Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/13/2013 12:48 PM, Anthony Messina wrote:
> On Wednesday, March 13, 2013 12:41:05 PM Dale Macartney wrote:
>> Silly mistake on my part. Simple perms issue with keytab file.
>>
>> Below is a working config of postfix with IPA user lookups and kerberos
>> authenticated sending.
>>
>> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
>> chown root:mail /etc/postfix/smtp.keytab
>> chmod 644 /etc/postfix/smtp.keytab
>>
>> postconf -e 'inet_interfaces = all'
>> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
>> postconf -e 'myorigin = $mydomain'
>> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
>> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
>> postconf -e 'smtpd_sasl_auth_enable = yes'
>> postconf -e 'smtpd_sasl_security_options = noanonymous'
>> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>> postconf -e 'broken_sasl_auth_clients = yes'
>> postconf -e 'smtpd_sasl_authenticated_header = yes'
>> postconf -e 'smtpd_sasl_local_domain = $mydomain'
>>
>> cat >> /etc/postfix/main.cf << EOF
>> virtual_alias_domains = example.com
>> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>> EOF
>>
>> cat > /etc/postfix/ldap_aliases.cf << EOF
>> server_host = ds01.example.com
>> search_base = cn=accounts,dc=example,dc=com
>> query_filter = (mail=%s)
>> result_attribute = uid
>> bind = no
>> start_tls = yes
>> version = 3
>> EOF
>>
>> postmap /etc/postfix/ldap_aliases.cf
>> restorecon -R /etc/postfix/
>>
>> cat > /etc/sasl2/smtpd.conf << EOF
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>> EOF
>>
>> sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd
>
> Glad you got it working. -A

New article published for those interested. Will copy across to the wiki also.

https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

Dale

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/13/2013 01:17 PM, Simo Sorce wrote:
> On Wed, 2013-03-13 at 12:41, Dale Macartney wrote:
>> chown root:mail /etc/postfix/smtp.keytab
>> chmod 644 /etc/postfix/smtp.keytab
>>
> NEVER ever use 644 on a keytab file.
>
> A keytab is like a password, if you make it accessible to everybody on a
> system you gave it up.
>
> Sorry to be harsh but I want to make it very clear for our users that
> keytabs are *secrets* and should *never* be made available to the whole
> system. It is exactly like putting a password in the clear in a file and
> making it accessible to everyone.
>
> In your case I guess you want to use 660 or 640.

Thanks for pointing out the typo. 640 is usual practice as the services
only need read access to the keytab.

> Simo.
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Wed, 2013-03-13 at 12:41, Dale Macartney wrote:
> chown root:mail /etc/postfix/smtp.keytab
> chmod 644 /etc/postfix/smtp.keytab

NEVER ever use 644 on a keytab file.

A keytab is like a password, if you make it accessible to everybody on a
system you gave it up.

Sorry to be harsh but I want to make it very clear for our users that
keytabs are *secrets* and should *never* be made available to the whole
system. It is exactly like putting a password in the clear in a file and
making it accessible to everyone.

In your case I guess you want to use 660 or 640.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
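The permission point made in the message above, turned into a check an operator can run against the keytab files on a mail host. This is an added example, not code from the thread or from FreeIPA or Postfix; it assumes GNU stat (the -c option, as on the Fedora/RHEL systems discussed here) and only judges the "other" class of the mode, since the thread accepts both 660 and 640 provided the rest of the system cannot read the file. The sample keytabs are constructed, empty files in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: audit keytab file modes.
# A keytab holds the service's long-term Kerberos keys, so no bit may be set
# for "other"; the thread's target is root:mail with mode 640 (660 also keeps
# the file away from the rest of the system). Assumes GNU stat -c (Linux).

# keytab_verdict PATH
# Prints one word: missing | world-accessible | ok
keytab_verdict() {
    path=$1
    if [ ! -f "$path" ]; then
        echo missing
        return 0
    fi
    # %a prints the octal mode without a leading zero: 644, 640, 4755 ...
    mode=$(stat -c '%a' "$path")
    # the last octal digit is the "other" class, whatever prefix bits are set
    other=${mode#"${mode%?}"}
    if [ "$other" -ne 0 ]; then
        echo world-accessible
    else
        echo ok
    fi
}

# keytab_report PATH
# One line per keytab with verdict, mode and owner:group, so the operator can
# compare what is on disk with the intended root:mail 640.
keytab_report() {
    path=$1
    verdict=$(keytab_verdict "$path")
    if [ "$verdict" = missing ]; then
        printf '%-17s %s\n' "$verdict" "$path"
    else
        printf '%-17s %s %s\n' "$verdict" "$(stat -c '%a %U:%G' "$path")" "$path"
    fi
}

# Demo on constructed files in a scratch directory; no real keytab is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/bad.keytab";  chmod 644 "$demo_dir/bad.keytab"    # mode from the original post
: > "$demo_dir/good.keytab"; chmod 640 "$demo_dir/good.keytab"   # mode the thread settled on
keytab_report "$demo_dir/bad.keytab"
keytab_report "$demo_dir/good.keytab"
keytab_report "$demo_dir/absent.keytab"
rm -rf "$demo_dir"
```

Run it with the real paths (for example /etc/krb5.keytab and /etc/postfix/smtp.keytab) in place of the demo files; ownership is printed rather than judged because the right group depends on which service reads the keytab.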
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Wednesday, March 13, 2013 12:41:05 PM Dale Macartney wrote:
> Silly mistake on my part. Simple perms issue with keytab file.
>
> Below is a working config of postfix with IPA user lookups and kerberos
> authenticated sending.
>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
> chown root:mail /etc/postfix/smtp.keytab
> chmod 644 /etc/postfix/smtp.keytab
>
> postconf -e 'inet_interfaces = all'
> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
> postconf -e 'myorigin = $mydomain'
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
> postconf -e 'broken_sasl_auth_clients = yes'
> postconf -e 'smtpd_sasl_authenticated_header = yes'
> postconf -e 'smtpd_sasl_local_domain = $mydomain'
>
> cat >> /etc/postfix/main.cf << EOF
> virtual_alias_domains = example.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> EOF
>
> cat > /etc/postfix/ldap_aliases.cf << EOF
> server_host = ds01.example.com
> search_base = cn=accounts,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
> start_tls = yes
> version = 3
> EOF
>
> postmap /etc/postfix/ldap_aliases.cf
> restorecon -R /etc/postfix/
>
> cat > /etc/sasl2/smtpd.conf << EOF
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> EOF
>
> sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd

Glad you got it working. -A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/13/2013 10:47 AM, Dale Macartney wrote:
> On 03/12/2013 02:05 PM, Anthony Messina wrote:
>> On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
>>> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>>>> # Import environment for Kerberos v5 GSSAPI
>>>>> import_environment =
>>>>>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>>>>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>>>>
>>>> Anthony, where were you declaring the above? In Squid, I've added the
>>>> keytab to the service startup script. Presumably it would be somewhere
>>>> similar?
>>>>
>>>> Dale
>>>
>>> In /etc/postfix/main.cf
>>
>> Sorry, I sent too fast. From man (5) postconf:
>>
>> import_environment (default: see postconf -d output)
>>     The list of environment parameters that a Postfix process will import
>>     from a non-Postfix parent process. Examples of relevant parameters:
>>
>>     TZ  Needed for sane time keeping on most System-V-ish systems.
>>
>>     DISPLAY
>>         Needed for debugging Postfix daemons with an X-windows debugger.
>>
>>     XAUTHORITY
>>         Needed for debugging Postfix daemons with an X-windows debugger.
>>
>>     MAIL_CONFIG
>>         Needed to make "postfix -c" work.
>>
>>     Specify a list of names and/or name=value pairs, separated by
>>     whitespace or comma. The name=value form is supported with Postfix
>>     version 2.1 and later.
>
> Things aren't really playing ball here.
>
> I've configured postfix from default install with the below changes.
>
> Am I missing something?
>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
> postconf -e 'inet_interfaces = all'
> postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
> postconf -e 'myorigin = $mydomain'
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
> postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
>
> cat >> /etc/postfix/main.cf << EOF
> virtual_alias_domains = example.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
> EOF
>
> cat > /etc/postfix/ldap_aliases.cf << EOF
> server_host = ds01.example.com
> search_base = cn=accounts,dc=example,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
> start_tls = yes
> version = 3
> EOF
>
> postmap /etc/postfix/ldap_aliases.cf
> restorecon -R /etc/postfix/
>
> cat > /etc/sasl2/smtpd.conf << EOF
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
> EOF
>
> LDAP lookups work perfectly, however kerberos authentication doesn't seem
> to want to work. I should mention, I am not using SSL (yet). Does
> sasl/gssapi have some form of prereq of SSL by any chance?
>
> Logs from maillog are as follows
>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]
>
> Thanks all

Silly mistake on my part. Simple perms issue with keytab file.

Below is a working config of postfix with IPA user lookups and kerberos
authenticated sending.

ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
chown root:mail /etc/postfix/smtp.keytab
chmod 644 /etc/postfix/smtp.keytab

postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_sasl_local_domain = $mydomain'

cat >> /etc/postfix/main.cf << EOF
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
EOF

cat > /etc/postfix/ldap_aliases.cf << EOF
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF

postmap /etc/postfix/ldap_aliases.cf
re
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/12/2013 02:05 PM, Anthony Messina wrote:
> On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
>> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>>> # Import environment for Kerberos v5 GSSAPI
>>>> import_environment =
>>>>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>>>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>>>
>>> Anthony, where were you declaring the above? In Squid, I've added the
>>> keytab to the service startup script. Presumably it would be somewhere
>>> similar?
>>>
>>> Dale
>>
>> In /etc/postfix/main.cf
>
> Sorry, I sent too fast. From man (5) postconf:
>
> import_environment (default: see postconf -d output)
>     The list of environment parameters that a Postfix process will import
>     from a non-Postfix parent process. Examples of relevant parameters:
>
>     TZ  Needed for sane time keeping on most System-V-ish systems.
>
>     DISPLAY
>         Needed for debugging Postfix daemons with an X-windows debugger.
>
>     XAUTHORITY
>         Needed for debugging Postfix daemons with an X-windows debugger.
>
>     MAIL_CONFIG
>         Needed to make "postfix -c" work.
>
>     Specify a list of names and/or name=value pairs, separated by
>     whitespace or comma. The name=value form is supported with Postfix
>     version 2.1 and later.

Things aren't really playing ball here.

I've configured postfix from default install with the below changes.

Am I missing something?

ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k /etc/postfix/smtp.keytab
postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e 'myorigin = $mydomain'
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'

cat >> /etc/postfix/main.cf << EOF
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
EOF

cat > /etc/postfix/ldap_aliases.cf << EOF
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF

postmap /etc/postfix/ldap_aliases.cf
restorecon -R /etc/postfix/

cat > /etc/sasl2/smtpd.conf << EOF
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
EOF

LDAP lookups work perfectly, however kerberos authentication doesn't seem to
want to work. I should mention, I am not using SSL (yet). Does sasl/gssapi
have some form of prereq of SSL by any chance?

Logs from maillog are as follows

Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]

Thanks all
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina wrote:
> On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>>> # Import environment for Kerberos v5 GSSAPI
>>> import_environment =
>>>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>>
>> Anthony, where were you declaring the above? In Squid, I've added the
>> keytab to the service startup script. Presumably it would be somewhere
>> similar?
>>
>> Dale
>
> In /etc/postfix/main.cf

Sorry, I sent too fast. From man (5) postconf:

import_environment (default: see postconf -d output)
    The list of environment parameters that a Postfix process will import
    from a non-Postfix parent process. Examples of relevant parameters:

    TZ  Needed for sane time keeping on most System-V-ish systems.

    DISPLAY
        Needed for debugging Postfix daemons with an X-windows debugger.

    XAUTHORITY
        Needed for debugging Postfix daemons with an X-windows debugger.

    MAIL_CONFIG
        Needed to make "postfix -c" work.

    Specify a list of names and/or name=value pairs, separated by
    whitespace or comma. The name=value form is supported with Postfix
    version 2.1 and later.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Tuesday, March 12, 2013 01:50:47 PM Dale Macartney wrote:
>> # Import environment for Kerberos v5 GSSAPI
>> import_environment =
>>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> Anthony, where were you declaring the above? In Squid, I've added the keytab
> to the service startup script. Presumably it would be somewhere similar?
>
> Dale

In /etc/postfix/main.cf

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated,
>>     permit_mynetworks,
>>     reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>     KRB5_KTNAME=/etc/postfix/smtp.keytab

Anthony, where were you declaring the above? In Squid, I've added the keytab
to the service startup script. Presumably it would be somewhere similar?

Dale

> -A
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/08/2013 02:34 PM, Anthony Messina wrote:
> On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
>>> authenticated SSO mail sending
>>
>> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
>> On the mail server you should obtain the keytab with ipa-getkeytab and
>> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated,
>>     permit_mynetworks,
>>     reject_unauth_destination
>>
>> Lastly, add to /etc/sasl2/smtpd.conf:
>> pwcheck_method: saslauthd
>> mech_list: GSSAPI PLAIN LOGIN
>>
>> Restart postfix and saslauthd and it should work.
>
> You *may* also need to update Postfix's environment:
>
> # Import environment for Kerberos v5 GSSAPI
> import_environment =
>     MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
>     KRB5_KTNAME=/etc/postfix/smtp.keytab
>
> -A

Thanks Anthony, that was actually going to be my next question as I prefer
to keep service specific keytabs.

Dale
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On Friday, March 08, 2013 08:09:20 AM Loris Santamaria wrote:
>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
>> authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.

You *may* also need to update Postfix's environment:

# Import environment for Kerberos v5 GSSAPI
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/etc/postfix/smtp.keytab

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
On 03/08/2013 12:39 PM, Loris Santamaria wrote:
> I can help you with items #1 and #2:
>
> On Fri, 08-03-2013 at 08:56, Dale Macartney wrote:
>> Hi all
>>
>> I've been reading through threads and threads of mailing lists and
>> google search results on this but most of the documentation isn't very
>> specific and is just vague enough for me not to make any progress.
>>
>> Would anyone be able to assist with the following setup of Postfix?
>>
>> Criteria is as follows
>>
>> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
>> (specific attribute or group membership might be required here as all
>> ipa users now have an email address value.)
>
> There are many ways to solve this, this is using the virtual transport.
> In /etc/postfix/main.cf:
>
> virtual_alias_domains = mydomain.com
> virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
>
> In /etc/postfix/ldap_aliases.cf:
>
> server_host = myipa1, myipa2
> search_base = cn=accounts,dc=mydomain,dc=com
> query_filter = (mail=%s)
> result_attribute = uid
> bind = no
>
> After editing /etc/postfix/ldap_aliases.cf you should run
> "postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
> should be able to by reading "man 5 ldap_table".

Now that worked like a charm, thanks very much. Will work on ldaps support
and see if it's possible.

>> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
>> authenticated SSO mail sending
>
> Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
> On the mail server you should obtain the keytab with ipa-getkeytab and
> save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_unauth_destination
>
> Lastly, add to /etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: GSSAPI PLAIN LOGIN
>
> Restart postfix and saslauthd and it should work.

Getting the below output in logs when attempting to auth via gssapi on port
25 (is gssapi supported on port 25? Could this be the cause?)

Is there any way to verify sasl auth remotely from a client other than in
postfix? I am using an ipa workstation and SSO with dovecot works fine so I
know the users' tickets are valid.

==> /var/log/maillog <==
Mar 8 14:15:02 mail03 postfix/smtpd[6226]: connect from unknown[10.0.1.101]
Mar 8 14:15:02 mail03 postfix/smtpd[6226]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Mar 8 14:15:02 mail03 postfix/smtpd[6226]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 8 14:15:02 mail03 postfix/smtpd[6226]: disconnect from unknown[10.0.1.101]

>> 3. Mail sending permission based on an LDAPS group membership, to
>> prevent unauthorised sending of mail from unknown users.
>
> Never done that but there is the definitive documentation:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
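The maillog excerpt above (and the identical one Dale posts again on March 12) shows the failure signature this thread ends up tracing to a keytab the smtpd process could not read. The following is an added example, not code from the thread or from Postfix, that summarises those warnings per client so an operator can tell a server-side cause (every client fails the same way) from a single client's bad ticket. It assumes the IPv4 `name[ip]` form postfix/smtpd uses in the thread's logs; the sample lines are constructed after the posted ones.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "SASL GSSAPI authentication
# failed" warnings that postfix/smtpd writes, per client address. When every
# client fails the same way, as in the thread, look at the server side first
# (here the smtpd process could not read its keytab); a single failing client
# points at that client's ticket instead. The sample lines are constructed
# after the ones posted in the thread.

# gssapi_failures_by_client
# Reads maillog lines on stdin, prints one "<client-ip> <count>" line per client.
gssapi_failures_by_client() {
    awk '
        # the client shows up as name[ip] immediately before the failure text
        /warning: / && match($0, /\[[^]]+\]: SASL GSSAPI authentication failed/) {
            ip = substr($0, RSTART + 1)   # from just after the "["
            sub(/\].*/, "", ip)           # cut at the matching "]"
            count[ip]++
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# Constructed sample, modelled on the thread's maillog excerpt (IPv4 clients).
SAMPLE_LOG='Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from unknown[10.0.1.101]
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from unknown[10.0.1.101]
Mar 12 15:52:03 mail01 postfix/smtpd[26241]: connect from unknown[10.0.1.102]
Mar 12 15:52:03 mail01 postfix/smtpd[26241]: warning: unknown[10.0.1.102]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:52:03 mail01 postfix/smtpd[26241]: disconnect from unknown[10.0.1.102]
Mar 12 15:53:10 mail01 postfix/smtpd[26242]: connect from unknown[10.0.1.101]
Mar 12 15:53:10 mail01 postfix/smtpd[26242]: warning: unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic failure
Mar 12 15:53:10 mail01 postfix/smtpd[26242]: disconnect from unknown[10.0.1.101]'

printf '%s\n' "$SAMPLE_LOG" | gssapi_failures_by_client
```

On a live host replace the sample with `gssapi_failures_by_client < /var/log/maillog`. The generic "SASL authentication failure: GSSAPI Error" line is deliberately not counted: it carries no client address and always accompanies the per-client line that is.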
Re: [Freeipa-users] Postfix and FreeIPA in a secure setup
I can help you with items #1 and #2:

On Fri, 08-03-2013 at 08:56, Dale Macartney wrote:
> Hi all
>
> I've been reading through threads and threads of mailing lists and
> google search results on this but most of the documentation isn't very
> specific and is just vague enough for me not to make any progress.
>
> Would anyone be able to assist with the following setup of Postfix?
>
> Criteria is as follows
>
> 1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
> (specific attribute or group membership might be required here as all
> ipa users now have an email address value.)

There are many ways to solve this, this is using the virtual transport.
In /etc/postfix/main.cf:

virtual_alias_domains = mydomain.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf

In /etc/postfix/ldap_aliases.cf:

server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no

After editing /etc/postfix/ldap_aliases.cf you should run
"postmap /etc/postfix/ldap_aliases.cf". Not using LDAPS here, but you
should be able to by reading "man 5 ldap_table".

> 2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
> authenticated SSO mail sending

Create the service in ipa, "ipa service-add smtp/myserver.mydomain.com".
On the mail server you should obtain the keytab with ipa-getkeytab and
save it in /etc/krb5.keytab. Then add to /etc/postfix/main.cf :

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

Lastly, add to /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

Restart postfix and saslauthd and it should work.

> 3. Mail sending permission based on an LDAPS group membership, to
> prevent unauthorised sending of mail from unknown users.

Never done that but there is the definitive documentation:
http://www.postfix.org/RESTRICTION_CLASS_README.html

--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said a faster
horse" - Henry Ford
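The ldap_aliases.cf above queries the directory in cleartext, as its author notes, and the thread's final configuration later adds `start_tls = yes`; the original question asked for LDAPS. The following is an added example, not code from the thread or from Postfix, that reads a Postfix ldap: table file and reports which of the two encrypted transports ldap_table(5) offers it actually uses (`start_tls = yes`, or `ldaps://` URLs in `server_host`), treating anything else as cleartext. It assumes the `localhost` default ldap_table(5) applies when `server_host` is unset; the table files it inspects are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a Postfix ldap: table file
# queries the directory over an encrypted channel. ldap_table(5) gives two ways:
# "start_tls = yes" (STARTTLS on the plain port, what the thread's final config
# uses) or ldaps:// URLs in server_host (LDAPS, what the original question asked
# for). Anything else sends every recipient lookup in cleartext.

# ldap_table_transport FILE
# Prints starttls | ldaps | cleartext
ldap_table_transport() {
    file=$1
    if grep -Eq '^[[:space:]]*start_tls[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$file"; then
        echo starttls
        return 0
    fi
    # server_host may list several hosts separated by commas and/or spaces
    hosts=$(sed -n 's/^[[:space:]]*server_host[[:space:]]*=[[:space:]]*//p' "$file" | tr ',' ' ')
    # ldap_table(5) default when server_host is not set
    [ -n "$hosts" ] || hosts=localhost
    verdict=ldaps
    for h in $hosts; do
        case $h in
            ldaps://*) ;;                 # encrypted from the first byte
            *) verdict=cleartext ;;       # one plain host is enough to leak lookups
        esac
    done
    echo "$verdict"
}

# Demo on constructed table files in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ldap_aliases_plain.cf" <<'EOF'
server_host = myipa1, myipa2
search_base = cn=accounts,dc=mydomain,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
EOF
cat > "$demo_dir/ldap_aliases_starttls.cf" <<'EOF'
server_host = ds01.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF
cat > "$demo_dir/ldap_aliases_ldaps.cf" <<'EOF'
server_host = ldaps://ds01.example.com, ldaps://ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
EOF
for f in "$demo_dir"/*.cf; do
    printf '%-10s %s\n' "$(ldap_table_transport "$f")" "$f"
done
rm -rf "$demo_dir"
```

A mixed `server_host` list (one `ldaps://` URL beside a plain host name) is reported as cleartext on purpose: Postfix may fail over to any listed host, so the weakest entry sets the exposure.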
[Freeipa-users] Postfix and FreeIPA in a secure setup
Hi all

I've been reading through threads and threads of mailing lists and google
search results on this but most of the documentation isn't very specific
and is just vague enough for me not to make any progress.

Would anyone be able to assist with the following setup of Postfix?

Criteria is as follows

1. Alias list comes from IPA via LDAPS to verify a legitimate mail user
   (specific attribute or group membership might be required here as all
   ipa users now have an email address value.)

2. Kerberos / GSSAPI (I heard SASL can be used here as well) for
   authenticated SSO mail sending

3. Mail sending permission based on an LDAPS group membership, to prevent
   unauthorised sending of mail from unknown users.

I know a few list members have deployments of postfix and IPA already up
and running so if you could share your experience here that would be
fantastic.

Many thanks.

Dale