Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication

For those of you looking for a way to set up Postfix so your users can log in with Single Sign-On, this article is for you.

Here we will be walking through configuring Postfix for the following criteria:

  1. LDAP-based user lookups (in this article I have used FreeIPA 3.0)
  2. Single Sign-On (Kerberos/GSSAPI) authentication for sending mail.
  3. TLS-encrypted connections using FreeIPA as the Certificate Authority.

Please be aware that this article does not cover accessing a user’s mailbox as this is covered in the following article.
https://www.dalemacartney.com/2012/07/05/configuring-dovecot-to-authenticate-freeipa-users-using-kerberos-with-single-sign-on/

Before I continue I’d like to thank Loris Santamaria and Anthony Messina from the freeipa-users@redhat.com mailing list for their assistance in getting this solution working.

Details used in this article are as follows:

FreeIPA Servers: ds01.example.com, ds02.example.com
Postfix Server: mail.example.com
IPA Test user: ipauser1

 

Enable LDAP virtual alias maps

A virtual alias map lets Postfix accept mail for addresses it learns from an external source, here the mail attribute of FreeIPA user entries. The advantage is that you do not have to create a local user on the server for every address that should receive mail.

Step 1. To set up the LDAP-based map, run the following commands on your Postfix server.

[root@mail ~]# postconf -e 'virtual_alias_domains = example.com'
[root@mail ~]# postconf -e 'virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf'

Step 2. Create the /etc/postfix/ldap_aliases.cf file with the content below.
Note that start_tls = yes makes Postfix encrypt its queries to the FreeIPA servers, but on its own it does not verify the server certificate. If you want lookups to fail rather than talk to an impostor directory, also set tls_ca_cert_file = /etc/ipa/ca.crt and tls_require_cert = yes (see ldap_table(5)). Both IPA servers are listed so that lookups keep working when one replica is down.

server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3

The lookup returns the bare uid. Postfix appends $myorigin to a result without a domain part, so the resulting address must belong to a domain Postfix delivers to (normally one listed in $mydestination) for delivery to succeed.

Step 3. An LDAP table is queried live, so unlike a hash: table it is not compiled with postmap (running postmap on the .cf file would only produce a meaningless .db copy of the settings). Instead, use postmap to test the lookup for one of your users; the result should be that user's uid.

[root@mail ~]# postmap -q ipauser1@example.com ldap:/etc/postfix/ldap_aliases.cf
ipauser1

Step 4. Now we need to correct the SELinux contexts of the new files so Postfix can read them.

[root@mail ~]# restorecon -R /etc/postfix/

Step 5. Lastly, restart postfix to apply the changes.

[root@mail ~]# service postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]#

 

Setting up Single Sign-On for authentication

This step requires configuring FreeIPA, SASL and a bit of Postfix for good measure.

Let's start with FreeIPA.

Step 1. On your FreeIPA server, create a new service principal for your Postfix server.

[root@ds01 ~]# ipa service-add smtp/mail.example.com
 --------------------------------------------------
 Added service "smtp/mail.example.com@EXAMPLE.COM"
 --------------------------------------------------
 Principal: smtp/mail.example.com@EXAMPLE.COM
 Managed by: mail.example.com
 [root@ds01 ~]#

Step 2. Now we need to fetch a keytab for that new service principal onto the Postfix server. Make sure you set the right permissions on the keytab as well: the smtpd daemons run as the postfix user, which on RHEL/Fedora is a member of the mail group, so root:mail with mode 640 lets them read the key without making it world-readable.

[root@mail ~]# ipa-getkeytab -s ds01.example.com -p smtp/mail.example.com -k /etc/postfix/smtp.keytab
[root@mail ~]# chown root:mail /etc/postfix/smtp.keytab
[root@mail ~]# chmod 640 /etc/postfix/smtp.keytab

Step 3. Configure SASL

Two files need editing here. First, edit /etc/sasl2/smtpd.conf so that it reads as follows. GSSAPI is handled by the SASL library itself using the keytab from Step 2; pwcheck_method only comes into play for the password mechanisms PLAIN and LOGIN, which saslauthd will verify against the Kerberos KDC.

pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

Next, edit /etc/sysconfig/saslauthd so that it reads as follows.

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=kerberos5
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
# DAEMONOPTS=--user saslauth
# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=

Step 4. Next run the following commands to configure Postfix for SASL integration. KRB5_KTNAME is passed through import_environment so that smtpd finds the service keytab. Note that the three restriction lists below admit only SASL-authenticated clients, which makes this a submission-only server: other MTAs will not be able to deliver inbound mail for your virtual alias domain through it. Also note that permit_sasl_authenticated does not tie the envelope sender to the authenticated user; if you need that, look at smtpd_sender_login_maps together with reject_sender_login_mismatch.

[root@mail ~]# postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'
[root@mail ~]# postconf -e 'smtpd_client_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, reject'
[root@mail ~]# postconf -e 'smtpd_sasl_auth_enable = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_security_options = noanonymous'
[root@mail ~]# postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
[root@mail ~]# postconf -e 'broken_sasl_auth_clients = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_authenticated_header = yes'
[root@mail ~]# postconf -e 'smtpd_sasl_local_domain = $mydomain'

Step 5. Restart services

Lastly, restart both saslauthd and postfix services to apply the changes you have made. Also remember to enable saslauthd to start on boot

service saslauthd restart
service postfix restart
chkconfig saslauthd on

 

Configuring TLS Connections

Finally, to top things off, we will enable TLS so that authenticated clients can log in to the mail server without exposing their credentials on the wire.

Step 1. To begin with, lets request a new certificate from FreeIPA.

On your Postfix server, create a new directory and give it the SELinux context certmonger expects. Note that chcon only lasts until the next relabel; to make the label permanent, record it with semanage fcontext -a -t cert_t "/etc/postfix-certs(/.*)?" (from policycoreutils-python) and then run restorecon -R /etc/postfix-certs.

[root@mail ~]# mkdir /etc/postfix-certs
[root@mail ~]# chcon -t cert_t /etc/postfix-certs

Now let's request the certificate. -N sets the subject, -D adds the DNS subject alternative name, -K names the smtp service principal the certificate belongs to, and -r asks certmonger to renew the certificate automatically before it expires.

[root@mail ~]# ipa-getcert request -r -f /etc/postfix-certs/smtp.crt -k /etc/postfix-certs/smtp.key -N CN=mail.example.com -D mail.example.com -K smtp/mail.example.com

You should now see your new private key and certificate in the /etc/postfix-certs folder. Issuance is asynchronous, so run ipa-getcert list and wait until the request shows status MONITORING before moving on.

Step 2. Now let's configure Postfix to use the new certificate.

Run the following commands on your Postfix server to apply the necessary changes. smtpd_tls_security_level = may is what actually makes Postfix advertise STARTTLS; without it the remaining settings are inert, and because smtpd_tls_auth_only = yes hides AUTH until TLS is up, clients would find neither STARTTLS nor AUTH on offer.

[root@mail ~]# postconf -e 'smtpd_tls_security_level = may'
[root@mail ~]# postconf -e 'smtpd_tls_auth_only = yes'
[root@mail ~]# postconf -e 'smtpd_tls_key_file = /etc/postfix-certs/smtp.key'
[root@mail ~]# postconf -e 'smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt'
[root@mail ~]# postconf -e 'smtpd_tls_received_header = yes'
[root@mail ~]# postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

Clients must trust the FreeIPA CA (/etc/ipa/ca.crt on enrolled hosts) to validate this certificate. If you also want to serve clients on the submission port (587) with TLS mandatory, uncomment the submission service in /etc/postfix/master.cf together with its -o smtpd_tls_security_level=encrypt and -o smtpd_sasl_auth_enable=yes options.

Step 3. Restart Postfix

Restart Postfix to apply the new settings.

[root@mail ~]# service postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@mail ~]#
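The settings from the Single Sign-On and TLS sections above, and the TLS caveat from the LDAP alias section, combine in ways that are easy to get wrong silently (STARTTLS not offered, password mechanisms exposed, the directory queried without certificate verification). The following shell script is an added example, not part of the original article: it audits a postconf -n dump, the Cyrus smtpd.conf and the ldap_aliases.cf table for exactly those combinations. The sample files it writes are constructed for the demonstration (the "weak" ones mirror the settings as shown above before the smtpd_tls_security_level and tls_require_cert additions); the file names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit the Postfix, Cyrus SASL and LDAP
# table settings this guide produces for the combinations that leave SASL
# logins or directory lookups unprotected. Usage on a live server:
#   postconf -n > /tmp/main.txt
#   sh audit.sh /tmp/main.txt /etc/sasl2/smtpd.conf /etc/postfix/ldap_aliases.cf
# With no arguments it runs against the constructed samples written below.

# get_param FILE NAME: value of "NAME = value" in a postconf -n dump or a .cf file
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_sasl_tls MAINCF SASLCONF: one line per finding; returns 0 only if clean
audit_sasl_tls() {
    rc=0
    level=$(get_param "$1" smtpd_tls_security_level)
    auth_only=$(get_param "$1" smtpd_tls_auth_only)
    secopts=$(get_param "$1" smtpd_sasl_security_options)
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$2" | tr 'A-Z' 'a-z')

    # No security level: STARTTLS is never advertised, and with
    # smtpd_tls_auth_only=yes that means AUTH is never advertised either.
    if [ -z "$level" ] || [ "$level" = "none" ]; then
        echo "FAIL: smtpd_tls_security_level is '${level:-unset}': STARTTLS not offered"
        rc=1
    fi
    # Password mechanisms are only acceptable when AUTH is confined to TLS sessions.
    case " $mechs " in
        *" plain "*|*" login "*)
            if [ "$auth_only" != "yes" ]; then
                echo "FAIL: mech_list offers PLAIN/LOGIN but smtpd_tls_auth_only is not yes"
                rc=1
            fi ;;
    esac
    # ANONYMOUS must not be able to satisfy permit_sasl_authenticated.
    case "$secopts" in
        *noanonymous*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2"
    return "$rc"
}

# audit_ldap_table LDAPCF: the lookup must be encrypted AND the server verified
audit_ldap_table() {
    rc=0
    if [ "$(get_param "$1" start_tls)" != "yes" ]; then
        echo "FAIL: $1 queries the directory in clear (start_tls != yes)"; rc=1
    fi
    if [ "$(get_param "$1" tls_require_cert)" != "yes" ]; then
        echo "FAIL: $1 does not verify the directory certificate (tls_require_cert != yes)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# write_samples DIR: constructed samples. weak.cf is the TLS step without
# smtpd_tls_security_level, fixed.cf adds it; ldap_weak.cf is the alias table as
# shown in the article, ldap_fixed.cf adds CA verification.
write_samples() {
    cat > "$1/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt
smtpd_tls_key_file = /etc/postfix-certs/smtp.key
EOF
    { cat "$1/weak.cf"; echo "smtpd_tls_security_level = may"; } > "$1/fixed.cf"
    printf 'pwcheck_method: saslauthd\nmech_list: GSSAPI PLAIN LOGIN\n' > "$1/smtpd.conf"
    cat > "$1/ldap_weak.cf" <<'EOF'
server_host = ds01.example.com, ds02.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = uid
bind = no
start_tls = yes
version = 3
EOF
    { cat "$1/ldap_weak.cf"; printf 'tls_ca_cert_file = /etc/ipa/ca.crt\ntls_require_cert = yes\n'; } > "$1/ldap_fixed.cf"
}

if [ $# -eq 3 ]; then
    audit_sasl_tls "$1" "$2"; audit_ldap_table "$3"
else
    d=$(mktemp -d); write_samples "$d"
    # findings are printed; the exit status of each audit is for scripted use
    for f in weak fixed; do audit_sasl_tls "$d/$f.cf" "$d/smtpd.conf" || true; done
    for f in ldap_weak ldap_fixed; do audit_ldap_table "$d/$f.cf" || true; done
    rm -rf "$d"
fi
```

The audit deliberately reads a postconf -n dump rather than main.cf, so that defaults inherited from master.cf overrides are not mistaken for explicit settings; run it again after every postconf -e change.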

Testing and troubleshooting

Once everything is in place, verify your work.

If TLS and Single Sign-On are working, you will see lines like the following in /var/log/maillog. sasl_method=GSSAPI confirms that the client authenticated with a Kerberos ticket rather than a password at the time the user sent the message.

Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com

If you have set up the LDAP virtual alias maps as well, try emailing a user that does not exist. The sender will get a rather rude bounce saying the user is unknown.

You will also see logs in /var/log/maillog which look similar to those below.

Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
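Reading those two kinds of log lines by eye does not scale once the server is in use. The following shell script is an added example, not part of the original article: it summarises from a maillog who authenticated with which SASL mechanism, which of those logins were password-based rather than Kerberos, and which recipients were rejected with which SMTP status. It takes the log path as its only argument; with no argument it runs on the constructed sample lines written by write_sample_log, which are modelled on the two entries above and are not real traffic (the extra hosts, users and queue IDs are assumptions).

```shell
#!/bin/sh
# Added example, not from the article: summarise SASL logins and RCPT rejections
# from a Postfix maillog. Usage: sh maillog_summary.sh /var/log/maillog

# sasl_summary LOG: one line per "METHOD USER COUNT", sorted
sasl_summary() {
    awk '/postfix\/smtpd\[/ && /sasl_method=/ {
        m = ""; u = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_method=/)   { m = substr($i, 13); sub(/,$/, "", m) }
            if ($i ~ /^sasl_username=/) { u = substr($i, 15); sub(/,$/, "", u) }
        }
        count[m " " u]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# reject_summary LOG: one line per "STATUS RECIPIENT COUNT" for RCPT rejections
reject_summary() {
    awk '/postfix\/smtpd\[/ && /NOQUEUE: reject: RCPT/ {
        code = "?"; rcpt = "?"
        # the SMTP status follows the client name, e.g. "...]: 550 5.1.1 <addr>"
        if (match($0, /: [0-9][0-9][0-9] [0-9]\.[0-9]+\.[0-9]+ /))
            code = substr($0, RSTART + 2, 3)
        for (i = 1; i <= NF; i++)
            if ($i ~ /^to=</) { rcpt = $i; sub(/^to=</, "", rcpt); sub(/>$/, "", rcpt) }
        count[code " " rcpt]++
    }
    END { for (k in count) print k, count[k] }' "$1" | sort
}

# password_logins LOG: users who authenticated with PLAIN or LOGIN. With
# smtpd_tls_auth_only=yes these can only have happened inside TLS, but they
# still mean a password, not a Kerberos ticket, was presented.
password_logins() {
    sasl_summary "$1" | awk '$1 == "PLAIN" || $1 == "LOGIN" { print $2 }' | sort -u
}

# write_sample_log FILE: constructed sample in the format shown in the article
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 14 11:03:12 mail postfix/smtpd[1994]: connect from unknown[10.0.1.101]
Mar 14 11:03:14 mail postfix/smtpd[1994]: 005304162E: client=unknown[10.0.1.101], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
Mar 14 11:05:02 mail postfix/smtpd[1994]: 1A2B3C4D5E: client=workstation02.example.com[10.0.1.102], sasl_method=GSSAPI, sasl_username=ipauser1@example.com
Mar 14 11:07:45 mail postfix/smtpd[2011]: 6F7A8B9C0D: client=unknown[10.0.1.150], sasl_method=PLAIN, sasl_username=ipauser2@example.com
Mar 14 11:09:18 mail postfix/smtpd[2097]: NOQUEUE: reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 <notarealuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ipauser1@example.com> to=<notarealuser@example.com> proto=ESMTP helo=<workstation01.example.com>
Mar 14 11:12:03 mail postfix/smtpd[2130]: NOQUEUE: reject: RCPT from unknown[10.0.1.150]: 554 5.7.1 <unknown[10.0.1.150]>: Client host rejected: Access denied; from=<someone@outside.invalid> to=<ipauser1@example.com> proto=ESMTP helo=<relay.outside.invalid>
Mar 14 11:12:05 mail postfix/smtpd[2130]: disconnect from unknown[10.0.1.150]
EOF
}

if [ $# -eq 1 ]; then
    log=$1
else
    log=$(mktemp); write_sample_log "$log"
fi
echo "== SASL logins (method user count)";            sasl_summary "$log"
echo "== password-based logins";                     password_logins "$log"
echo "== rejected recipients (status recipient count)"; reject_summary "$log"
[ $# -eq 1 ] || rm -f "$log"
```

A 554 "Client host rejected" entry is what the permit_sasl_authenticated, reject restrictions produce for an unauthenticated client, so a steady stream of them from outside addresses is expected on this submission-only setup; a PLAIN or LOGIN entry for a user who should be using Kerberos is the line worth chasing.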

6 comments on “Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication”

  1. Tim November 26, 2013 12:12

    Thanks for the great guides.

    I used your dovecot guide and had no problems authenticating (using IPA logins) to receive mail.

    The postfix guide works great but not with TLS/SASL stuff turned on. I had to comment all those lines out. (I’m sure the guide is fine and it’s something on my end) From there I can send mail unsecurely through postfix and receive it securely through dovecot. With TLS/SASL is the port still 25? Is there anything else I should consider?

    If I try to send mail with TLS/SASL on, Thunderbird just keeps trying and trying to send with errors. /var/log/maillog on the server reports the connection but nothing after that, no errors, no issues.

  2. Donny January 6, 2014 20:42

    To answer the above question you need to enable tls in the master.cf file…

    edit /etc/postfix/master.cf as root user

    uncomment the following two lines

    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes

    Bam… Postfix will now listen on 587 for TLS.

    I am having a problem with the virtual ldap maps. I followed your guide on how to get dovecot working. Everything works like a champion except that I cannot get postfix to find the user in the 389-ds directory. I am using freeipa on fedora 19. I’m sure I am just doing it wrong.

    Any help would be great.

    I get the above errors “reject: RCPT from unknown[10.0.1.101]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=”

    The problem is that the users do exist. I know, its how I am logging into the server. There is an email address in the email address field in IPA.

    Any help would be fantastic.

  3. Brian Topping October 13, 2014 05:37

    Thanks for this writeup! Very close, but no cigar when trying it on CentOS 7. The mapping via LDAP works great, but saslauthd is somehow getting “user@example.com” instead of “user@EXAMPLE.COM” in my case, to which kerberos promptly fails the request.

    How can I either make kerberos use the properly capitalized realm name? I have the [domain_realms] elements set up, they are just not using it..

  4. TonyB (@necronn99) March 22, 2016 18:18

    This somewhat works. However I cannot get groups to be mailed or received mail with FreeIPA.

    Anyone got a good example on this let me know. Love to have email groups within freeipa

  5. Paul Armstrong June 14, 2016 21:04

    I found this article fit the bill. I deployed postfix with IdM on RHEL7.

    Corrections to be made:
    1) postconf -e ‘virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf’

    should be

    postconf -e ‘virtual_alias_maps = hash:/etc/postfix/ldap_aliases.cf’

    2) Step 3 above actually has 2 files to edit. It is not clear due to a page formatting problem. Run the following should fix this.

    # configure authentication files

    # edit /etc/sasl2/smtpd.conf
    cat > /etc/sasl2/smtpd.conf <<EOF
    pwcheck_method: saslauthd
    mech_list: gssapi plain login
    EOF

    #edit /etc/sysconfig/saslauthd
    cat > /etc/sysconfig/saslauthd <<EOF
    # Directory in which to place saslauthd’s listening socket, pid file, and so
    # on. This directory must already exist.
    SOCKETDIR=/run/saslauthd

    # Mechanism to use when checking passwords. Run “saslauthd -v” to get a list
    # of which mechanism your installation was compiled with the ability to use.
    MECH=kerberos5

    # Additional flags to pass to saslauthd on the command line. See saslauthd(8)
    # for the list of accepted flags.
    FLAGS=

    EOF
