Dovecot can use Kerberos authentication, giving you single sign-on when checking email via IMAP. This post shows how to enable this feature; with IPA it's rather simple.
First, enroll your mail server in the IPA domain with ipa-client-install, as described in various previously posted articles.
Creating a Kerberos Service Principal
Ensure you have a Kerberos ticket as the admin user:
ipa1:~# kinit admin
Password for admin@EXAMPLE.COM:
ipa1:~#

ipa1:~# ipa service-add imap/mail.example.com
---------------------------------------------
Added service "imap/mail.example.com@EXAMPLE.COM"
---------------------------------------------
  Principal name: imap/mail.example.com@EXAMPLE.COM
  Principal alias: imap/mail.example.com@EXAMPLE.COM
  Managed by: mail.example.com
ipa1:~#
Fetch and install the Kerberos Keytab for Dovecot
Log in to your mail server and get a Kerberos ticket there as well:
mail:~# kinit admin
Password for admin@EXAMPLE.COM:
mail:~#
Fetch the keytab:
mail:~# ipa-getkeytab -s ipa1.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot-krb5.keytab
Keytab successfully retrieved and stored in: /etc/dovecot/dovecot-krb5.keytab
mail:~#
A common mistake is wrong ownership or access rights on the keytab file; it must be owned by the dovecot user and readable only by it:
mail:~# chown dovecot:dovecot /etc/dovecot/dovecot-krb5.keytab
mail:~# chmod 600 /etc/dovecot/dovecot-krb5.keytab
Edit the following lines in /etc/dovecot/conf.d/10-auth.conf:
auth_krb5_keytab = /etc/dovecot/dovecot-krb5.keytab
auth_mechanisms = plain gssapi login
auth_gssapi_hostname = mail.example.com
auth_realms = EXAMPLE.COM
auth_default_realm = EXAMPLE.COM
A note about auth_mechanisms: usually you don't want Kerberos-only authentication, but plain (over TLS/SSL only) as well.
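As an added check (example script, not part of the original post), the following POSIX shell functions verify the two things this setup most often gets wrong: the keytab's ownership and mode, and an auth_mechanisms line that offers plain or login while plaintext authentication is allowed on unencrypted connections. It assumes GNU stat and the key = value layout of 10-auth.conf; disable_plaintext_auth is Dovecot's own setting (default yes) and is not mentioned in the post.

```shell
#!/bin/sh
# Post-install checks for the Dovecot/IPA Kerberos setup.
# Added example, not from the original post. Assumes GNU stat (Linux)
# and a 10-auth.conf in Dovecot's "key = value" format.

# check_keytab FILE OWNER:GROUP
# The keytab holds the long-term imap/ service key: it must exist, be
# owned by the Dovecot user and be readable by nobody else (mode 600).
check_keytab() {
    kt=$1; want_owner=$2
    [ -f "$kt" ] || { echo "FAIL: keytab $kt missing"; return 1; }
    mode=$(stat -c '%a' "$kt"); owner=$(stat -c '%U:%G' "$kt")
    rc=0
    [ "$mode" = "600" ] || { echo "FAIL: $kt mode $mode, want 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "FAIL: $kt owned by $owner, want $want_owner"; rc=1; }
    return $rc
}

# conf_get FILE KEY: prints the value of "KEY = value" (comments ignored, last match wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_auth_conf FILE
# gssapi must be offered; plain/login are acceptable only while plaintext
# auth stays disabled on unencrypted connections (Dovecot's default "yes").
check_auth_conf() {
    conf=$1; rc=0
    mechs=$(conf_get "$conf" auth_mechanisms)
    case " $mechs " in
        *" gssapi "*) ;;
        *) echo "FAIL: auth_mechanisms='$mechs' lacks gssapi"; rc=1 ;;
    esac
    plaintext=$(conf_get "$conf" disable_plaintext_auth)
    case " $mechs " in
        *" plain "*|*" login "*)
            if [ "${plaintext:-yes}" = "no" ]; then
                echo "FAIL: plain/login offered with disable_plaintext_auth = no"; rc=1
            fi ;;
    esac
    [ -n "$(conf_get "$conf" auth_krb5_keytab)" ] || { echo "FAIL: auth_krb5_keytab unset"; rc=1; }
    return $rc
}
```

Run it on the mail server as check_keytab /etc/dovecot/dovecot-krb5.keytab dovecot:dovecot and check_auth_conf /etc/dovecot/conf.d/10-auth.conf; a non-zero exit means at least one FAIL line was printed.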
In /var/log/maillog, check that you see messages similar to this:
Feb 19 11:43:25 mail dovecot: imap-login: Login: user=, method=GSSAPI, rip=10.10.10.10, lip=192.168.0.10, mpid=5195, TLS, session=<asdfasdfasdf>
How about LDAP?
Since identity lookup is done by sssd, LDAP integration is not needed in this case; there is no benefit in using LDAP.
6 thoughts on “Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO”
I have a similar configuration, in this case I integrated a freeradius server into freeipa. Everything works fine, for 24 hours, then I have to re-issue the ipa-getkeytab because the ticket expires and the service stops. How can I overcome this?
No clue. Maybe it has something to do with the Radius integration? You may ask that question in the FreeIPA mail list, see https://email@example.com/
Using SquirrelMail if the user password is expired the dovecot logs show:
auth: Debug: client passdb out: FAIL 1 firstname.lastname@example.org code=pass_expired reason=Password expired original_user=ouruser
Apr 26 11:46:50 imap-login: Debug: Ignoring unknown passdb extra field: original_user
Apr 26 11:46:50 imap-login: Info: Aborted login (password expired): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=
Apr 26 11:47:47 auth-worker(599372): Debug: conn unix:auth-worker (pid=599371,uid=495): Disconnected: Connection closed (fd=-1)
But the SquirrelMail page just shows: Unknown user or password incorrect.
Not sure if there’s a work around but it’d be nice to tell the user to change their password.
That’s a common problem for all non-PAM/SSSD systems and AFAIK there is no workaround available.
Thanks, I tried the Dovecot mailing list and got no reply after several days.
Also if a user was over the system quota there was no way to tell on the webmail page that they were over quota but the dovecot logs show imap(ouruser): Error: mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded.
I take it there would be a security risk if the web page displayed a warning that could be generalized to inform the user to either check their quota or password reset being needed?
Yes, that would indeed be a security risk because of information disclosure: an attacker would get the information that the username is correct. What you can do is send an email to the user before the quota is exhausted or the password is expired. Another possibility is to send that information via a separate communication channel such as SMS.