On 07/12/2013 11:04 AM, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
>> On 07/10/2013 12:12 PM, Simo Sorce wrote:
>>> On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
>>>> Folks,
>>>> I swear I am not trying to drive up traffic to my very small blog, but I
>>>> wrote up some instructions for how to configure the postfix mail client
>>>> to use Kerberos to relay through a Postfix gateway.
>>>>
>>>> Instructions are here for folks that are interested:
>>>> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
>>>>
>>>> Hopefully it is useful to some people in the future; for me it took the
>>>> help of some users on the Postfix list, a lot of it was not clear.
>
> Erinn, this is excellent! I've been looking for just this idea! Thanks.
>
>> I think it is worth mentioning that starting with Fedora 19 the step to
>> configure cron to fetch tickets is not needed. GSS proxy can be
>> configured instead to automatically acquire tickets on the client's behalf.
>> https://fedorahosted.org/gss-proxy/
>>
>> It generally applies to any unattended client that uses a keytab to
>> authenticate, be it a messaging client, DB client, LDAP client or
>> anything else. You name it...
>>
>> Thanks for the blog!
>>
>> --
>> Thank you,
>> Dmitri Pal
>
> Dmitri, thanks for the info on gssproxy. I am using gssproxy for NFS in F19,
> but have not begun using it for other services such as an smtp client, though
> this is exactly what I'd be looking for. Do you think you'd be able to show
> us what the gssproxy.conf file might look like for Postfix's smtp service?
> How would one store the keytab in /var/lib/gssapi/clients? As far as I can
> tell, the keytabs stored there are listed as <uidnumber>.keytab, so I imagine
> this would be stored as the postfix user's uidnumber.
>
> Thanks again.
> -A
No problem, glad it is useful. Please note that there is a bit of a problem currently that I am trying to document. As it is written, the postfix config doesn't verify the TLS connection between client and server, and this can create a security issue.

Basically, you need to change the setting for smtp_tls_security_level from 'may' to 'secure' and make sure you either have a certificate signed by a known CA or have your own CA in the certificate trust. Within the confines of FreeIPA this is pretty easy given that you already have a PKI in place with IPA.

GSSAPI inside of a TLS channel apparently isn't secure unless the channel is secure and verified. The irony being that GSSAPI auth outside of a TLS connection is just fine for postfix.

The post will be updated with this information, but it takes a bit more work to make what I wrote above more approachable.

-Erinn
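The main.cf change Erinn describes, shown as an added example with the weak setting beside the corrected one. This is not the blog post's configuration or anything from the thread; the relay name smtp-gw.example.com, the port, the sasl_passwd map path and the IPA CA location /etc/ipa/ca.crt (where ipa-client-install places the realm CA certificate) are assumptions.

```ini
# Postfix SMTP client, /etc/postfix/main.cf on the relaying host.
# Added example, not the blog's or the list's own config. Assumed names:
# relay smtp-gw.example.com:587, IPA CA certificate at /etc/ipa/ca.crt.

relayhost = [smtp-gw.example.com]:587

# --- Weak: opportunistic TLS ---
# 'may' uses TLS only if the gateway offers it, never verifies the server
# certificate, and silently falls back to cleartext. A man-in-the-middle can
# present any certificate (or strip STARTTLS) and read the session.
#smtp_tls_security_level = may

# --- Corrected: mandatory, verified TLS ---
# 'secure' refuses cleartext, validates the server certificate chain against
# the trusted CA below, and checks the certificate name against the nexthop
# (the relayhost). A failed check defers the mail rather than downgrading.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ipa/ca.crt
# This is the Postfix default; spelled out so the expectation is explicit:
# the certificate must carry smtp-gw.example.com (or a matching
# *.example.com-style name for the dot-nexthop rule).
smtp_tls_secure_cert_match = nexthop, dot-nexthop
# Level 1 logs one summary line per session, which is what you audit.
smtp_tls_loglevel = 1

# --- SASL/GSSAPI towards the gateway (unchanged by the TLS fix) ---
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = gssapi
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
# The client only attempts SASL for destinations that have an entry here.
# With GSSAPI the password part of the entry is ignored; the entry's
# presence is what matters. Assumed path; build it with postmap(1).
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
```

After reloading Postfix, a session to the gateway should log "Verified TLS connection established to smtp-gw.example.com..." rather than "Untrusted" or "Anonymous TLS connection established"; with the 'secure' level a session that cannot be verified is not downgraded, it is deferred and shows up in the queue. The chain can be checked independently of Postfix with openssl s_client -starttls smtp -connect smtp-gw.example.com:587 -CAfile /etc/ipa/ca.crt, which must report a verify return code of 0 and a subject matching the relayhost name.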
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
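The thread does not answer Anthony's gssproxy question. The stanza below is an added example of what a gssproxy.conf service section for the Postfix SMTP client could look like, modelled on the nfs-client section that Fedora 19 ships; it is not configuration from the gss-proxy project, FreeIPA or the list. Everything specific to Postfix in it is an assumption: the section name postfix-smtp, the uid 89 for the postfix user (check with id -u postfix), the keytab and ccache paths, and that the client process is started with GSS_USE_PROXY=yes in its environment so that libgssapi hands credential acquisition to gssproxy.

```ini
# /etc/gssproxy/gssproxy.conf
# Added example; names, paths and the uid are assumptions.

# Stanza as shipped for the NFS client, kept for comparison. %U expands to
# the calling process's uid, which is why the client keytabs under
# /var/lib/gssproxy/clients are named <uidnumber>.keytab.
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

# Assumed stanza for the Postfix SMTP client. smtp(8) runs as the postfix
# user (uid 89 on Fedora; verify with `id -u postfix`), so the section is
# restricted to that effective uid. gssproxy reads the client keytab as root
# and refreshes the ticket cache itself, so no cron job and no keytab
# readable by the unprivileged postfix user are needed.
[service/postfix-smtp]
  mechs = krb5
  cred_store = client_keytab:/var/lib/gssproxy/clients/89.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_89
  cred_usage = initiate
  euid = 89
```

The keytab at /var/lib/gssproxy/clients/89.keytab is assumed to hold a service principal created in IPA for the relaying host and fetched with ipa-getkeytab, owned by root with mode 0600, since gssproxy, not Postfix, opens it. Two caveats a practitioner should check rather than take from this example: gssproxy selects the service section by the caller's effective uid, so if the nfs-client stanza with allow_any_uid = yes is also present, confirm in gssproxy's debug log which section actually serves uid 89; and Postfix daemons do not inherit arbitrary environment variables, so GSS_USE_PROXY=yes has to be added to the import_environment list in main.cf (see postconf -d import_environment for the default list to extend).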
