[Freeipa-users] Getting virtual aliases and domains via freeipa with Postfix
Stephen Ingram
sbingram at gmail.com
Thu Nov 1 05:07:31 UTC 2012
On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown <rendhalver at gmail.com> wrote:
> On 1 November 2012 08:20, Stephen Ingram <sbingram at gmail.com> wrote:
>>
>> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown <rendhalver at gmail.com> wrote:
>> > Hi everyone,
>> >
>> > I have been trying to work out how to achieve this.
>> > I have freeipa 3.0.0 setup on a Fedora 18 server and I have postfix and
>> > dovecot on my new mail server authenticating against Freeipa.
>> > One last thing I would love to do it pull down the virtual users and
>> > aliases
>> > for the domains my mailserver will be serving from freeipa.
>> > Is this possible?
>> > Is this all automatic due to sssd looking up the user details in the ds?
>> > Does it do the same for domains and email aliases or will I need extra
>> > lookups to achieve this.
>>
>> I've recently built an entire mail system around FreeIPA and it works
>> great. There are two parts to be concerned with:
>>
>> 1. Authentication - With Postfix, this is handled by saslauthd which
>> can authenticate against Kerberos (using or not using sssd). I used
>> Cyrus-IMAP for the mailstore which also uses saslauthd. Doveccot has
>> it's own sasl built in which can authenticate against Kerberos or
>> LDAP, thus it should work with IPA.
>
>
> I have dovecot authing against freeipa (via pam)and I setup a sasl auth
> instance in dovecot and have postfix authing against that.
> I figured why setup another sasl auth daemon when dovecot can do it for me
> so they effectively use the same authentication source.
>
>> 2. Configuration - With Postfix, you can set all different areas (e.g.
>> virtual, aliases, etc.) to use LDAP lookup of configuration
>> information. You are typically searching for the email address (mail
>> attribute in IPA) and your search will generally return the userid
>> (uid attribute) of where the mail is to be stored. I don't believe
>> that Dovecot or Cyrus-IMAP have any way of maintaining any
>> configuration in LDAP so you generally have to setup mailboxes and
>> authorization information by hand using their tools.
>
>
> I have most of that worked out but getting delivery addresses for domains
> that aren't the base is proving tricky.
> It's looking like I will need to add some extra schemas to the ds so i can
> add the delivery domain to each user and somehow use that to construct the
> delivery address.
> I am not sure I can do that though.
I didn't really have to add anything except for one extra attribute.
You can group your users into user groups representing the domains
they belong to such that Postfix can query whether or not to accept
for a domain or not. I added mailAlternateAddress for aliases rather
than user multi-value attribute mail so I can have a "master" email
address for each user. It was easy to do with the existing schema
(mailRecipient objectclass). BTW if you haven't already figured it
out, postmap -q is your friend when setting up your LDAP config in
Postfix. Just keep adjusting everything until you get the answer you
(and Postfix) expect.
> I am half tempted to add the extra components of 389-ds and see it that will
> let me do what I need.
>
> On a side note the freeipa lads seem to be working out how to add
> multitenancy support so it will be capable of serving multiple separate
> Kerberos principals.
> That would help a lot but I need to cobble something together now.
Yes, if you want unique uid's within each domain you'll have to wait
for that. I gave up on that notion and simply require unique uids for
every user regardless of domain and deliver to single domain style
mail store setup.
Steve
More information about the Freeipa-users
mailing list