Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2015-03-02 Thread Christian
Stephen Ingram sbingram@... writes:


 2. Configuration - With Postfix, you can set all different areas (e.g.
 virtual, aliases, etc.) to use LDAP lookup of configuration
 information. You are typically searching for the email address (mail
 attribute in IPA) and your search will generally return the userid
 (uid attribute) of where the mail is to be stored. .../...
 Steve
 
Playing with IPA too in order to better understand what it provides and how
to use it, I realized that like almost any other solution that brings
its own LDAP back-end, IPA does it à la Microsoft, which means that the IPA
LDAP server is used for IPA purposes only (from what I understand so far).
If you want to rely on LDAP for mail delivery, e.g. 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Simo Sorce
On Wed, 2012-10-31 at 11:34 +1000, Peter Brown wrote:
 Hi everyone,
 
 
 I have been trying to work out how to achieve this.
 I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix
 and dovecot on my new mail server authenticating against Freeipa.
 One last thing I would love to do is pull down the virtual users and
 aliases for the domains my mailserver will be serving from freeipa.
 Is this possible?
 Is this all automatic due to sssd looking up the user details in the
 ds?
 Does it do the same for domains and email aliases or will I need extra
 lookups to achieve this.

A long time ago I used the excellent support in postfix to route mail
based on data in ldap, however I have no idea how dovecot's support for
that is.

FreeIPA will create a single domain for you atm, but you can indeed
associate any email address to a user, however sssd does not have any
facility to resolve a user by email address, so unless you just care
about the default domain (in which case you can lookup users via sssd
just like you would against /etc/passwd) I think you'll have to
configure your daemons to lookup data directly via ldap.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Dmitri Pal
On 10/30/2012 09:34 PM, Peter Brown wrote:
 Hi everyone,

 I have been trying to work out how to achieve this.
 I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix
 and dovecot on my new mail server authenticating against Freeipa.
 One last thing I would love to do is pull down the virtual users and
 aliases for the domains my mailserver will be serving from freeipa.
 Is this possible?
 Is this all automatic due to sssd looking up the user details in the ds?
 Does it do the same for domains and email aliases or will I need extra
 lookups to achieve this.

 Thanks in advance.
 Pete.


I am not sure if anything on those pages is relevant to what you are
trying to accomplish but they talk about FreeIPA and dovecot integration:
http://www.freeipa.org/page/Dovecot_Integration
http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
If not the author of the pages - Dale might have more experience with
the similar environment and might have tried what you are looking for.

HTH

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:
 Hi everyone,

 I have been trying to work out how to achieve this.
 I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and
 dovecot on my new mail server authenticating against Freeipa.
 One last thing I would love to do is pull down the virtual users and aliases
 for the domains my mailserver will be serving from freeipa.
 Is this possible?
 Is this all automatic due to sssd looking up the user details in the ds?
 Does it do the same for domains and email aliases or will I need extra
 lookups to achieve this.

I've recently built an entire mail system around FreeIPA and it works
great. There are two parts to be concerned with:

1. Authentication - With Postfix, this is handled by saslauthd which
can authenticate against Kerberos (using or not using sssd). I used
Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has
its own sasl built in which can authenticate against Kerberos or
LDAP, thus it should work with IPA.

2. Configuration - With Postfix, you can set all different areas (e.g.
virtual, aliases, etc.) to use LDAP lookup of configuration
information. You are typically searching for the email address (mail
attribute in IPA) and your search will generally return the userid
(uid attribute) of where the mail is to be stored. I don't believe
that Dovecot or Cyrus-IMAP have any way of maintaining any
configuration in LDAP so you generally have to setup mailboxes and
authorization information by hand using their tools.

Steve



Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Stephen Ingram
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote:
 On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote:

 On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com wrote:
  Hi everyone,
 
  I have been trying to work out how to achieve this.
  I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and
  dovecot on my new mail server authenticating against Freeipa.
  One last thing I would love to do is pull down the virtual users and
  aliases
  for the domains my mailserver will be serving from freeipa.
  Is this possible?
  Is this all automatic due to sssd looking up the user details in the ds?
  Does it do the same for domains and email aliases or will I need extra
  lookups to achieve this.

 I've recently built an entire mail system around FreeIPA and it works
 great. There are two parts to be concerned with:

 1. Authentication - With Postfix, this is handled by saslauthd which
 can authenticate against Kerberos (using or not using sssd). I used
 Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has
 its own sasl built in which can authenticate against Kerberos or
 LDAP, thus it should work with IPA.


 I have dovecot authing against freeipa (via pam) and I set up a sasl auth
 instance in dovecot and have postfix authing against that.
 I figured why setup another sasl auth daemon when dovecot can do it for me
 so they effectively use the same authentication source.

 2. Configuration - With Postfix, you can set all different areas (e.g.
 virtual, aliases, etc.) to use LDAP lookup of configuration
 information. You are typically searching for the email address (mail
 attribute in IPA) and your search will generally return the userid
 (uid attribute) of where the mail is to be stored. I don't believe
 that Dovecot or Cyrus-IMAP have any way of maintaining any
 configuration in LDAP so you generally have to setup mailboxes and
 authorization information by hand using their tools.


 I have most of that worked out but getting delivery addresses for domains
 that aren't the base is proving tricky.
 It's looking like I will need to add some extra schemas to the ds so I can
 add the delivery domain to each user and somehow use that to construct the
 delivery address.
 I am not sure I can do that though.

I didn't really have to add anything except for one extra attribute.
You can group your users into user groups representing the domains
they belong to such that Postfix can query whether or not to accept
for a domain or not. I added mailAlternateAddress for aliases rather
than user multi-value attribute mail so I can have a master email
address for each user. It was easy to do with the existing schema
(mailRecipient objectclass). BTW if you haven't already figured it
out, postmap -q is your friend when setting up your LDAP config in
Postfix. Just keep adjusting everything until you get the answer you
(and Postfix) expect.

 I am half tempted to add the extra components of 389-ds and see if that will
 let me do what I need.

 On a side note the freeipa lads seem to be working out how to add
 multitenancy support so it will be capable of serving multiple separate
 Kerberos principals.
 That would help a lot but I need to cobble something together now.

Yes, if you want unique uid's within each domain you'll have to wait
for that. I gave up on that notion and simply require unique uids for
every user regardless of domain and deliver to single domain style
mail store setup.

Steve
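
A Postfix LDAP lookup table of the kind described in the message above, as an added example that is not part of the original thread or of anyone's posted configuration. The file path, host name, base DN `dc=example,dc=test`, the bind account DN and the `nsAccountLock` clause are assumptions; the `mail`, `mailAlternateAddress` and `uid` attributes and `postmap -q` come from the thread.

```ini
# /etc/postfix/ldap-aliases.cf  (path is an assumption)
# This file holds a bind password: owner root, group postfix, mode 0640.
#
# Referenced from main.cf as:
#   virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

# Constructed host name; replace with your IPA server.
server_host = ldap://ipa.example.test
version = 3

# Do not send the bind password or receive results over an unverified channel.
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = /etc/ipa/ca.crt

# Dedicated read-only account (hypothetical DN), not an admin or a user login.
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=test
bind_pw = CHANGE_ME

# Search only the user container, one level deep.
search_base = cn=users,cn=accounts,dc=example,dc=test
scope = one

# %s is the address being looked up; Postfix quotes LDAP filter
# metacharacters in it before substitution.
# Match the master address or an alias, and skip disabled accounts.
query_filter = (&(objectClass=posixAccount)(|(mail=%s)(mailAlternateAddress=%s))(!(nsAccountLock=TRUE)))

# Return the uid under which the mail is stored.
result_attribute = uid

# Check the map before wiring it into Postfix (constructed address):
#   postmap -q alice@example.test ldap:/etc/postfix/ldap-aliases.cf
# A match prints the uid; no match prints nothing and exits non-zero.
```

Querying an address that belongs to a disabled or nonexistent user should return nothing; if it returns a uid, the filter is too broad and Postfix would accept mail for it.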



Re: [Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix

2012-10-31 Thread Peter Brown
On 1 November 2012 15:07, Stephen Ingram sbing...@gmail.com wrote:

 On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown rendhal...@gmail.com wrote:
  On 1 November 2012 08:20, Stephen Ingram sbing...@gmail.com wrote:
 
  On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown rendhal...@gmail.com
 wrote:
   Hi everyone,
  
   I have been trying to work out how to achieve this.
   I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix
 and
   dovecot on my new mail server authenticating against Freeipa.
   One last thing I would love to do is pull down the virtual users and
   aliases
   for the domains my mailserver will be serving from freeipa.
   Is this possible?
   Is this all automatic due to sssd looking up the user details in the
 ds?
   Does it do the same for domains and email aliases or will I need extra
   lookups to achieve this.
 
  I've recently built an entire mail system around FreeIPA and it works
  great. There are two parts to be concerned with:
 
  1. Authentication - With Postfix, this is handled by saslauthd which
  can authenticate against Kerberos (using or not using sssd). I used
  Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has
  its own sasl built in which can authenticate against Kerberos or
  LDAP, thus it should work with IPA.
 
 
  I have dovecot authing against freeipa (via pam) and I set up a sasl auth
  instance in dovecot and have postfix authing against that.
  I figured why setup another sasl auth daemon when dovecot can do it for
 me
  so they effectively use the same authentication source.
 
  2. Configuration - With Postfix, you can set all different areas (e.g.
  virtual, aliases, etc.) to use LDAP lookup of configuration
  information. You are typically searching for the email address (mail
  attribute in IPA) and your search will generally return the userid
  (uid attribute) of where the mail is to be stored. I don't believe
  that Dovecot or Cyrus-IMAP have any way of maintaining any
  configuration in LDAP so you generally have to setup mailboxes and
  authorization information by hand using their tools.
 
 
  I have most of that worked out but getting delivery addresses for domains
  that aren't the base is proving tricky.
  It's looking like I will need to add some extra schemas to the ds so I
 can
  add the delivery domain to each user and somehow use that to construct
 the
  delivery address.
  I am not sure I can do that though.

 I didn't really have to add anything except for one extra attribute.
 You can group your users into user groups representing the domains
 they belong to such that Postfix can query whether or not to accept
 for a domain or not. I added mailAlternateAddress for aliases rather
 than user multi-value attribute mail so I can have a master email
 address for each user. It was easy to do with the existing schema
 (mailRecipient objectclass). BTW if you haven't already figured it
 out, postmap -q is your friend when setting up your LDAP config in
 Postfix. Just keep adjusting everything until you get the answer you
 (and Postfix) expect.


I discovered that attribute when I was digging around in the ldif files and
I was just wondering why they didn't use that for setting aliases.
It would certainly make my ldap queries for postfix a lot simpler.

I added the mailRecipient class to the defaults for users and tried to use
the ipa user-mod --setattr=mailAlternateAddress= and it is telling me

ipa: ERROR: attribute mailAlternateAddress not allowed

I have also tried to set a few other non standard attributes that seem to
be in the default schemas already and they all give me the same error.
Am I missing something?


 I am half tempted to add the extra components of 389-ds and see if that
 will
  let me do what I need.
 
  On a side note the freeipa lads seem to be working out how to add
  multitenancy support so it will be capable of serving multiple separate
  Kerberos principals.
  That would help a lot but I need to cobble something together now.

 Yes, if you want unique uid's within each domain you'll have to wait
 for that. I gave up on that notion and simply require unique uids for
 every user regardless of domain and deliver to single domain style
 mail store setup.



Yeah, that's tempting but I need to have separate domains.


 Steve
