Re: [Freeipa-users] postfix ipa

2013-11-29 Thread Martin Kosek
On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
 hi,
 
 just came across Erinn Looney-Triggs's excellent writeup on using
 kerberos for relaying e-mail
 (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
 and have a question.
 
 Would it not be possibly easier to just use the host's keytab
 (/etc/krb5.keytab) instead of just deploying a new service principal
 to every smtp client?
 
 I ask this because I am at the point of deploying something similar
 and would rather not have to deploy another set of keytabs
 everywhere unless this is a security malpractice, of course.
 
 TIA,
 --
 Greetings,
 natxo

Easier? Yes. More secure? Probably not.

Kerberos experts may correct me, but from my POV, it is better to separate
these privileges. If postfix works as host/`hostname`@REALM, it could act as the
host identity. For example, an attacker could change the host's SSH public keys in
the FreeIPA host entry in LDAP if it takes control of the mail service. Or it
could unenroll the host entirely from FreeIPA.

If it runs on its own keytab, and thus its own identity, it can only act on behalf
of itself.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
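Martin's separation argument is easy to verify on the relay itself: the keytab Postfix reads should contain only the SMTP service's keys, never the host/ key that /etc/krb5.keytab holds. The following is an added example, not code from the thread, from FreeIPA or from the blog post. It parses the MIT keytab file format (version 0x0502, big-endian: int32 record size, uint16 component count, realm, components, uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype, uint16 key length, key bytes, optional uint32 vno), lists the principals, flags any key outside the allowed service set and checks the file mode. The principal smtp/mail.example.com@EXAMPLE.COM, the realm and the key bytes are constructed; a real keytab would come from ipa-getkeytab. `klist -kt /etc/postfix/smtp.keytab` shows the same principal list by hand; the script is for running the check across many relays.

```python
"""Audit a Kerberos keytab: list its principals and flag keys that do not belong
to the service the file is meant for (e.g. a host/ key in Postfix's keytab).
Added example. MIT keytab layout (version 0x0502, big-endian): int32 size,
uint16 n_components, realm, components (each uint16 len + bytes), uint32
name_type, uint32 timestamp, uint8 vno8, uint16 enctype, uint16 keylen, key,
optional uint32 vno. The sample principals and key bytes are constructed."""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"

@dataclass
class KeytabEntry:
    principal: str  # e.g. smtp/mail.example.com@EXAMPLE.COM
    kvno: int
    enctype: int    # 18 = aes256-cts-hmac-sha1-96
    key: bytes

def _counted(s: str) -> bytes:  # uint16 length prefix + bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries into keytab bytes (used here to construct input)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, _, realm = e.principal.rpartition("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)) + _counted(realm))
        for c in comps:
            body += _counted(c)
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live record; a negative size marks a deleted slot to skip."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    def counted(p: int) -> Tuple[str, int]:
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(p)
            comps.append(c)
        vno8 = data[p + 8]  # skip uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key, p = data[p + 13:p + 13 + klen], p + 13 + klen
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
        pos = end
    return entries

def audit_principals(entries: List[KeytabEntry], allowed: set) -> List[str]:
    """Flag every key whose service part (text before '/') is not on the allow-list."""
    problems = []
    for e in entries:
        service = e.principal.split("/", 1)[0]
        if service not in allowed:
            problems.append(f"{e.principal}: '{service}/' key in a keytab reserved for {sorted(allowed)}")
    return problems

def audit_keytab_file(path: str, allowed: set) -> List[str]:
    """Principal check plus a permission check: group/other must have no access."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is accessible to group/other")
    with open(path, "rb") as fh:
        problems += audit_principals(parse_keytab(fh.read()), allowed)
    return problems

def demo() -> Tuple[List[str], List[str]]:
    """Write a Postfix keytab that wrongly also carries the host key, world-readable,
    and audit it; then write the corrected one (smtp/ only, mode 0600) and audit again."""
    smtp = KeytabEntry("smtp/mail.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32)  # constructed
    host = KeytabEntry("host/mail.example.com@EXAMPLE.COM", 5, 18, b"\x22" * 32)  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smtp.keytab")
        with open(path, "wb") as fh:
            fh.write(build_keytab([smtp, host]))
        os.chmod(path, 0o644)
        bad = audit_keytab_file(path, {"smtp"})
        with open(path, "wb") as fh:
            fh.write(build_keytab([smtp]))
        os.chmod(path, 0o600)
        good = audit_keytab_file(path, {"smtp"})
    return bad, good
```

A keytab that passes the audit holds only smtp/ keys, so a compromised Postfix can at most authenticate as the SMTP client principal; it cannot present host/`hostname` to the IPA API, which is what changing the host's SSH keys or unenrolling it would require. Point `audit_keytab_file` at the path you give Postfix via KRB5_KTNAME, not at /etc/krb5.keytab, whose host/ key is expected there.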


Re: [Freeipa-users] postfix ipa

2013-11-29 Thread Sumit Bose
On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
 On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
  hi,
  
  just came across Erinn Looney-Triggs's excellent writeup on using
  kerberos for relaying e-mail
  (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
  and have a question.
  
  Would it not be possibly easier to just use the host's keytab
  (/etc/krb5.keytab) instead of just deploying a new service principal
  to every smtp client?
  
  I ask this because I am at the point of deploying something similar
  and would rather not have to deploy another set of keytabs
  everywhere unless this is a security malpractice, of course.
  
  TIA,
  --
  Greetings,
  natxo
 
 Easier? Yes. More secure? Probably not.
 
 Kerberos experts may correct me, but from my POV, it is better to separate
 these privileges. If postfix works as host/`hostname`@REALM, it could act as the
 host identity. For example, an attacker could change the host's SSH public keys in
 the FreeIPA host entry in LDAP if it takes control of the mail service. Or it
 could unenroll the host entirely from FreeIPA.
 
 If it runs on its own keytab, and thus its own identity, it can only act on behalf
 of itself.

yes, reusing keytabs is like giving all users the same password and
making them aware of it.

bye,
Sumit

 
 Martin
 



Re: [Freeipa-users] Postfix IPA

2012-07-05 Thread M.R Niranjan

On 07/03/2012 11:14 AM, free...@noboost.org wrote:
 Hi All,
 
 Server:
 ipa-server-2.1.3-9.el6.x86_64
 sssd-1.5.1-66.el6_2.3
 
 Client:
 ipa-client-2.1.3-9.el6.x86_64
 
 
 I've got Postfix working with IPA and to be honest it was actually very
 easy. I simply set up a standard postfix server, configured the IPA
 client and when mail was delivered, postfix detected the UIDs from IPA
 and delivered the mail. 
 
 So I thought to myself, this is one of the most important services we
 have. What would happen if the SSSD client failed for some reason on the
 postfix server?
 

By sssd client failing, do you mean sssd not able to reach the ldap servers
or the sssd service crashing?

If the sssd parent crashes then I think there is not much you can do, but if
the child services of sssd don't respond, sssd does restart the child
services automatically.

Refer: http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store

 As expected the postfix server bounces the email back to its sender. 
 -
 This is the mail system at host pan.example.com.
 
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
 
 For further assistance, please send mail to postmaster.
 
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
 
The mail system
 
 cr...@safevm-craig.example.com (expanded from
 cr...@example.com): host
 safevm-craig.example.com[192.168.0.28] said: 550 5.1.1
 cr...@safevm-cht.example.com: Recipient address rejected:
 User
 unknown in local recipient table (in reply to RCPT TO command)
 -
 
 Before I start investigating backup mail servers, different postfix
 queues. Just thought I'd ask if anyone else has set up their own solution 
 to ensure the safety of mail delivery with IPA? 
 
 cya
 
 Craig
 
 
 


-- 
Regards
M.R.Niranjan



Re: [Freeipa-users] Postfix IPA

2012-07-05 Thread Simo Sorce
On Tue, 2012-07-03 at 18:15 +0530, M.R Niranjan wrote:
 
 On 07/03/2012 11:14 AM, free...@noboost.org wrote:
  Hi All,
  
  Server:
  ipa-server-2.1.3-9.el6.x86_64
  sssd-1.5.1-66.el6_2.3
  
  Client:
  ipa-client-2.1.3-9.el6.x86_64
  
  
  I've got Postfix working with IPA and to be honest it was actually very
  easy. I simply set up a standard postfix server, configured the IPA
  client and when mail was delivered, postfix detected the UIDs from IPA
  and delivered the mail. 
  
  So I thought to myself, this is one of the most important services we
  have. What would happen if the SSSD client failed for some reason on the
  postfix server?
  
 
 By sssd client failing, do you mean sssd not able to reach the ldap servers
 or the sssd service crashing?
 
 If the sssd parent crashes then I think there is not much you can do, but if
 the child services of sssd don't respond, sssd does restart the child
 services automatically.
 
 Refer:
 http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store
 

Also we still keep serving users out of the sssd cache as long as
sssd_nss process is running.
And with the memory cache we have in 1.9.0 you may still get users from
the cache directly even if the whole sssd dies.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Postfix IPA

2012-07-05 Thread Rob Crittenden

free...@noboost.org wrote:

 Hi All,
 
 Server:
 ipa-server-2.1.3-9.el6.x86_64
 sssd-1.5.1-66.el6_2.3
 
 Client:
 ipa-client-2.1.3-9.el6.x86_64
 
 
 I've got Postfix working with IPA and to be honest it was actually very
 easy. I simply set up a standard postfix server, configured the IPA
 client and when mail was delivered, postfix detected the UIDs from IPA
 and delivered the mail.
 
 So I thought to myself, this is one of the most important services we
 have. What would happen if the SSSD client failed for some reason on the
 postfix server?
 
 As expected the postfix server bounces the email back to its sender.
 -
 This is the mail system at host pan.example.com.
 
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
 
 For further assistance, please send mail to postmaster.
 
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
 
 The mail system
 
 cr...@safevm-craig.example.com (expanded from
 cr...@example.com): host
 safevm-craig.example.com[192.168.0.28] said: 550 5.1.1
 cr...@safevm-cht.example.com: Recipient address rejected:
 User
 unknown in local recipient table (in reply to RCPT TO command)
 -
 
 Before I start investigating backup mail servers, different postfix
 queues. Just thought I'd ask if anyone else has set up their own solution
 to ensure the safety of mail delivery with IPA?


I think this would apply to any non-file-based nss provider (ldap, nis, 
etc). What does your nsswitch.conf look like?


I wonder if something clever can be done like [!UNAVAIL=return]. My nss 
knowledge is limited though, so I'm not sure what gets returned to the 
lookup call, whether it is distinguishable from a notfound.


rob

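Rob's question about [!UNAVAIL=return] and what reaches the lookup call can be worked through by applying the nsswitch.conf(5) rules by hand. The following is an added example, not from the thread or from the FreeIPA/SSSD projects. It parses a passwd: line as nsswitch.conf(5) defines it (each service answers SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN; the default action table is [SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]; a bracketed spec after a service overrides it, and ! negates the status test) and simulates the service walk for constructed scenarios such as "sssd down" (the sss module answers UNAVAIL) and "unknown user" (NOTFOUND). The ldap module in one of the lines is hypothetical, standing in for any second source that is still reachable when sssd is not.

```python
"""Simulate a passwd lookup through nsswitch.conf, following nsswitch.conf(5):
each service answers SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN; the default action
table is [SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue];
a bracketed spec after a service overrides it and '!' negates the status test.
Added example, not from the thread or the FreeIPA/SSSD projects; the per-service
outcomes fed to resolve() are constructed scenarios."""
import re
from typing import Dict, List, Tuple

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
Service = Tuple[str, Dict[str, str]]  # (module name, status -> action)

def parse_nsswitch_line(line: str) -> Tuple[str, List[Service]]:
    """'passwd: files sss [!UNAVAIL=return] ldap' -> ('passwd', [(name, actions), ...])."""
    line = line.split("#", 1)[0].strip()
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not a database line: {line!r}")
    services: List[Service] = []
    for m in re.finditer(r"\[([^\]]*)\]|(\S+)", rest):
        spec, name = m.group(1), m.group(2)
        if name is not None:
            if name.startswith("["):
                raise ValueError(f"unterminated action spec: {name!r}")
            services.append((name.lower(), dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action spec before any service")
        actions = services[-1][1]
        for crit in spec.split():
            status, _, action = crit.lower().partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES or action not in ("return", "continue", "merge"):
                raise ValueError(f"bad criterion: {crit!r}")
            if action == "merge":  # only meaningful for group lookups; acts as continue here
                action = "continue"
            for s in ([x for x in STATUSES if x != status] if negate else [status]):
                actions[s] = action
    return db.strip().lower(), services

def resolve(services: List[Service], outcomes: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the services like the glibc dispatcher: consult each in order and stop as
    soon as the action for its status is 'return'. A module missing from `outcomes`
    (e.g. the sss module cannot reach sssd) answers UNAVAIL. Returns (status, trace)."""
    status, trace = "unavail", []
    for name, actions in services:
        status = outcomes.get(name, "unavail")
        trace.append((name, status))
        if actions[status] == "return":
            break
    return status, trace

def getpwnam_result(status: str):
    """What a plain getpwnam() caller is handed: an entry on SUCCESS, otherwise NULL.
    NOTFOUND and UNAVAIL collapse into the same NULL unless errno is examined."""
    return "entry" if status == "success" else None

def demo() -> Dict[Tuple[str, str], Tuple[str, object]]:
    """Constructed scenarios under two nsswitch lines; 'ldap' stands for a hypothetical
    second source that is still reachable when sssd is not."""
    scenarios = {
        "sssd healthy": {"files": "notfound", "sss": "success"},
        "sssd down":    {"files": "notfound", "sss": "unavail"},
        "unknown user": {"files": "notfound", "sss": "notfound"},
    }
    results = {}
    for line in ("passwd: files sss", "passwd: files sss [!UNAVAIL=return] ldap"):
        _, services = parse_nsswitch_line(line)
        for label, outcomes in scenarios.items():
            status, _ = resolve(services, {"ldap": "success", **outcomes})
            results[(line, label)] = (status, getpwnam_result(status))
    return results
```

Two things fall out of the simulation. First, the action spec only helps if some service after sss can still answer; with the plain `files sss` line the walk ends in UNAVAIL whatever is written in brackets. Second, getpwnam() returns NULL for NOTFOUND and UNAVAIL alike, so a caller such as Postfix's unix:passwd.byname map, which uses getpwnam(), reports "user unknown" in both cases; that is the 550 in Craig's bounce. Whether that becomes a bounce or a deferral the sender retries is decided by Postfix's unknown_local_recipient_reject_code (default 550; 450 makes it a temporary failure), which is the knob to look at before building a second mail server.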