On 1 November 2012 15:07, Stephen Ingram <sbing...@gmail.com> wrote:

> On Wed, Oct 31, 2012 at 6:25 PM, Peter Brown <rendhal...@gmail.com> wrote:
> > On 1 November 2012 08:20, Stephen Ingram <sbing...@gmail.com> wrote:
> >>
> >> On Tue, Oct 30, 2012 at 6:34 PM, Peter Brown <rendhal...@gmail.com> wrote:
> >> > Hi everyone,
> >> >
> >> > I have been trying to work out how to achieve this.
> >> > I have FreeIPA 3.0.0 set up on a Fedora 18 server and I have Postfix and
> >> > Dovecot on my new mail server authenticating against FreeIPA.
> >> > One last thing I would love to do is pull down the virtual users and
> >> > aliases for the domains my mail server will be serving from FreeIPA.
> >> > Is this possible?
> >> > Is this all automatic due to sssd looking up the user details in the DS?
> >> > Does it do the same for domains and email aliases, or will I need extra
> >> > lookups to achieve this?
> >>
> >> I've recently built an entire mail system around FreeIPA and it works
> >> great. There are two parts to be concerned with:
> >>
> >> 1. Authentication - With Postfix, this is handled by saslauthd which
> >> can authenticate against Kerberos (using or not using sssd). I used
> >> Cyrus-IMAP for the mailstore which also uses saslauthd. Dovecot has
> >> its own SASL built in which can authenticate against Kerberos or
> >> LDAP, thus it should work with IPA.
> >
> > I have Dovecot authing against FreeIPA (via PAM) and I set up a SASL auth
> > instance in Dovecot and have Postfix authing against that.
> > I figured why set up another SASL auth daemon when Dovecot can do it for me,
> > so they effectively use the same authentication source.
> >
> >> 2. Configuration - With Postfix, you can set all different areas (e.g.
> >> virtual, aliases, etc.) to use LDAP lookup of configuration
> >> information. You are typically searching for the email address (mail
> >> attribute in IPA) and your search will generally return the userid
> >> (uid attribute) of where the mail is to be stored. I don't believe
> >> that Dovecot or Cyrus-IMAP have any way of maintaining any
> >> configuration in LDAP so you generally have to set up mailboxes and
> >> authorization information by hand using their tools.
> >
> > I have most of that worked out but getting delivery addresses for domains
> > that aren't the base is proving tricky.
> > It's looking like I will need to add some extra schemas to the DS so I can
> > add the delivery domain to each user and somehow use that to construct the
> > delivery address.
> > I am not sure I can do that though.
>
> I didn't really have to add anything except for one extra attribute.
> You can group your users into user groups representing the domains
> they belong to such that Postfix can query whether or not to accept
> for a domain or not. I added mailAlternateAddress for aliases rather
> than use the multi-value attribute mail so I can have a "master" email
> address for each user. It was easy to do with the existing schema
> (mailRecipient objectclass). BTW if you haven't already figured it
> out, postmap -q is your friend when setting up your LDAP config in
> Postfix. Just keep adjusting everything until you get the answer you
> (and Postfix) expect.

I discovered that attribute when I was digging around in the LDIF files
and I was just wondering why they didn't use that for setting aliases.
It would certainly make my LDAP queries for Postfix a lot simpler.
I added the mailRecipient class to the defaults for users and tried to use

    ipa user-mod --setattr=mailAlternateAddress=

and it is telling me

    ipa: ERROR: attribute "mailAlternateAddress" not allowed

I have also tried setting a few other non-standard attributes that seem
to be in the default schemas already and they all give me the same error.
Am I missing something?

> > I am half tempted to add the extra components of 389-ds and see if that
> > will let me do what I need.
> >
> > On a side note the FreeIPA lads seem to be working out how to add
> > multitenancy support so it will be capable of serving multiple separate
> > Kerberos principals.
> > That would help a lot but I need to cobble something together now.
>
> Yes, if you want unique uid's within each domain you'll have to wait
> for that. I gave up on that notion and simply require unique uids for
> every user regardless of domain and deliver to a single domain style
> mail store setup.

Yeah, that's tempting but I need to have separate domains.

> Steve
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
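The Postfix-side lookup Steve describes above (search for the address in mail or mailAlternateAddress and return uid; one group per domain so Postfix can decide whether to accept the domain; verify with postmap -q), worked through as an added example. This is not code from the thread, from FreeIPA or from Postfix: it emulates an ldap_table(5)-style query_filter / result_attribute lookup against a constructed in-memory stand-in for the cn=accounts tree so it runs offline, and the DNs, group names, addresses and the two table definitions are assumptions.

```python
"""Emulate `postmap -q key ldap:table.cf` against a constructed stand-in for a
FreeIPA cn=accounts tree.  Added example for this thread; not FreeIPA or Postfix
code.  DNs, groups, addresses and table definitions below are assumptions."""
import re

# Constructed entries.  Assumes users carry the mailRecipient objectclass (so
# mailAlternateAddress is allowed) and that the memberOf plugin has populated
# memberOf for the per-domain groups.
DIRECTORY = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["alice"], "mail": ["alice@example.com"],
     "mailAlternateAddress": ["postmaster@example.com", "al@example.com"],
     "memberOf": ["cn=example.com,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["bob"], "mail": ["bob@example.net"],
     "memberOf": ["cn=example.net,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"dn": "cn=example.com,cn=groups,cn=accounts,dc=example,dc=com",
     "cn": ["example.com"], "objectClass": ["groupOfNames"]},
    {"dn": "cn=example.net,cn=groups,cn=accounts,dc=example,dc=com",
     "cn": ["example.net"], "objectClass": ["groupOfNames"]},
]

# Assumed table definitions, i.e. what would go into two ldap:*.cf files.
DOMAINS = {   # virtual_mailbox_domains: accept a domain iff a group is named after it
    "search_base": "cn=groups,cn=accounts,dc=example,dc=com",
    "query_filter": "(&(objectClass=groupOfNames)(cn=%s))",
    "result_attribute": "cn",
}
MAILBOXES = {  # virtual_mailbox_maps: address or alias -> uid, and only when the
               # user belongs to the group for that address's domain
    "search_base": "cn=users,cn=accounts,dc=example,dc=com",
    "query_filter": "(&(|(mail=%s)(mailAlternateAddress=%s))"
                    "(memberOf=cn=%d,cn=groups,cn=accounts,dc=example,dc=com))",
    "result_attribute": "uid",
    "result_format": "%s/",   # path relative to virtual_mailbox_base
}

def _escape(value):
    """RFC 4515 escaping of filter metacharacters, as Postfix applies to %s/%u/%d."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def expand(template, key):
    """Postfix %-expansion: %s whole key, %u local part, %d domain (the query is
    suppressed when %d is used and the key has no domain), %% a literal %."""
    local, at, domain = key.partition("@")
    if "%d" in template and not at:
        return None
    subs = {"s": _escape(key), "u": _escape(local if at else key),
            "d": _escape(domain), "%": "%"}
    return re.sub(r"%([sud%])", lambda m: subs[m.group(1)], template)

def parse_filter(s, i=0):
    """Tiny RFC 4515 parser: (&...), (|...), (!...) and attr=value leaves."""
    assert s[i] == "(", "filter must start with ("
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    j = s.index(")", i)          # an escaped ")" arrives as "\29", so this is safe
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def _values(entry, attr):
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    have = [v.lower() for v in _values(entry, attr)]
    if raw == "*":               # presence test; an escaped "\2a" must NOT get here
        return bool(have)
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return want.lower() in have  # mail, cn and DN syntaxes are case-insensitive

def ldap_lookup(table, key):
    """What `postmap -q key ldap:table.cf` would print, or None for no match."""
    flt = expand(table["query_filter"], key)
    if flt is None:
        return None
    tree, _ = parse_filter(flt)
    base = table["search_base"].lower()
    found = []
    for entry in DIRECTORY:
        if entry["dn"].lower().endswith(base) and matches(tree, entry):
            for attr in table["result_attribute"].split(","):
                found.extend(_values(entry, attr.strip()))
    if not found:
        return None
    return ",".join(table.get("result_format", "%s").replace("%s", v) for v in found)

if __name__ == "__main__":
    for key in ("example.com", "example.org"):
        print("domains", key, "->", ldap_lookup(DOMAINS, key))
    for key in ("alice@example.com", "postmaster@example.com", "bob@example.com",
                "x)(uid=*@example.com"):
        print("mailbox", key, "->", ldap_lookup(MAILBOXES, key))
```

Two things worth checking with the real `postmap -q` once a table like MAILBOXES is in place: an alias whose domain does not match the user's group (bob@example.com here) must come back empty, otherwise a user in one tenant domain can claim addresses in another; and a key containing filter metacharacters (the last lookup above) must also come back empty, which relies on Postfix escaping the %s/%u/%d expansions rather than on the filter itself. On the `ipa user-mod --setattr` error in the message above: the 389-ds schema check rejects an attribute unless one of the entry's own objectclasses allows it, and changing the default user objectclasses (`ipa config-mod --userobjectclasses`) only applies to users created afterwards, so an existing entry needs the objectclass added first, e.g. `ipa user-mod alice --addattr objectclass=mailRecipient`, before `--setattr=mailAlternateAddress=...` is accepted.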