Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication

For those of you looking for a way to set up Postfix so your client base can login with Single Sign On, this article is for you.

Here we will be walking through configuring postfix for the following criteria:

1. LDAP based User lookups (In this article I have used FreeIPA 3.0)
2. Single Sign On authentication for mail sending.
3. Enabling TLS based connections using FreeIPA as the Certificate Authority.

Please be aware that this article does not cover accessing a user’s mailbox as this is covered in the following article.
https://www.dalemacartney.com/2012/07/05/configuring-dovecot-to-authenticate-freeipa-users-using-kerberos-with-single-sign-on/

Before I continue I’d like to thank Loris Santamaria and Anthony Messina from the freeipa-users@redhat.com mailing list for their assistance in getting this solution working.

Details used in this article are as follows:

FreeIPA Servers: ds01.example.com, ds02.example.com
Postfix Server: mail.example.com
IPA Test user: ipauser1

 

Enable LDAP virtual alias maps

A virtual alias map in Postfix allows you to map users from varying sources so that Postfix will know to accept mail for that user. This is advantageous as it means you don’t have to manually create a local user on the server in order for mail to be received.

Step 1. To set up the LDAP based map, please run the following commands on your Postfix Server.

[root@mail ~]# postconf -e 'virtual_alias_domains = example.com'
[root@mail ~]# postconf -e 'virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf'

Step 2. Create the /etc/postfix/ldap_aliases.cf file with the below content
Please note that the below config will enable TLS queries to your FreeIPA server.

server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3

Step 3. Once you’ve saved your ldap_aliases.cf file, you need to hash file so Postfix can read it.

[root@mail ~]# postmap /etc/postfix/ldap_aliases.cf

Step 4. Now we need to correct the SELinux contexts of the new files so Postfix can read them.

[root@mail ~]# restorecon -R /etc/postfix/

Step 5. Lastly, restart postfix to apply the changes.

[root@mail ~]# service postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]#

 

Setting up Single Sign on for authentication

This step requires configuring FreeIPA, SASL and a bit of Postfix for good measure.

Lets start with FreeIPA.

Step 1. On your FreeIPA server, create a new service principle for your Postfix server

[root@ds01 ~]# ipa service-add smtp/mail.example.com
 --------------------------------------------------
 Added service "smtp/mail.example.com@EXAMPLE.COM"
 --------------------------------------------------
 Principal: smtp/mail.example.com@EXAMPLE.COM
 Managed by: mail.example.com
 [root@ds01 ~]#

Step 2. Now we need to download that new service principle to the Postfix server. Make sure you set the right permissions to the keytab as well.

[root@mail ~]# ipa-getkeytab -s ds01.example.com -p smtp/mail.example.com -k /etc/postfix/smtp.keytab
[root@mail ~]# chown root:mail /etc/postfix/smtp.keytab
[root@mail ~]# chmod 640 /etc/postfix/smtp.keytab

Step 3. Configure SASL

Edit the file /etc/sasl2/smtpd.conf so that it reads as follows.

pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
Edit the file /etc/sysconfig/saslauthd so that it reads as follows
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
 SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
 MECH=kerberos5
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth
# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
 FLAGS=

Step 4. Next run the following commands to configure Postfix for SASL integration

[root@mail ~]# postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
[root@mail ~]# postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_security_options = noanonymous'
[root@mail ~]# postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
[root@mail ~]# postconf -e 'broken_sasl_auth_clients = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_authenticated_header = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_local_domain = $mydomain'

Step 5. Restart services

Lastly, restart both saslauthd and postfix services to apply the changes you have made. Also remember to enable saslauthd to start on boot

service saslauthd restart
service postfix restart
chkconfig saslauthd on

 

 Configuring TLS Connections

Lastly, to top things off, we will enable TLS for our authenticated clients to be able to login securely to the mail server.

Step 1. To begin with, lets request a new certificate from FreeIPA.

On your Postfix server, create a new directory and set required permissions.

[root@mail ~]# mkdir /etc/postfix-certs
[root@mail ~]# chcon -t cert_t /etc/postfix-certs

Now lets request the certificate.

[root@mail ~]# ipa-getcert request -r -f /etc/postfix-certs/smtp.crt -k /etc/postfix-certs/smtp.key -N CN=mail.example.com -D mail.example.com -K smtp/mail.example.com

You should now see your new private and public key located in the /etc/postfix-certs folder.

Step 2. Now lets configure postfix to read our new certificate.

Run the following commands on your Postfix server to apply the necessary changes.

[root@mail ~]# postconf -e 'smtpd_tls_auth_only = yes'
[root@mail ~]# postconf -e 'smtpd_tls_key_file = /etc/postfix-certs/smtp.key'
[root@mail ~]# postconf -e 'smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt'
[root@mail ~]# postconf -e 'smtpd_tls_received_header = yes'
[root@mail ~]# postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

Step 3. Restart Postfix

You should reload your postfix service in order to apply the new changes.

[root@mail ~]# service postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]#

Testing and troubleshooting

Once you have set everything up that you wish, don’t forget to verify your work.

If you have setup TLS connections and single sign on is working fine, you will see the following in your /var/log/maillog file which will indicate a successful implementation.

This shows that the client is authenticating with GSSAPI and SASL at the time the user is sending an email.

Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com

If you have set up LDAP virtual maps as well, go ahead and try and email a user that does not exist and see what happens. You will get a rather rude message saying that the user does not exist.

You will also see logs in /var/log/maillog which look similar to those below.

Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>