Dovecot SASL and GSSAPI (IPA)
Hi Everyone,
I'm currently using dovecot SASL in postfix and passwd-file in dovecot for authenticating my users. I want to switch to using IPA instead.
I have both the postfix (mailman01) and dovecot (mailman02) servers joined to the IPA domain. I have GSSAPI working in dovecot for IMAP. But, the SASL GSSAPI authentication in postfix fails with this error:
warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:
This is what dovecot logs:
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected (pid=0)
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp@mailman02.theinside.rnr
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf file to "mailman02.theinside.rnr", but I get the same errors in dovecot and postfix. Right now the config in postfix looks like this:
import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
smtpd_sasl_local_domain = mailman01.theoutside.rnr
Does what I'm trying to do make sense? If so, how do I fix it? Do I have to stop using dovecot sasl in postfix and switch to cyrus sasl?
-- Ranbir
Hi Ranbir
This is more of a postfix question, but I have done these configs before in a BETA-Lab and it's a real pain. I'll be glad to help if I can.
In my environment I had postfix directly authenticating SASL with the IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be registered with principal smtp/HOSTNAME.
##
# /etc/postfix/sasl/smtpd.conf
##
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN

##
# /etc/default/saslauthd
##
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Regards,
Manuel Delgado
Linux User #520940 http://counter.li.org/
MSc in Computing and Informatics, Universidad de Costa Rica, Centro de Informática
On Sun, Dec 13, 2015 at 11:21 AM, Ranbir m3freak@thesandhufamily.ca wrote:
> Hi Everyone,
> I'm currently using dovecot SASL in postfix and passwd-file in dovecot for authenticating my users. I want to switch to using IPA instead.
> I have both the postfix (mailman01) and dovecot (mailman02) servers joined to the IPA domain. I have GSSAPI working in dovecot for IMAP. But, the SASL GSSAPI authentication in postfix fails with this error:
> warning: unknown[10.200.5.100]: SASL GSSAPI authentication failed:
> This is what dovecot logs:
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: auth client connected (pid=0)
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: client in: AUTH 1 GSSAPI service=smtp nologin lip=10.200.9.14 rip=10.200.5.100 secured resp=<hidden>
> Dec 12 22:31:54 mailman02 dovecot: auth: Debug: gssapi(?,10.200.5.100): Obtaining credentials for smtp@mailman02.theinside.rnr
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Unspecified GSS failure. Minor code may provide more information
> Dec 12 22:31:54 mailman02 dovecot: auth: gssapi(?,10.200.5.100): While processing incoming data: Wrong principal in request
> Dec 12 22:31:56 mailman02 dovecot: auth: Debug: client passdb out: FAIL 1
> I've tried changing the "smtpd_sasl_local_domain" in postfix's main.cf file to "mailman02.theinside.rnr", but I get the same errors in dovecot and postfix. Right now the config in postfix looks like this:
> import_environment="KRB5_KTNAME=/etc/postfix/smtp.keytab"
> smtpd_sasl_local_domain = mailman01.theoutside.rnr
> Does what I'm trying to do make sense? If so, how do I fix it? Do I have to stop using dovecot sasl in postfix and switch to cyrus sasl?
> -- Ranbir
On Mon, 2015-12-14 at 09:10 -0600, Manuel Delgado wrote:
> This is more of a postfix question, but I have done these configs before in a BETA-Lab and it's a real pain. I'll be glad to help if I can.
> In my environment I had postfix directly authenticating SASL with the IPA server (FreeIPA) using Cyrus SASL libs. In IPA the service must be registered with principal smtp/HOSTNAME.
I managed to get past the SASL GSSAPI errors in postfix and now I'm seeing this in dovecot whenever postfix tries to deliver a message via lmtp:
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password(ranbir@theinside.rnr,DESKTOP): passdb doesn't support credential lookups
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: password(ranbir@theinside.rnr,DESKTOP): Credentials:
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: client passdb out: OK 1 user=ranbir@theinside.rnr
Dec 14 17:24:49 mailman02 dovecot: imap(ranbir@theinside.rnr): Debug: acl vfile: file /var/spool/mail/thesandhufamily.ca/ranbir/Maildir/.Sent/dovecot-acl not found
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Debug: none: root=, index=, indexpvt=, control=, inbox=, alt=
Dec 14 17:24:49 mailman02 dovecot: lmtp(15525): Connect from POSTFIX
Dec 14 17:24:49 mailman02 dovecot: auth: Debug: master in: USER 2 ranbir@thesandhufamily.ca service=lmtp lip=DOVECOT lport=24 rip=POSTFIX rport=56214
Dec 14 17:24:49 mailman02 dovecot: auth-worker(15521): Debug: passwd(ranbir@thesandhufamily.ca,POSTFIX): lookup
Dec 14 17:24:50 mailman02 dovecot: auth-worker(15521): passwd(ranbir@thesandhufamily.ca,POSTFIX): unknown user
Dec 14 17:24:50 mailman02 dovecot: auth: Debug: userdb out: NOTFOUND 2
Obviously postfix replies with a "user doesn't exist" message.
I've tried creating a ldap_aliases file (and I added the config in main.cf) which should allow postfix to do a bind to my freeipa box, but postfix appears to never even try the ldap lookup. A manual test works OK, so I know the ldap_aliases file was done correctly.
Is it possible in Dovecot to translate the mail address lookup from postfix into just a "uid" search? If I could do that, Dovecot would find "ranbir" and report back to postfix the user exists.
-- Ranbir
On Mon, 2015-12-14 at 17:53 -0500, Ranbir wrote:
> Is it possible in Dovecot to translate the mail address lookup from postfix into just a "uid" search? If I could do that, Dovecot would find "ranbir" and report back to postfix the user exists.
I sent this and then realized I could just strip the domain in Dovecot with "auth_username_format = %Ln". Doh!
Anyway, I figured it all out. I now have my IPA-joined Dovecot + Postfix system using GSSAPI and PLAIN. The passwd database is using pam (i.e. sss) and the user database is configured to use passwd-file. I stuck with the passwd-file for the userdb because it was simply much easier to add the mail location for my public imap folders to it than adding them to my IPA server, which would have required me to extend the LDAP schema. I've struggled enough as it is! :P
-- Ranbir
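As an added illustration (not code from the thread or from Dovecot itself), the following Python simulates the userdb passwd-file lookup that returned NOTFOUND above and what "auth_username_format = %Ln" changes: the passwd-file contents and the "public" entry are constructed, and the format expansion covers only the %u/%n/%d variables and the %L modifier.

```python
import re
# Constructed passwd-file in Dovecot userdb format (not from the thread):
# user:password:uid:gid:gecos:home:shell:extra_fields
# extra_fields is a space-separated list of key=value pairs; "mail=" is the
# per-user mail location, with "~" standing for the home directory.
PASSWD_FILE = """\
ranbir::1001:1001::/var/spool/mail/thesandhufamily.ca/ranbir::mail=maildir:~/Maildir
public::1002:1002::/var/spool/mail/public::mail=maildir:~/Maildir
"""

def parse_passwd_file(text):
    """Parse passwd-file lines into {user: {uid, gid, home, extra}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # maxsplit=7 keeps the ':' inside "maildir:~/Maildir" intact
        fields = line.split(":", 7)
        user, _pw, uid, gid, _gecos, home, _shell = (fields + [""] * 7)[:7]
        extra = fields[7] if len(fields) > 7 else ""
        extra_fields = dict(kv.split("=", 1) for kv in extra.split() if "=" in kv)
        users[user] = {"uid": uid, "gid": gid, "home": home, "extra": extra_fields}
    return users

def apply_username_format(address, fmt):
    """Expand the auth_username_format variables used here: %u (as received),
    %n (local part), %d (domain) and the %L lowercase modifier, e.g. %Ln."""
    local, _, domain = address.partition("@")
    def expand(m):
        value = {"u": address, "n": local, "d": domain}[m.group(2)]
        return value.lower() if m.group(1) else value
    return re.sub(r"%(L?)([und])", expand, fmt)

def userdb_lookup(users, requested, username_format="%u"):
    """Mimic the master 'USER' lookup: normalise, then look up in the userdb.
    Returns ("OK", key, entry) or ("NOTFOUND", key, None)."""
    key = apply_username_format(requested, username_format)
    entry = users.get(key)
    return ("OK", key, entry) if entry else ("NOTFOUND", key, None)

def mail_location(entry):
    """Resolve '~' in the userdb mail setting against the user's home."""
    return entry["extra"].get("mail", "").replace("~", entry["home"], 1)

if __name__ == "__main__":
    users = parse_passwd_file(PASSWD_FILE)
    # Full address as Postfix hands it over LMTP: the userdb has no such key.
    print(userdb_lookup(users, "ranbir@thesandhufamily.ca")[:2])
    # With %Ln the domain is stripped and the name lowercased before lookup.
    print(userdb_lookup(users, "Ranbir@thesandhufamily.ca", "%Ln")[:2])
```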