Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
Stephen Ingram sbingram@... writes:

> 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored.
> .../...
> Steve

Playing with IPA too in order to better understand what it provides and how to use it, I realized that like almost any other solution that is bringing its own LDAP back-end, IPA makes it à la Microsoft, which means that IPA LDAP server is used for IPA purpose only (for what I understand so far). If you want to rely on LDAP for mail delivery, e.g. havi [...]

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Wed, 2012-10-31 at 11:34 +1000, Peter Brown wrote:

> Hi everyone,
>
> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa.
>
> Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this.

A long time ago I used the excellent support in postfix to route mail based on data in ldap, however I have no idea how's dovecot support for that.

FreeIPA will create a single domain for you atm, but you can indeed associate any email address to a user, however sssd does not have any facility to resolve a user by email address, so unless you just care about the default domain (in which case you can lookup users via sssd just like you would against /etc/passwd) I think you'll have to configure your daemons to lookup data directly via ldap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On 10/30/2012 09:34 PM, Peter Brown wrote:

> Hi everyone,
>
> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa.
>
> Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this.
>
> Thanks in advance.
> Pete.

I am not sure if anything on those pages is relevant to what you are trying to accomplish but they talk about FreeIPA and dovecot integration:

http://www.freeipa.org/page/Dovecot_Integration
http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

If not, the author of the pages - Dale - might have more experience with the similar environment and might have tried what you are looking for.

HTH

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:

> Hi everyone,
>
> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa.
>
> Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this.

I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with:

1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has its own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA.

2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored.

I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to set up mailboxes and authorization information by hand using their tools.

Steve
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote:

> On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote:
>
>> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:
>>
>>> Hi everyone,
>>>
>>> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa.
>>>
>>> Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this.
>>
>> I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with:
>>
>> 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has its own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA.
>
> I have dovecot authing against freeipa (via pam) and I set up a sasl auth instance in dovecot and have postfix authing against that. I figured why set up another sasl auth daemon when dovecot can do it for me so they effectively use the same authentication source.
>
>> 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored.
>>
>> I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to set up mailboxes and authorization information by hand using their tools.
>
> I have most of that worked out but getting delivery addresses for domains that aren't the base is proving tricky. It's looking like I will need to add some extra schemas to the ds so I can add the delivery domain to each user and somehow use that to construct the delivery address. I am not sure I can do that though.

I didn't really have to add anything except for one extra attribute. You can group your users into user groups representing the domains they belong to such that Postfix can query whether or not to accept for a domain or not. I added mailAlternateAddress for aliases rather than user multi-value attribute mail so I can have a master email address for each user. It was easy to do with the existing schema (mailRecipient objectclass). BTW if you haven't already figured it out, postmap -q is your friend when setting up your LDAP config in Postfix. Just keep adjusting everything until you get the answer you (and Postfix) expect.

> I am half tempted to add the extra components of 389-ds and see if that will let me do what I need. On a side note the freeipa lads seem to be working out how to add multitenancy support so it will be capable of serving multiple separate Kerberos principals. That would help a lot but I need to cobble something together now.

Yes, if you want unique uid's within each domain you'll have to wait for that. I gave up on that notion and simply require unique uids for every user regardless of domain and deliver to single domain style mail store setup.

Steve
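
The LDAP alias lookup described in the message above, written out as a Postfix LDAP table. This is an added example, not a configuration posted in the thread; the file name, server host, directory suffix, bind account and domains are assumptions to be replaced with local values.

```ini
# /etc/postfix/ldap-virtual-aliases.cf  (hypothetical file name)
# Added example. Host, suffix, bind account and domains are placeholders,
# not values from the thread.
#
# Referenced from main.cf as:
#   virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-aliases.cf

server_host = ldap://ipa.example.com
version = 3

# Encrypt the connection and verify the directory server's certificate so
# the bind password and lookups are not exposed on the network.
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ipa/ca.crt

# Bind as a dedicated read-only account rather than an admin or user DN.
# Because this file holds a password, keep it owner root, group postfix,
# mode 0640.
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = CHANGE_ME

search_base = cn=users,cn=accounts,dc=example,dc=com
scope = sub

# Only consult LDAP for addresses in domains this server hosts.
domain = example.org, example.net

# %s is the full address being looked up; Postfix quotes it before
# substituting it into the filter. Match either the primary address (mail)
# or an alias (mailAlternateAddress) and return the account name (uid).
query_filter = (&(objectClass=posixAccount)(|(mail=%s)(mailAlternateAddress=%s)))
result_attribute = uid

# Check the table from the shell before reloading Postfix:
#   postmap -q alice@example.org ldap:/etc/postfix/ldap-virtual-aliases.cf
# A match prints the entry's uid; no output means nothing matched.
```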
Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
On 1 November 2012 15:07, Stephen Ingram sbing...@gmail.com wrote:

> On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote:
>
>> On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote:
>>
>>> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> I have been trying to work out how to achieve this. I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and dovecot on my new mail server authenticating against Freeipa. One last thing I would love to do is pull down the virtual users and aliases for the domains my mailserver will be serving from freeipa.
>>>>
>>>> Is this possible? Is this all automatic due to sssd looking up the user details in the ds? Does it do the same for domains and email aliases or will I need extra lookups to achieve this.
>>>
>>> I've recently built an entire mail system around FreeIPA and it works great. There are two parts to be concerned with:
>>>
>>> 1. Authentication - With Postfix, this is handled by saslauthd which can authenticate against Kerberos (using or not using sssd). I used Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has its own sasl built in which can authenticate against Kerberos or LDAP, thus it should work with IPA.
>>
>> I have dovecot authing against freeipa (via pam) and I set up a sasl auth instance in dovecot and have postfix authing against that. I figured why set up another sasl auth daemon when dovecot can do it for me so they effectively use the same authentication source.
>>
>>> 2. Configuration - With Postfix, you can set all different areas (e.g. virtual, aliases, etc.) to use LDAP lookup of configuration information. You are typically searching for the email address (mail attribute in IPA) and your search will generally return the userid (uid attribute) of where the mail is to be stored.
>>>
>>> I don't believe that Dovecot or Cyrus-IMAP have any way of maintaining any configuration in LDAP so you generally have to set up mailboxes and authorization information by hand using their tools.
>>
>> I have most of that worked out but getting delivery addresses for domains that aren't the base is proving tricky. It's looking like I will need to add some extra schemas to the ds so I can add the delivery domain to each user and somehow use that to construct the delivery address. I am not sure I can do that though.
>
> I didn't really have to add anything except for one extra attribute. You can group your users into user groups representing the domains they belong to such that Postfix can query whether or not to accept for a domain or not. I added mailAlternateAddress for aliases rather than user multi-value attribute mail so I can have a master email address for each user. It was easy to do with the existing schema (mailRecipient objectclass). BTW if you haven't already figured it out, postmap -q is your friend when setting up your LDAP config in Postfix. Just keep adjusting everything until you get the answer you (and Postfix) expect.

I discovered that attribute when I was digging around in the ldif files and I was just wondering why they didn't use that for setting aliases. It would certainly make my ldap queries for postfix a lot simpler.

I added the mailRecipient class to the defaults for users and tried to use the ipa user-mod --setattr=mailAlternateAddress= and it is telling me ipa: ERROR: attribute mailAlternateAddress not allowed

I have also tried to set a few other non-standard attributes that seem to be in the default schemas already and they all give me the same error. Am I missing something?

>> I am half tempted to add the extra components of 389-ds and see if that will let me do what I need. On a side note the freeipa lads seem to be working out how to add multitenancy support so it will be capable of serving multiple separate Kerberos principals. That would help a lot but I need to cobble something together now.
>
> Yes, if you want unique uid's within each domain you'll have to wait for that. I gave up on that notion and simply require unique uids for every user regardless of domain and deliver to single domain style mail store setup.

Yeah, that's tempting but I need to have separate domains.

> Steve