Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Ondrej Valousek



Hey, sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging Kerberos in your configuration for SSO. You might want to
think about doing this as it can be a pretty nice configuration.

Essentially you would just need to add service principals for the host
in the form of imap and/or pop, and change the auth line in your dovecot
config to allow for gssapi auth, like so:

sed -i -r 's/^(\s*(auth_)?mechanisms =).*/\1 gssapi plain/' /etc/dovecot/conf.d/10-auth.conf   # auth_mechanisms in Dovecot 2.x, bare mechanisms in 1.x

Then assuming your user has a ticket, and their client is properly
configured, they no longer need to do anything upon logging into their
system, kerb will auth the rest.

If you are on a multihomed system, you will need two additional changes,
service principals for the other host name, and the following modification:
sed -i -r 's/^#?auth_gssapi_hostname.*/auth_gssapi_hostname = $ALL/' /etc/dovecot/conf.d/10-auth.conf

I got a little caught up when you referenced the /etc/krb5.keytab file
as possibly part of the problem so I thought this was more a kerb issue.

Exactly, I was confused by this as well - I would like to see this working,
too. But I would say we would need to do something with the permissions on
/etc/krb5.keytab, which is now (by default) only readable by root. We need to
address this problem more generally, as when integrating the BIND DNS server
you hit the same thing.

I would say something like an ACL entry would help.

Ondrej


Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish 
Exporters Association (IEA).  Please, refer to our web site for more details 
regarding the award.

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Stephen Gallagher
On Tue, 2012-01-31 at 10:22 +0100, Ondrej Valousek wrote:
 
   Hey, sounds good to me, just glad it is working for you :). The only
   other question/suggestion I have is that it looks like you aren't
   leveraging Kerberos in your configuration for SSO. You might want to
   think about doing this as it can be a pretty nice configuration.
   
   Essentially you would just need to add service principals for the host
   in the form of imap and/or pop, and change the auth line in your dovecot
   config to allow for gssapi auth, like so:
   
   sed -i -r 's/^(\s*(auth_)?mechanisms =).*/\1 gssapi plain/' /etc/dovecot/conf.d/10-auth.conf
   
   Then assuming your user has a ticket, and their client is properly
   configured, they no longer need to do anything upon logging into their
   system, kerb will auth the rest.
   
   If you are on a multihomed system, you will need two additional changes,
   service principals for the other host name, and the following 
   modification:
   sed -i -r 's/^#?auth_gssapi_hostname.*/auth_gssapi_hostname = $ALL/' /etc/dovecot/conf.d/10-auth.conf
   
   I got a little caught up when you referenced the /etc/krb5.keytab file
   as possibly part of the problem so I thought this was more a kerb issue.
   
 Exactly, I was confused by this as well - I would like to see this
 working, too. But I would say we would need to do something with the
 permissions on /etc/krb5.keytab, which is now (by default) only
 readable by root. We need to address this problem more generally, as
 when integrating the BIND DNS server you hit the same thing.
 I would say something like an ACL entry would help.


I fail to see why non-root processes should be trying to
read /etc/krb5.keytab at all. You should be generating a per-service
keytab with only the keys necessary for that service to authenticate
itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
is readable only by the dovecot user.

The problem with allowing access to /etc/krb5.keytab is that it means
that an exploit in another process (especially a mail server!) could
gain access to the keys necessary to impersonate your host in kerberized
applications on the network. That's really dangerous.



Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Ondrej Valousek




I fail to see why non-root processes should be trying to
read /etc/krb5.keytab at all. You should be generating a per-service
keytab with only the keys necessary for that service to authenticate
itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
is readable only by the dovecot user.

The problem with allowing access to /etc/krb5.keytab is that it means
that an exploit in another process (especially a mail server!) could
gain access to the keys necessary to impersonate your host in kerberized
applications on the network. That's really dangerous.
Right, but that's exactly what is happening with kerberized BIND, right? As
far as I understand, you need to chown /etc/krb5.keytab to 'named' first.

In general, you are probably right; the only problem is that most of the
Linux kerberized services expect krb5.keytab in /etc. Moreover, in a
situation where winbind (or later maybe even sssd, for example) maintains
the system Kerberos database, we would need some means to tell it to
maintain more database files in multiple locations, and that is too messy.

Maybe it is time to introduce some simple database layer on top of
/etc/krb5.keytab which would handle the permissions correctly?
Applications/services would need to talk to this layer and not to
krb5.keytab directly.



Ondrej




Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Simo Sorce
On Tue, 2012-01-31 at 13:58 +0100, Ondrej Valousek wrote:
 
 
  I fail to see why non-root processes should be trying to
  read /etc/krb5.keytab at all. You should be generating a per-service
  keytab with only the keys necessary for that service to authenticate
  itself to the KDC. So you might have /etc/dovecot/dovecot.keytab which
  is readable only by the dovecot user.
  
  The problem with allowing access to /etc/krb5.keytab is that it means
  that an exploit in another process (especially a mail server!) could
  gain access to the keys necessary to impersonate your host in kerberized
  applications on the network. That's really dangerous.
 Right, but that's exactly what is happening with kerberized BIND,
 right? As far as I understand, you need to chown /etc/krb5.keytab to
 'named' first.

Not at all, in freeipa we create a /etc/named/dns.keytab (or similar)
and we put there the keys for the DNS/fqdn@REALM principal.

 In general, you are probably right, the only problem is that most of
 the Linux kerberized services expect krb5.keytab in /etc.

/etc/krb5.keytab is simply the default keytab location; you just need to
set the KRB5_KTNAME env variable right before service startup (init
scripts or systemd unit files) to make them use a different default.
Some let you explicitly define the keytab location in their config to
avoid having to mess with environment variables.

 Moreover, in situation where winbind (or later maybe even sssd, for
 example) maintains the system Kerberos database, we would need some
 means to tell him to maintain more database files on multiple
 locations - and that is too messy.

These tools maintain only the host/ or at most the cifs/ keytab
normally.
The other keytabs are not, although with AD that's messy as AD aliases
all keys to the host/ one. That is a bad issue with AD that I plan to
fix in the spring via the gss-proxy project I am working on.

 Maybe a time to introduce some simple database layer on the top of
 the /etc/krb5.keytab which would handle the permissions correctly?

See https://fedorahosted.org/gss-proxy/
I know there isn't much info yet.

Some info is here, but also needs a bit of updating:
http://k5wiki.kerberos.org/wiki/Projects/ProxyGSSAPI

  Applications/services would need to talk to this layer and not
 krb5.keytab directly.

That's completely right, working on that :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Sigbjorn Lie

On 01/31/2012 05:07 PM, Dale Macartney wrote:


sed -i 's-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g' /etc/dovecot/conf.d/10-auth.conf



Perhaps I could recommend to retrieve the imap/imaps keytabs into a 
separate keytab file, and configure the auth_krb5_keytab config file 
option in dovecot.conf to point to this file. This increases the 
security by a tenfold as pointed out earlier in this thread.




Regards,
Siggi



Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


thanks Siggi,

I was just browsing past those mails from earlier today as well... I'll
make those changes before it goes on the wiki.



On 01/31/2012 04:37 PM, Sigbjorn Lie wrote:
 On 01/31/2012 05:07 PM, Dale Macartney wrote:

 sed -i 's-#auth_krb5_keytab =-auth_krb5_keytab = /etc/krb5.keytab-g' /etc/dovecot/conf.d/10-auth.conf


 Perhaps I could recommend to retrieve the imap/imaps keytabs into a
separate keytab file, and configure the auth_krb5_keytab config file
option in dovecot.conf to point to this file. This increases the
security by a tenfold as pointed out earlier in this thread.



 Regards,
 Siggi


Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Dale Macartney


All

I just found the culprit for the selinux error

I had the user's home dir automatically created when I was testing that
the account was working.

ssh us...@mail02.example.com... etc

For some reason, the selinux context of the user's homedir is set to
home_root_t instead of user_home_dir_t.

Once a restorecon was run on /home (restorecon -R /home) the selinux
errors disappeared when accessing mail via imap.

I'll do a write up of the details for the wiki so it is documented.


Dale




Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Simo Sorce
On Tue, 2012-01-31 at 21:03 +, Dale Macartney wrote:
 
 
 Hi Simo
 
 I have used oddjob in the past and it works a treat, however this was
 with ipa-client-install..
 
 I was just dabbling around with the script over dinner and saw you were
 an author...
 
 whenever I use the flag --mkhomedir with ipa-client-install, I get the
 wrong contexts on the home dirs...
 
 I raised a bugzilla ticket just before I left the office. Bug *786223*
 https://bugzilla.redhat.com/show_bug.cgi?id=786223.
 
 I'll keep playing with it and see what I come across. I'll feed back if
 anything useful comes up.

I am going to mark it as duplicate of
https://bugzilla.redhat.com/show_bug.cgi?id=647589 as that is an
authconfig bug.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-31 Thread Stephen Gallagher
On Tue, 2012-01-31 at 21:03 +, Dale Macartney wrote:
 
 
 Hi Simo
 
 I have used oddjob in the past and it works a treat, however this was
 with ipa-client-install..
 
 I was just dabbling around with the script over dinner and saw you were
 an author...
 
 whenever I use the flag --mkhomedir with ipa-client-install, I get the
 wrong contexts on the home dirs...
 
 I raised a bugzilla ticket just before I left the office. Bug *786223*
 https://bugzilla.redhat.com/show_bug.cgi?id=786223.
 
 I'll keep playing with it and see what I come across. I'll feed back if
 anything useful comes up.

Yeah, ipa-client-install just invokes 'authconfig --update
--enablemkhomedir'

Authconfig's GUI version will auto-detect the presence of
pam_oddjob_mkhomedir and prefer that over pam_mkhomedir, but it appears
the command-line version always configures pam_mkhomedir.

We need to get that fixed in authconfig.



Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Ondrej Valousek

Dovecot is not running as root - can't read your krb5.keytab...?

On 01/30/2012 01:16 PM, Dale Macartney wrote:


Hi all

I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
2.1 and experimenting with simple mail server setups.

I have mail being received based on PAM lookups from IPA. The mail server
is tapped into IPA via ipa-client-install.

I am using a default install of the dovecot rpm from RHN, and dovecot is
listening via imap/imaps, however all authentication requests fail when
attempting to login via imap..

I added the necessary keytabs for imap/mail.example.com and
imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed
authentication.

has anyone set up dovecot through IPA before? Any recommendations?


thanks all

Dale






Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dmitri Pal
On 01/30/2012 07:16 AM, Dale Macartney wrote:

 Hi all

 I'm working on a test lab setup at the moment with RHEL 6.2 running IPA
 2.1 and experimenting with simple mail server setups.

 I have mail being received based on PAM lookups from IPA. The mail server
 is tapped into IPA via ipa-client-install.

 I am using a default install of the dovecot rpm from RHN, and dovecot is
 listening via imap/imaps, however all authentication requests fail when
 attempting to login via imap..

 I added the necessary keytabs for imap/mail.example.com and
 imaps/mail.example.com to /etc/krb5.keytab but this hasn't allowed
 authentication.

 has anyone set up dovecot through IPA before? Any recommendations?


Hi Dale,

Would you be so kind as to share with the list a little bit more detail
about how to set up Dovecot with IPA? If you can provide step-by-step
instructions we would publish them on the FreeIPA wiki.

Thank you
Dmitri


 thanks all

 Dale





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dmitri Pal
On 01/30/2012 11:42 AM, Dale Macartney wrote:



 Of course Dmitri

 Here you go. I was actually trying to resolve this for an automated
 kickstart process anyway. The details specific to dovecot are in the
 middle.

 # Connect server to IPA domain (ensure DNS is working correctly
 # otherwise this step will fail)
 ipa-client-install -U -p admin -w mysecretpassword

 # install postfix if necessary (installed by default in rhel6)
 yum -y install postfix

 # set postfix to start on boot
 chkconfig postfix on

 # configure postfix with hostname, domain and origin details
 sed -i 's/#myhostname = host.domain.tld/myhostname = servername.example.com/g' /etc/postfix/main.cf
 sed -i 's/#mydomain = domain.tld/mydomain = example.com/g' /etc/postfix/main.cf
 sed -i 's/#myorigin = $mydomain/myorigin = $mydomain/g' /etc/postfix/main.cf

 # configure postfix to listen on all interfaces
 sed -i 's/#inet_interfaces = all/inet_interfaces = all/g' /etc/postfix/main.cf
 sed -i 's/inet_interfaces = localhost/#inet_interfaces = localhost/g' /etc/postfix/main.cf

 # apply postfix changes
 service postfix restart

 # Install dovecot
 yum -y install dovecot

 # set dovecot to start on boot
 chkconfig dovecot on

 # set dovecot to listen on imap and imaps only
 sed -i 's/#protocols = imap pop3 lmtp/protocols = imap imaps/g' /etc/dovecot/dovecot.conf

 # point dovecot to required mailbox directory (This is the section
 # that was previously failing)
 echo 'mail_location = mbox:~/mail:INBOX=/var/mail/%u' >> /etc/dovecot/dovecot.conf

 # reload dovecot to apply changes
 service dovecot restart

 # Apply working IPtables
 cat > /etc/sysconfig/iptables << 'EOF'
 # Generated by iptables-save v1.4.7 on Tue Jan 10 12:17:41 2012
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [29:4596]
 -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
 # Completed on Tue Jan 10 12:17:41 2012
 EOF

 With the above details, I am able to replicate a 100% working IPA
 authenticated mail server, allowing IPA users to retrieve mail via
 imap/imaps.

 I hope this helps.



A lot! Thanks!
http://freeipa.org/page/Dovecot_Integration


 Dale





Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


Hi Erinn

I originally asked the question as I was thinking my auth attempts were
failing when using ipa, however this was not the case.

On closer inspection, i found that the authentication was successful yet
dovecot was failing to read a missing mailbox.

I found that dovecot was simply missing the mailbox_location directive,
detailed below.

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Once I restarted dovecot with this extra line, the authentication was
again validated. I was then prompted to accept the self-signed
certificate from dovecot and I was able to retrieve the mail as intended.

Does this help clear things up?


Dale




Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Erinn Looney-Triggs
On 01/30/2012 10:20 AM, Dale Macartney wrote:
 
 Hi Erinn
 
 I originally asked the question as I was thinking my auth attempts were
 failing when using ipa, however this was not the case.
 
 On closer inspection, i found that the authentication was successful yet
 dovecot was failing to read a missing mailbox.
 
 I found that dovecot was simply missing the mailbox_location directive,
 detailed below.
 
 mail_location = mbox:~/mail:INBOX=/var/mail/%u
 
 Once I restarted dovecot with this extra line, the authentication was
 again validated. I was then prompted to accept the self-signed
 certificate from dovecot and I was able to retrieve the mail as intended.
 
 Does this help clear things up?
 
 
 Dale

 So I am a bit confused here, is this working for you or not? It looked
 like you were asking a question to begin with, but then at the end you
 are saying it is 100% working?
 
 Just trying to figure out whether you need help,
 -Erinn
 

Hey, sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging Kerberos in your configuration for SSO. You might want to
think about doing this as it can be a pretty nice configuration.

Essentially you would just need to add service principals for the host
in the form of imap and/or pop, and change the auth line in your dovecot
config to allow for gssapi auth, like so:

sed -i -r 's/^(\s*(auth_)?mechanisms =).*/\1 gssapi plain/' /etc/dovecot/conf.d/10-auth.conf   # auth_mechanisms in Dovecot 2.x, bare mechanisms in 1.x

Then assuming your user has a ticket, and their client is properly
configured, they no longer need to do anything upon logging into their
system, kerb will auth the rest.

If you are on a multihomed system, you will need two additional changes,
service principals for the other host name, and the following modification:
sed -i -r 's/^#?auth_gssapi_hostname.*/auth_gssapi_hostname = $ALL/' /etc/dovecot/conf.d/10-auth.conf

I got a little caught up when you referenced the /etc/krb5.keytab file
as possibly part of the problem so I thought this was more a kerb issue.

-Erinn
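A worked version of the two pieces of advice in this thread, Erinn's GSSAPI/SSO suggestion just above and the per-service keytab point made earlier by Stephen, Simo and Siggi, written as an added example: it is not code from any of them, nor from the FreeIPA wiki page. It fetches only the imap/ keys into a private keytab owned by the dovecot user (rather than opening /etc/krb5.keytab to the mail server), refuses to go on if a host/ key ended up in that file, checks owner and mode, and then sets auth_mechanisms, auth_krb5_keytab and auth_gssapi_hostname in 10-auth.conf with a helper that rewrites a directive exactly once whether it was commented out or not (a plain substitution on `auth_gssapi_hostname.*` leaves the default `#auth_gssapi_hostname =` line commented). The host name mail.example.com, the IPA server name, the keytab path and the DOVECOT_GSSAPI_APPLY switch are assumptions; the IPA and keytab steps need an admin ticket and run only when that switch is set, while the config and permission helpers work on any file and can be exercised on a copy.

```shell
#!/bin/sh
# Added example, not from the thread: Dovecot GSSAPI auth with a private
# per-service keytab. HOST, IPA_SERVER and KT are assumed names; the
# privileged steps only run when DOVECOT_GSSAPI_APPLY=1 is set.
set -eu

HOST=mail.example.com                 # assumption: FQDN of the Dovecot host
IPA_SERVER=ipa.example.com            # assumption: an IPA master
KT=/etc/dovecot/dovecot.keytab        # assumption: private keytab location
CONF=/etc/dovecot/conf.d/10-auth.conf # Dovecot 2.x auth config (path used in the thread)

# set_directive FILE KEY VALUE: rewrite the first "KEY =" line whether or
# not it is commented out, drop further duplicates, or append the directive
# if the file has none. Leaves all other lines untouched.
set_directive() {
    awk -v key="$2" -v val="$3" '
        $0 ~ "^#?[[:space:]]*" key "[[:space:]]*=" {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enable_gssapi CONF KEYTAB: the three directives Dovecot needs. "plain"
# stays after gssapi so clients without a ticket can still log in over TLS.
# $ALL makes Dovecot accept any service principal found in the keytab,
# which is what a multihomed host with imap/<name> for each name wants.
enable_gssapi() {
    set_directive "$1" auth_mechanisms "gssapi plain"
    set_directive "$1" auth_krb5_keytab "$2"
    set_directive "$1" auth_gssapi_hostname '$ALL'
}

# check_keytab FILE UID: succeed only if FILE exists, is owned by UID and is
# mode 0600, i.e. readable by the service account alone.
check_keytab() {
    [ -f "$1" ] || { echo "no keytab at $1" >&2; return 1; }
    got=$(stat -c '%u %a' "$1")
    [ "$got" = "$2 600" ] || {
        echo "keytab $1 has uid/mode '$got', want '$2 600'" >&2; return 1; }
}

# apply: needs an IPA admin ticket (kinit admin). ipa-getkeytab generates
# fresh keys for the principal, so fetch imap/ once, into this file only,
# and do not also pull it into /etc/krb5.keytab.
apply() {
    ipa service-add "imap/$HOST"
    ipa-getkeytab -s "$IPA_SERVER" -p "imap/$HOST" -k "$KT"
    chown dovecot:dovecot "$KT"   # Dovecot's auth process runs as default_internal_user
    chmod 0600 "$KT"
    # A private keytab must never carry the host/ key: that key is what an
    # exploited mail server would use to impersonate the whole host.
    if klist -k "$KT" | grep -q 'host/'; then
        echo "refusing: host/ key present in $KT" >&2
        return 1
    fi
    check_keytab "$KT" "$(id -u dovecot)"
    enable_gssapi "$CONF" "$KT"
    service dovecot restart
}

if [ "${DOVECOT_GSSAPI_APPLY:-0}" = 1 ]; then
    apply
fi
```

For a service that has no keytab option of its own, the same private keytab can be handed over with KRB5_KTNAME in its init script or unit file, as Simo describes above; the ownership and mode check applies unchanged.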







Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


Hey Erinn, funny you mention that actually, I was adding service
principals when I was first troubleshooting that.

SSO is definitely on the cards for me to be honest. I'll send
through the details to the list once I have a reproducible configuration :-)

thanks for the positive feedback.

Dale



On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
 On 01/30/2012 10:20 AM, Dale Macartney wrote:

 Hi Erinn

 I originally asked the question as I was thinking my auth attempts were
 failing when using ipa, however this was not the case.

 On closer inspection, i found that the authentication was successful yet
 dovecot was failing to read a missing mailbox.

 I found that dovecot was simply missing the mailbox_location directive,
 detailed below.

 mail_location = mbox:~/mail:INBOX=/var/mail/%u

 Once I restarted dovecot with this extra line, the authentication was
 again validated. I was then prompted to accept the self-signed
 certificate from dovecot and I was able to retrieve the mail as intended.

 Does this help clear things up?


 Dale

 So I am a bit confused here, is this working for you or not? It looked
 like you were asking a question to begin with, but then at then end you
 are saying it is 100% working?

 Just trying to figure out whether you need help,
 -Erinn


 Hey sounds good to me, just glad it is working for you :). The only
 other question/suggestion I have is that it looks like you aren't
 leveraging kerberos in your configuration for SSO, You might want to
 think about doing this as it can be a pretty nice configuration.

 Essentially you would just need to add service principals for the host
 in the form of imap and or pop, and change the auth line in your dovecot
 config to allow for gssapi auth, like so:

 sed -i -r 's/(\smechanisms =).*/\1 gssapi plain/'

 Then assuming your user has a ticket, and their client is properly
 configured, they no longer need to do anything upon logging into their
 system, kerb will auth the rest.

 If you are on a multihomed system, you will need two additional changes,
 service principals for the other host name, and the following modification:
 sed -i -r 's#auth_gssapi_hostname.*#auth_gssapi_hostname = $ALL#'

 I got a little caught up when you referenced the /etc/krb5.keytab file
 as possibly part of the problem so I thought this was more a kerb issue.

 -Erinn








Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Dale Macartney


;-) will do mate. I'm writing a list of items to cover at the moment
actually.


On 01/30/2012 08:02 PM, Dmitri Pal wrote:
 On 01/30/2012 02:50 PM, Dale Macartney wrote:
 
 Hey Erinn, funny you mention that actually, I was adding service
 principals when I was first troubleshooting that.

 SSO is definitely on the planned cards for me to be honest. I'll send
 through the details to the list once I have a reproducible
configuration :-)
 And to the page, please


 thanks for the positive feedback.

 Dale

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/







