ranbir
On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote:
> How would one handle an email only user in freeipa? I have mail
> accounts that aren't attached to a real person and yet I need the
> "user" to exist in freeipa.

Should I just create a normal user account, set the password and mail
and disable logins?

-- 
Ranbir



Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Simo Sorce
On Mon, 2015-12-14 at 13:38 -0500, Ranbir wrote:
> On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote:
> > How would one handle an email only user in freeipa? I have mail
> > accounts that aren't attached to a real person and yet I need the
> > "user" to exist in freeipa.
> 
> Should I just create a normal user account, set the password and mail
> and disable logins?

There are a few ways to go about it.

another way is to use a custom subtree + schema to store these emails
only.

It really depends on what kind of tools you want to use to manage the
information too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Ranbir
On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> what exactly do you want to achieve? 'Integrate' could mean a couple 
> of things, so please specify. 

Ya, that was lame. Let me elaborate.

I have a postfix server and a dovecot server: both are running in
separate KVMs. They're on different subnets and they have a firewall in
between. I've opened up ports to allow them to talk to each other
because the postfix server is using dovecot for smtp auth and lmtp for
mail delivery. The dovecot users are in a password file. At the moment,
my mail setup is working perfectly.

I have a master IPA server on the same network as the dovecot box.
There's a replica IPA server on the postfix server's network. Both
servers are joined to the IPA domain although they are in different DNS
domains (which doesn't really matter here, I guess).

I would like to move postfix and dovecot to use IPA for sasl auth and
for managing the virtual mailboxes. I have a good idea of how this is
all supposed to work together. What I need are the actual steps to get
it done.

 
-- 
Ranbir



Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Natxo Asenjo
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir wrote:

> On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> > what exactly do you want to achieve? 'Integrate' could mean a couple
> > of things, so please specify.
>




> I would like to move postfix and dovecot to use IPA for sasl auth and
> for managing the virtual mailboxes. I have a good idea of how this is
> all supposed to work together. What I need are the actual steps to get
> it done.
>

so what have you tried?

--
Groeten,
natxo

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Natxo Asenjo
hi Ranbir,


On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote:

> Hi All,
>
> I want to integrate my Postfix server with IPA. I've found a couple of
> documents on how this can be done, but they don't accomplish the feat
> the same way (they're also not discussing the exact same end goal). I'm
> left wondering how exactly to integrate IPA and Postfix.
>
>
what exactly do you want to achieve? 'Integrate' could mean a couple of
things, so please specify.

--
Groeten,
natxo

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Martin Štefany
Hello Ranbir,

I'm working on this, even today I was putting more things together.
(That DRAFT is really uncommented version of what I currently have). And
I've opened also https://fedorahosted.org/freeipa/ticket/5521 to get a
bit more out of it.

To sum it up what I've put together:
- Postfix for SMTP MTA
- Dovecot for IMAP (no POP3)
- Amavisd-new with ClamAV and SpamAssassin for Antispam / Antivirus /
additional header checks, etc.
- SPF, DKIM, DMARC support for both sending and receiving mail
- setup is HA thanks to DNS records, and 2 separate systems running
almost identical configuration and Dovecot replicates mailboxes using
dsync
- PLAIN / LOGIN / GSSAPI authentication for SSO login thanks to FreeIPA
(integration with Evolution on Fedora/RHEL/CentOS desktop joined to
FreeIPA domain works also great)
- users, of course, stored in FreeIPA, usage granted only to ones with
correct e-mail field, group membership (and enablement of the ID)
- but some pieces are still missing:
  - I'm still reviewing e.g. correct postfix restrictions and
documenting the full setup
  - there's missing support for GUI configuration domain aliases, user
aliases, sender/receiver Bcc support, quota setup, etc. even if
something is manageable via ipa-admintools and LDAP attributes

I would like to finish it asap, within a week or two, cause I run this
e-mail system at home (as somebody already mentioned, why not?) and I
don't like it unfinished. ;)

But to give you a good place to start: have a look to iRedMail project, 
http://www.iredmail.org/, ZhangHuangbin's product is great and it helped
me a lot to prepare what I described above. There's no support for
'old-style' HA, but you can still run it 'HA' on VM with all the benefits,
and there's not direct support for FreeIPA integration, but guideline
for ActiveDirectory integration exists, so you can start there:
http://www.iredmail.org/docs/active.directory.html.

As Natxo mentioned, it all depends what kind of integration you want and
what do you expect from mail setup. ;)

Martin




On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> hi Ranbir,
> 
> 
> On Fri, Dec 11, 2015 at 9:29 PM, Ranbir 
> wrote:
> > Hi All,
> > 
> > I want to integrate my Postfix server with IPA. I've found a couple
> > of
> > documents on how this can be done, but they don't accomplish the
> > feat
> > the same way (they're also not discussing the exact same end goal).
> > I'm
> > left wondering how exactly to integrate IPA and Postfix.
> > 
> what exactly do you want to achieve? 'Integrate' could mean a couple
> of things, so please specify. 
> 
> --
> Groeten,
> natxo

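
The access rule described in Martin Štefany's message (correct e-mail field, group membership, enabled ID), combined with the /sbin/nologin mail-only accounts from Ranbir's message, as an added example that is not part of the thread or of anyone's actual configuration. The realm suffix, the `mailusers` group and the sample entries are assumptions constructed for illustration; the attribute names are the standard ones on FreeIPA user entries.

```python
# Added example: the base DN, group name and sample entries are assumptions.
MAIL_GROUP = "cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com"  # assumed
NOLOGIN = "/sbin/nologin"  # shell Ranbir set on the mail-only accounts

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping, so a recipient address cannot rewrite the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def mailbox_filter(address):
    """LDAP filter: e-mail field matches, member of mail group, ID enabled."""
    return "(&(objectClass=inetOrgPerson)(mail=%s)(memberOf=%s)(!(nsAccountLock=TRUE)))" % (
        escape_filter_value(address), MAIL_GROUP)


def may_use_mail(entry, address):
    """Apply the same three conditions to an entry already read from LDAP."""
    mails = [m.lower() for m in entry.get("mail", [])]
    groups = [g.lower() for g in entry.get("memberOf", [])]
    locked = entry.get("nsAccountLock", ["FALSE"])[0].upper() == "TRUE"
    return address.lower() in mails and MAIL_GROUP.lower() in groups and not locked


def audit(entries):
    """Per uid: (mail allowed for its first address, has an interactive shell)."""
    report = {}
    for e in entries:
        address = e.get("mail", [""])[0]
        interactive = e["loginShell"][0] != NOLOGIN
        report[e["uid"][0]] = (may_use_mail(e, address), interactive)
    return report


# Constructed entries, shaped like LDAP search results (attribute -> values).
SAMPLE = [
    {"uid": ["alice"], "mail": ["alice@example.com"], "memberOf": [MAIL_GROUP],
     "loginShell": ["/bin/bash"]},
    {"uid": ["shared-inbox"], "mail": ["info@example.com"], "memberOf": [MAIL_GROUP],
     "loginShell": [NOLOGIN]},
    {"uid": ["bob"], "mail": ["bob@example.com"], "memberOf": [],
     "loginShell": ["/bin/bash"]},
    {"uid": ["carol"], "mail": ["carol@example.com"], "memberOf": [MAIL_GROUP],
     "nsAccountLock": ["TRUE"], "loginShell": ["/bin/bash"]},
]

if __name__ == "__main__":
    print(mailbox_filter("info@example.com"))
    for uid, (allowed, interactive) in audit(SAMPLE).items():
        print(uid, "mail:", allowed, "interactive shell:", interactive)
```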