For those of you looking for a way to set up Postfix so your client base can log in with Single Sign On, this article is for you.
Here we will walk through configuring Postfix for the following criteria:
- LDAP-based user lookups (in this article I have used FreeIPA 3.0)
- Single Sign On authentication for sending mail.
- TLS connections using FreeIPA as the Certificate Authority.
Please be aware that this article does not cover accessing a user’s mailbox, as that is covered in the following article:
https://www.dalemacartney.com/2012/07/05/configuring-dovecot-to-authenticate-freeipa-users-using-kerberos-with-single-sign-on/
Before I continue I’d like to thank Loris Santamaria and Anthony Messina from the freeipa-users@redhat.com mailing list for their assistance in getting this solution working.
Details used in this article are as follows:
FreeIPA Servers: ds01.example.com, ds02.example.com
Postfix Server: mail.example.com
IPA Test user: ipauser1
Enable LDAP virtual alias maps
A virtual alias map in Postfix allows you to map users from varying sources so that Postfix will know to accept mail for that user. This is advantageous as it means you don’t have to manually create a local user on the server in order for mail to be received.
Step 1. To set up the LDAP based map, please run the following commands on your Postfix Server.
[root@mail ~]# postconf -e 'virtual_alias_domains = example.com'
[root@mail ~]# postconf -e 'virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf'
Step 2. Create the /etc/postfix/ldap_aliases.cf file with the below content
Please note that the below config will enable TLS queries to your FreeIPA server.
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
Step 3. Once you’ve saved your ldap_aliases.cf file, you need to hash the file so Postfix can read it.
[root@mail ~]# postmap /etc/postfix/ldap_aliases.cf
Step 4. Now we need to correct the SELinux contexts of the new files so Postfix can read them.
[root@mail ~]# restorecon -R /etc/postfix/
Step 5. Lastly, restart postfix to apply the changes.
[root@mail ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]#
Setting up Single Sign on for authentication
This step requires configuring FreeIPA, SASL and a bit of Postfix for good measure.
Let’s start with FreeIPA.
Step 1. On your FreeIPA server, create a new service principal for your Postfix server.
[root@ds01 ~]# ipa service-add smtp/mail.example.com
--------------------------------------------------
Added service "smtp/mail.example.com@EXAMPLE.COM"
--------------------------------------------------
Principal: smtp/mail.example.com@EXAMPLE.COM
Managed by: mail.example.com
[root@ds01 ~]#
Step 2. Now we need to retrieve the keytab for that new service principal onto the Postfix server. Make sure you set the right permissions on the keytab as well.
[root@mail ~]# ipa-getkeytab -s ds01.example.com -p smtp/mail.example.com -k /etc/postfix/smtp.keytab
[root@mail ~]# chown root:mail /etc/postfix/smtp.keytab
[root@mail ~]# chmod 640 /etc/postfix/smtp.keytab
Step 3. Configure SASL
Edit the file /etc/sasl2/smtpd.conf so that it reads as follows.
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
Edit the file /etc/sysconfig/saslauthd so that it reads as follows.
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=kerberos5
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
Step 4. Next run the following commands to configure Postfix for SASL integration
[root@mail ~]# postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
[root@mail ~]# postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_security_options = noanonymous'
[root@mail ~]# postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
[root@mail ~]# postconf -e 'broken_sasl_auth_clients = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_authenticated_header = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_local_domain = $mydomain'
Step 5. Restart services
Lastly, restart both the saslauthd and postfix services to apply the changes you have made. Also remember to enable saslauthd to start on boot.
service saslauthd restart
service postfix restart
chkconfig saslauthd on
Configuring TLS Connections
Lastly, to top things off, we will enable TLS so that our authenticated clients can log in to the mail server securely.
Step 1. To begin with, let’s request a new certificate from FreeIPA.
On your Postfix server, create a new directory and set required permissions.
[root@mail ~]# mkdir /etc/postfix-certs
[root@mail ~]# chcon -t cert_t /etc/postfix-certs
Now let’s request the certificate.
[root@mail ~]# ipa-getcert request -r -f /etc/postfix-certs/smtp.crt -k /etc/postfix-certs/smtp.key -N CN=mail.example.com -D mail.example.com -K smtp/mail.example.com
You should now see your new private key (smtp.key) and certificate (smtp.crt) in the /etc/postfix-certs folder.
Step 2. Now let’s configure Postfix to read our new certificate.
Run the following commands on your Postfix server to apply the necessary changes.
[root@mail ~]# postconf -e 'smtpd_tls_auth_only = yes'
[root@mail ~]# postconf -e 'smtpd_tls_key_file = /etc/postfix-certs/smtp.key'
[root@mail ~]# postconf -e 'smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt'
[root@mail ~]# postconf -e 'smtpd_tls_received_header = yes'
[root@mail ~]# postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
Step 3. Restart Postfix
You should reload your postfix service in order to apply the new changes.
[root@mail ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@mail ~]#
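The following Python script is an added example, not code from the article or from the Postfix or FreeIPA projects. It checks, offline, the two things the LDAP alias map section and the SASL/TLS sections above set up: that a `postconf -n` dump carries the authenticated, non-anonymous, TLS-only submission settings, and that the ldap_aliases.cf table performs its lookups over STARTTLS. It also renders the exact LDAP filter Postfix builds from query_filter for a given recipient, including the RFC 2254/4515 escaping Postfix applies to the %s, %u and %d expansions. The two sample configurations are constructed copies of the values shown above; the finding codes and function names are my own.

```python
import re

# Constructed sample equivalent to `postconf -n` after the postconf -e commands above.
SAMPLE_MAIN_CF = """\
virtual_alias_domains = example.com
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, reject
smtpd_sender_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix-certs/smtp.key
smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt
"""

# Constructed copy of the article's /etc/postfix/ldap_aliases.cf.
SAMPLE_LDAP_CF = """\
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
"""

def parse_kv(text):
    """Parse 'name = value' lines; a later duplicate wins, as in main.cf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def expand(settings, value):
    """Expand $name references (enough of Postfix's syntax for the values used here)."""
    return re.sub(r"\$(\w+)", lambda m: settings.get(m.group(1), ""), value)

def words(value):
    """Split a comma/space separated Postfix list value."""
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit_main_cf(text):
    """Return (code, message) findings for a `postconf -n` dump."""
    cf = parse_kv(text)
    get = lambda name: expand(cf, cf.get(name, ""))
    findings = []
    if get("smtpd_sasl_auth_enable") != "yes":
        findings.append(("SASL_DISABLED", "smtpd_sasl_auth_enable is not yes; nobody can log in"))
    weak = [n for n in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options")
            if "noanonymous" not in words(get(n))]
    if weak:
        findings.append(("SASL_ANONYMOUS", "noanonymous missing from " + ", ".join(weak)))
    # smtpd_tls_auth_only = yes announces AUTH only inside TLS, so a listener that never
    # offers STARTTLS (smtpd_tls_security_level unset or none) can never accept a login.
    if get("smtpd_tls_auth_only") == "yes" and get("smtpd_tls_security_level") in ("", "none"):
        findings.append(("TLS_AUTH_ONLY_WITHOUT_TLS", "smtpd_tls_auth_only = yes but TLS is not "
                         "enabled here; set smtpd_tls_security_level or use a submission service"))
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions",
                 "smtpd_sender_restrictions"):
        rules = words(get(name))
        if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
            findings.append(("RESTRICTIONS_OPEN", name + " is not 'permit_sasl_authenticated, reject'"))
    return findings

def audit_ldap_cf(text):
    """Return (code, message) findings for a Postfix ldap: table file."""
    cf = parse_kv(text)
    findings = []
    hosts = words(cf.get("server_host", ""))
    if cf.get("start_tls") != "yes" and not all(h.startswith("ldaps://") for h in hosts):
        findings.append(("LDAP_CLEARTEXT", "lookups leave unencrypted; set start_tls = yes or use ldaps://"))
    if cf.get("version") != "3":
        findings.append(("LDAP_OLD_VERSION", "version should be 3 (STARTTLS is an LDAPv3 operation)"))
    return findings

# RFC 2254/4515 escaping, which Postfix applies to %s/%u/%d so that a recipient such as
# '*@example.com' cannot turn the filter into a wildcard search.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def render_filter(text, address):
    """The exact filter Postfix sends for one recipient (what postmap -q would look up)."""
    esc = lambda s: "".join(LDAP_ESCAPES.get(ch, ch) for ch in s)
    cf = parse_kv(text)
    local, _, domain = address.partition("@")
    return (cf["query_filter"].replace("%s", esc(address))
            .replace("%u", esc(local)).replace("%d", esc(domain)))

if __name__ == "__main__":
    for code, message in audit_main_cf(SAMPLE_MAIN_CF) + audit_ldap_cf(SAMPLE_LDAP_CF):
        print(code + ": " + message)
    print(render_filter(SAMPLE_LDAP_CF, "ipauser1@example.com"))
```

Run against the settings above, the only finding is TLS_AUTH_ONLY_WITHOUT_TLS: smtpd_tls_auth_only = yes hides AUTH until TLS is active, but nothing above sets smtpd_tls_security_level on the port 25 listener, so a submission entry in master.cf (or a security level in main.cf) is still needed before a client can log in. On a live server the equivalent of render_filter is `postmap -q ipauser1@example.com ldap:/etc/postfix/ldap_aliases.cf`, which prints the uid the map returns. Note also that with all three restriction lists set to `permit_sasl_authenticated, reject`, an unauthenticated client is refused outright, which includes other mail servers trying to deliver inbound mail to example.com; the audit only confirms the lists are as configured, it does not decide whether that is what you want.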
Testing and troubleshooting
Once you have set everything up that you wish, don’t forget to verify your work.
If you have set up TLS connections and single sign on is working, you will see the following in your /var/log/maillog file, which indicates a successful implementation.
This shows that the client is authenticating with GSSAPI and SASL at the time the user is sending an email.
Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
If you have set up LDAP virtual maps as well, go ahead and try to email a user that does not exist and see what happens. You will get a rather rude message saying that the user does not exist.
You will also see logs in /var/log/maillog which look similar to those below.
Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
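As an added example that is not part of the article, the Python script below parses the two kinds of smtpd log line shown above and summarises them, so the check described here can be automated rather than done by eye: it counts logins per SASL method (GSSAPI is the ticket-based path this article sets up; PLAIN or LOGIN means a password was sent instead) and rejects per enhanced status code, and lists the recipients refused as unknown. The sample log is constructed: the first two lines are the ones from the article, the other two are made up for illustration (a PLAIN login and an unauthenticated client refused by the restriction lists); the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the two lines from the article followed by two constructed lines
# (a password-based PLAIN login and an unauthenticated client refused by the restrictions).
SAMPLE_MAILLOG = """\
Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
Mar 14 11:12:02 mail postfix/smtpd[2130]: 1A2B3C4D5E: client=unknown[10.0.1.102], sasl_method=PLAIN, sasl_username=ipauser2
Mar 14 11:15:40 mail postfix/smtpd[2144]: NOQUEUE: reject: RCPT from unknown[10.0.1.103]: 554 5.7.1 <unknown[10.0.1.103]>: Client host rejected: Access denied; from=<someone@example.org> to=<ipauser1@example.com> proto=ESMTP helo=<relay.example.org>
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: "
# A queued message whose client authenticated: Postfix logs the SASL method and user.
AUTH_RE = re.compile(PREFIX + r"(?P<queue>[0-9A-F]+): client=(?P<client>[^,]+), "
                     r"sasl_method=(?P<method>[^,]+), sasl_username=(?P<user>\S+)")
# A recipient rejected before queueing: status code, enhanced DSN and the reason text.
REJECT_RE = re.compile(PREFIX + r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) "
                       r"(?P<dsn>\d\.\d\.\d) <(?P<subject>[^>]*)>: (?P<reason>[^;]+); "
                       r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")

def parse_maillog(text):
    """Return one dict per recognised smtpd line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("auth", AUTH_RE), ("reject", REJECT_RE)):
            m = pattern.match(line)
            if m:
                events.append(dict(kind=kind, **m.groupdict()))
                break
    return events

def summarize(events):
    """Counts worth alerting on: logins per SASL method and rejects per enhanced status code."""
    summary = {"auth_by_method": Counter(), "rejects_by_dsn": Counter(),
               "password_logins": [], "unknown_recipients": []}
    for ev in events:
        if ev["kind"] == "auth":
            summary["auth_by_method"][ev["method"]] += 1
            # GSSAPI means a Kerberos ticket was presented; PLAIN/LOGIN means a password was sent.
            if ev["method"] != "GSSAPI":
                summary["password_logins"].append((ev["user"], ev["client"]))
        else:
            summary["rejects_by_dsn"][ev["dsn"]] += 1
            if ev["dsn"] == "5.1.1":  # the 'User unknown' reject produced by the alias map
                summary["unknown_recipients"].append(ev["to"])
    return summary

if __name__ == "__main__":
    for key, value in summarize(parse_maillog(SAMPLE_MAILLOG)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Feed it the real /var/log/maillog (for example `python3 maillog_check.py < /var/log/maillog` with the sample replaced by `sys.stdin.read()`) and a non-empty password_logins list tells you which clients are still authenticating with a password rather than a ticket, while a steady stream of 5.1.1 rejects for addresses that do exist in FreeIPA points at the alias map rather than at the users.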
Thanks for the great guides.
I used your dovecot guide and had no problems authenticating (using IPA logins) to receive mail.
The postfix guide works great but not with the TLS/SASL stuff turned on. I had to comment all those lines out. (I’m sure the guide is fine and it’s something on my end.) From there I can send mail insecurely through postfix and receive it securely through dovecot. With TLS/SASL is the port still 25? Is there anything else I should consider?
If I try to send mail with TLS/SASL on, Thunderbird just keeps trying and trying to send, with errors. /var/log/maillog on the server reports the connection but nothing after that, no errors, no issues.
To answer the above question, you need to enable TLS in the master.cf file…
edit /etc/postfix/master.cf as root user
uncomment the following two lines
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
Bam… Postfix will now listen on 587 for TLS.
I am having a problem with the virtual ldap maps. I followed your guide on how to get dovecot working. Everything works like a champion except that I cannot get postfix to find the user in the 389-ds directory. I am using freeipa on fedora 19. I’m sure I am just doing it wrong.
Any help would be great.
I get the above errors “reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=”
The problem is that the users do exist. I know, it’s how I am logging into the server. There is an email address in the email address field in IPA.
Any help would be fantastic.
Hi Tim, would you please tell me how to configure a dovecot server to authenticate IMAP users??? I see this http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
but I can’t authenticate my users.
Please help me.
Thanks for this writeup! Very close, but no cigar when trying it on CentOS 7. The mapping via LDAP works great, but saslauthd is somehow getting “user@example.com” instead of “user@EXAMPLE.COM” in my case, to which Kerberos promptly fails the request.
How can I make Kerberos use the properly capitalized realm name? I have the [domain_realms] elements set up; they are just not being used..
This somewhat works. However I cannot get groups to be mailed or received mail with FreeIPA.
Anyone got a good example on this? Let me know. Love to have email groups within FreeIPA.
I found this article fit the bill. I deployed postfix with IdM on RHEL7.
Corrections to be made:
1) postconf -e 'virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf'
should be
postconf -e 'virtual_alias_maps = hash:/etc/postfix/ldap_aliases.cf'
2) Step 3 above actually has two files to edit. It is not clear due to a page formatting problem. Running the following should fix this.
# configure authentication files
# edit /etc/sasl2/smtpd.conf
cat <<EOF > /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: gssapi plain login
EOF
# edit /etc/sysconfig/saslauthd
cat <<EOF > /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=kerberos5
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
EOF