Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO

Dovecot can use Kerberos authentication, giving you single sign-on when checking email via IMAP. This post shows how to enable this feature; with IPA it is rather simple to do.

First, enroll your mail server in the IPA domain with ipa-client-install, as described in various earlier posts.

Creating a Kerberos Service Principal

Ensure you have a Kerberos ticket as the admin user, then add the service principal for the IMAP service:

ipa1:~# kinit admin
Password for admin@EXAMPLE.COM: 
ipa1:~#
ipa1:~# ipa service-add imap/mail.example.com
---------------------------------------------
Added service "imap/mail.example.com@EXAMPLE.COM"
---------------------------------------------
  Principal name: imap/mail.example.com@EXAMPLE.COM
  Principal alias: imap/mail.example.com@EXAMPLE.COM
  Managed by: mail.example.com
ipa1:~# 

Fetch and install the Kerberos Keytab for Dovecot

Log in to your mail server and get a Kerberos ticket there as well:

mail:~# kinit admin
Password for admin@EXAMPLE.COM: 
mail:~#

Fetch the Keytab:

mail:~# ipa-getkeytab -s ipa1.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot-krb5.keytab
Keytab successfully retrieved and stored in: /etc/dovecot/dovecot-krb5.keytab
mail:~# 

A common mistake is to have the wrong ownership and access rights on the keytab file. Only the dovecot user needs to read it:

mail:~# chown dovecot:dovecot /etc/dovecot/dovecot-krb5.keytab
mail:~# chmod 600 /etc/dovecot/dovecot-krb5.keytab

Edit the following lines in /etc/dovecot/conf.d/10-auth.conf:

auth_krb5_keytab = /etc/dovecot/dovecot-krb5.keytab
auth_mechanisms = plain gssapi login
auth_gssapi_hostname = mail.example.com
auth_realms = EXAMPLE.COM
auth_default_realm = EXAMPLE.COM

A note about auth_mechanisms: usually you don't want Kerberos-only authentication, but plain (over TLS/SSL) as well.
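The mail-server side of the procedure above (fetch the keytab, set ownership and mode, write the auth settings, verify) as reusable shell functions. This is an added example, not code from the original post. It assumes GNU stat(1), that the stock dovecot.conf includes conf.d/*.conf so a drop-in file 99-kerberos.conf is picked up, and that the full run is only started when the environment variable DOVECOT_KRB5_SETUP=1 is set; the function names and the 99-kerberos.conf path are this example's own choices, while the hostname, realm, IPA server and keytab path default to the post's values.

```shell
#!/bin/sh
# Added example (not from the original post): Dovecot Kerberos keytab setup
# and checks, wrapped in functions so the pieces can be reused and tested.
set -eu

# Render the 10-auth.conf lines from the post for a given host, realm and keytab.
render_dovecot_auth_conf() {
  host=$1; realm=$2; keytab=$3
  printf '%s\n' \
    "auth_krb5_keytab = $keytab" \
    "auth_mechanisms = plain gssapi login" \
    "auth_gssapi_hostname = $host" \
    "auth_realms = $realm" \
    "auth_default_realm = $realm"
}

# Fetch the imap/<host> keytab from the IPA server and lock it down.
# Needs a valid admin ticket (kinit admin) and a real IPA environment,
# so it is only called from the guarded full run below.
fetch_keytab() {
  ipa_server=$1; host=$2; keytab=$3
  ipa-getkeytab -s "$ipa_server" -p "imap/$host" -k "$keytab"
  chown dovecot:dovecot "$keytab"
  chmod 600 "$keytab"
}

# Return 0 if the keytab belongs to the expected user and is mode 600,
# i.e. the "common mistake" from the post is not present. Uses GNU stat(1).
check_keytab_perms() {
  keytab=$1; owner=$2
  [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
  set -- $(stat -c '%U %a' "$keytab")   # $1 = owner name, $2 = octal mode
  [ "$1" = "$owner" ] || { echo "wrong owner $1 on $keytab (want $owner)" >&2; return 1; }
  [ "$2" = "600" ]    || { echo "mode $2 on $keytab is too open (want 600)" >&2; return 1; }
}

# Full run, only on request:  DOVECOT_KRB5_SETUP=1 sh dovecot-krb5-setup.sh
if [ "${DOVECOT_KRB5_SETUP:-}" = "1" ]; then
  HOST=${HOST:-mail.example.com}
  REALM=${REALM:-EXAMPLE.COM}
  IPA_SERVER=${IPA_SERVER:-ipa1.example.com}
  KEYTAB=${KEYTAB:-/etc/dovecot/dovecot-krb5.keytab}

  fetch_keytab "$IPA_SERVER" "$HOST" "$KEYTAB"
  check_keytab_perms "$KEYTAB" dovecot
  klist -kt "$KEYTAB"                       # sanity check: list the principals in the keytab
  # Drop-in file instead of editing 10-auth.conf by hand (assumes conf.d/*.conf is included).
  render_dovecot_auth_conf "$HOST" "$REALM" "$KEYTAB" > /etc/dovecot/conf.d/99-kerberos.conf
  doveconf -n | grep -E '^auth_(mechanisms|gssapi_hostname|krb5_keytab|default_realm)'
fi
```

Without DOVECOT_KRB5_SETUP=1 the script only defines the functions, so it can be sourced to run check_keytab_perms on an existing installation before blaming Kerberos for a login failure.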

Testing

Check /var/log/maillog for messages similar to this one:

Feb 19 11:43:25 mail dovecot: imap-login: Login: user=, method=GSSAPI, rip=10.10.10.10, lip=192.168.0.10, mpid=5195, TLS, session=<asdfasdfasdf>
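A small log check to go with the line above, as an added example that is not part of the original post: it summarises imap-login lines by authentication mechanism, so GSSAPI (Kerberos SSO) logins can be seen next to PLAIN/LOGIN ones, flags plaintext mechanisms used without TLS (which the auth_mechanisms note above is about), and counts aborted logins by reason. The log lines written by sample_maillog are constructed for this example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Dovecot imap-login
# lines by mechanism and flag plaintext logins that were not protected by TLS.

# Write a few constructed maillog lines (not real logs) to the path in $1.
sample_maillog() {
  cat > "$1" <<'EOF'
Feb 19 11:43:25 mail dovecot: imap-login: Login: user=<alice>, method=GSSAPI, rip=10.10.10.10, lip=192.168.0.10, mpid=5195, TLS, session=<asdfasdfasdf>
Feb 19 11:44:02 mail dovecot: imap-login: Login: user=<bob>, method=GSSAPI, rip=10.10.10.11, lip=192.168.0.10, mpid=5201, TLS, session=<qwerqwerqwer>
Feb 19 11:45:10 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=10.10.10.12, lip=192.168.0.10, mpid=5210, TLS, session=<zxcvzxcvzxcv>
Feb 19 11:46:30 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=10.10.10.13, lip=192.168.0.10, mpid=5222, session=<tyuityuityui>
Feb 19 11:47:01 mail dovecot: imap-login: Login: user=<webmail>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=5230, secured, session=<ghjkghjkghjk>
Feb 19 11:48:15 mail dovecot: imap-login: Info: Aborted login (password expired): user=<erin>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<bnmbnmbnmbnm>
EOF
}

# Print "<mechanism> <count>" for every successful login in the file in $1.
summarize_logins() {
  awk '
    /imap-login: Login:/ {
      m = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^method=/) { m = $i; sub(/^method=/, "", m); sub(/,$/, "", m) }
      if (m != "") count[m]++
    }
    END { for (m in count) printf "%s %d\n", m, count[m] }
  ' "$1" | sort
}

# Print successful PLAIN/LOGIN logins that had neither TLS nor a "secured"
# (local/trusted) connection: the password crossed the network in the clear.
unprotected_plain_logins() {
  awk '/imap-login: Login:/ && /method=(PLAIN|LOGIN),/ && !/, TLS,/ && !/, secured,/' "$1"
}

# Print "<reason> <count>" for aborted logins, e.g. "password expired 1".
aborted_logins() {
  awk '
    match($0, /Aborted login \([^)]*\)/) {
      reason = substr($0, RSTART + 15, RLENGTH - 16)   # strip "Aborted login (" and ")"
      count[reason]++
    }
    END { for (r in count) printf "%s %d\n", r, count[r] }
  ' "$1" | sort
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp); sample_maillog "$f"
  echo "logins by mechanism:";   summarize_logins "$f"
  echo "unprotected plaintext:"; unprotected_plain_logins "$f"
  echo "aborted logins:";        aborted_logins "$f"
  rm -f "$f"
fi
```

Run it as `sh logincheck.sh demo` for the sample, or call the functions with /var/log/maillog as the argument on a real server; an empty result from unprotected_plain_logins is what you want to see once PLAIN is only offered over TLS.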

How about LDAP?

Since identity lookup is done by sssd, LDAP integration is not needed in this setup; there is no benefit in using LDAP.

6 thoughts on “Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO”

  1. Guillermo says:

    Greetings.
    I have a similar configuration; in this case I integrated a FreeRADIUS server into FreeIPA. Everything works fine for 24 hours, then I have to re-issue the ipa-getkeytab because the ticket expires and the service stops. How can I overcome this?

  2. RobbieTheK says:

    Using SquirrelMail, if the user password is expired the dovecot logs show:

    auth: Debug: client passdb out: FAIL 1 user=ouruser@ourdomain.edu code=pass_expired reason=Password expired original_user=ouruser
    Apr 26 11:46:50 imap-login: Debug: Ignoring unknown passdb extra field: original_user
    Apr 26 11:46:50 imap-login: Info: Aborted login (password expired): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=
    Apr 26 11:47:47 auth-worker(599372): Debug: conn unix:auth-worker (pid=599371,uid=495): Disconnected: Connection closed (fd=-1)

    But the SquirrelMail page just shows: Unknown user or password incorrect.

    Not sure if there’s a workaround, but it’d be nice to tell the user to change their password.

    • Luc de Louw says:

      Hi,

      That’s a common problem for all non-PAM/SSSD systems and AFAIK there is no workaround available.

      Sorry,

      Luc

      • RobbieTheK says:

        Thanks, I tried the Dovecot mailing list and got no reply after several days.

        Also, if a user was over the system quota there was no way to tell on the webmail page that they were over quota, but the dovecot logs show imap(ouruser): Error: mkdir(/path/to/ouruser/mail/.imap) failed: Disk quota exceeded.

        I take it there would be a security risk if the web page displayed a warning that could be generalized to inform the user to either check their quota or password reset being needed?

        • Luc de Louw says:

          Hi,

          Yes, that would indeed be a security risk because of information disclosure: an attacker would get the information that the username is correct. What you can do is send an email to the user before the quota is exhausted or the password expires. Another possibility is to send that information via a separate communication channel such as SMS.

          Cheers,

          Luc
