Dovecot can make use of Kerberos authentication and enjoy Single Sign-On when checking emails via IMAP. This post shows you how to enable this feature. With IPA it's rather simple to do so.
First, enroll your mail server in the IPA domain with ipa-client-install, as described in various previously posted articles.
Creating a Kerberos Service Principal
Ensure you have a Kerberos ticket as the admin user:
ipa1:~# kinit admin
Password for admin@EXAMPLE.COM:
ipa1:~#

ipa1:~# ipa service-add imap/mail.example.com
---------------------------------------------
Added service "imap/mail.example.com@EXAMPLE.COM"
---------------------------------------------
  Principal name: imap/mail.example.com@EXAMPLE.COM
  Principal alias: imap/mail.example.com@EXAMPLE.COM
  Managed by: mail.example.com
ipa1:~#
Fetch and install the Kerberos Keytab for Dovecot
Log in to your mailserver and get a Kerberos ticket as well:
mail:~# kinit admin
Password for admin@EXAMPLE.COM:
mail:~#
Fetch the Keytab:
mail:~# ipa-getkeytab -s ipa1.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot-krb5.keytab
Keytab successfully retrieved and stored in: /etc/dovecot/dovecot-krb5.keytab
mail:~#
A common mistake is to have the wrong ownership and access rights on the keytab file. Dovecot must be able to read it, and nobody else should:
mail:~# chown dovecot:dovecot /etc/dovecot/dovecot-krb5.keytab
mail:~# chmod 600 /etc/dovecot/dovecot-krb5.keytab
Edit the following lines in /etc/dovecot/conf.d/10-auth.conf:
auth_krb5_keytab = /etc/dovecot/dovecot-krb5.keytab
auth_mechanisms = plain gssapi login
auth_gssapi_hostname = mail.example.com
auth_realms = EXAMPLE.COM
auth_default_realm = EXAMPLE.COM
A note about auth_mechanisms: usually you don't want Kerberos-only authentication, but plain (over TLS/SSL) as well.
Testing
In /var/log/maillog, check whether you see messages similar to this one (method=GSSAPI shows that the Kerberos ticket was used):
Feb 19 11:43:25 mail dovecot: imap-login: Login: user=, method=GSSAPI, rip=10.10.10.10, lip=192.168.0.10, mpid=5195, TLS, session=<asdfasdfasdf>
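As an added example (not code from the post), a small Python script that parses Dovecot login lines of the kind shown above from a constructed maillog sample, counts logins per authentication mechanism and flags PLAIN or LOGIN logins that arrived without TLS, which matters because the auth_mechanisms setting above keeps plain alongside gssapi. The user names, addresses and session ids in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample /var/log/maillog lines (not from the post), in the format
# of the Dovecot login line shown above; users, IPs and session ids are made up.
SAMPLE_LOG = """\
Feb 19 11:43:25 mail dovecot: imap-login: Login: user=<alice>, method=GSSAPI, rip=10.10.10.10, lip=192.168.0.10, mpid=5195, TLS, session=<asdfasdfasdf>
Feb 19 11:44:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.10.10.11, lip=192.168.0.10, mpid=5201, TLS, session=<qwerqwerqwer>
Feb 19 11:45:17 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=10.10.10.12, lip=192.168.0.10, mpid=5210, session=<zxcvzxcvzxcv>
Feb 19 11:46:40 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=10.10.10.13, lip=192.168.0.10, TLS, session=<tyuityuityui>
"""

# Matches successful "Login:" lines only; the text between mpid and session
# carries the connection flags ("TLS", or "secured" for trusted connections).
LOGIN_RE = re.compile(
    r"dovecot: imap-login: Login: user=(?:<(?P<user>[^>]*)>)?, method=(?P<method>\w+), "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), mpid=\d+,(?P<flags>.*?)session=<"
)

def parse_login(line):
    """Return a dict for a successful IMAP login line, or None for anything else."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
    return {
        "user": m.group("user") or "",
        "method": m.group("method").upper(),
        "rip": m.group("rip"),
        "tls": "TLS" in flags or "secured" in flags,
    }

def summarize(log_text):
    """Count logins per mechanism and list PLAIN/LOGIN logins made without TLS."""
    methods = Counter()
    unprotected = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        methods[rec["method"]] += 1
        if rec["method"] in ("PLAIN", "LOGIN") and not rec["tls"]:
            unprotected.append((rec["user"], rec["rip"]))
    return {"methods": dict(methods), "unprotected": unprotected}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("logins by mechanism:", result["methods"])
    for user, rip in result["unprotected"]:
        print(f"WARNING: password sent without TLS: user={user} rip={rip}")
```

Run it against a real log with `summarize(open("/var/log/maillog").read())`; a non-empty "unprotected" list means a client is still sending passwords in the clear and the TLS requirement should be enforced.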
How about LDAP?
Since identity lookup is done with sssd, LDAP integration is not needed in this case; there is no benefit in using LDAP.
Greetings.
I have a similar configuration, in this case I integrated a freeradius server into freeipa. Everything works fine, for 24 hours, then I have to re-issue the ipa-getkeytab because the ticket expires and the service stops. How can I overcome this?
No clue. Maybe it has something to do with the Radius integration? You may ask that question in the FreeIPA mail list, see https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/
Thanks,
Luc