Install and configure DKIM with Postfix on RHEL7

Introduction DKIM (Domain Keys Identified Mail) is a measure against email spoofing, Phishing and SPAM mails. Its easy to implement as you will learn in this article. DKIM signs emails on the outgoing SMTP server, the receiving SMTP can verify the signature by looking up the mail._domainkey TXT DNS record of the respective domain to check if the email originates from that domain or if it is forged. This howto can be used to implement DKIM on a SMTP server ….Read More

Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO

Dovecot can make use of Kerberos authentication and enjoying Single-Sign-On when checking emails via IMAP. This post shows you how you enable this feature. With IPA its rather simple to do so. First enroll your mail server to the IPA domain with ipa-client-install as described in various previously posted articles. Creating a Kerberos Service Priciple Ensure you have a Kerberos ticket as admin user ipa1:~# kinit admin Password for admin@EXAMPLE.COM: ipa1:~# ipa1:~# ipa service-add imap/mail.example.com ——————————————— Added service “imap/mail.example.com@EXAMPLE.COM” ——————————————— ….Read More

FreeIPA and Selective 2FA with Kerberos Authentication Indicators

One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA. Usecases Usually a Linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers. Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users accessing this services without 2FA while ….Read More

Using (Free)IPA ID-Views with LDAP for your legacy servers

Having pain with user authentication on your old legacy Unix servers? Here comes the solution: ID-Views via LDAP. If you need to preserve UID/GID or other stuff like shell on some legacy servers but want to have the benefits of a centrally managed identity management, then ID-Views is the answer. Since legacy servers usually do not have SSSD on board, such as traditional Unix Systems, you can also use LDAP to authenticate such users. Use cases You have different users ….Read More

Integrate IPA in your Web application i.e. WordPress

Tired of log in to your favorite Web application? Integrate it with IPA, kerberize it! This blog post will guide you trough the kerberization of WordPress running on RHEL7 or Fedora. The magic is done by mod_intercept_form_submit and mod_auth_gssapi Assumptions You have a running IPA or FreeIPA infrastructure Your Kerberos REALM is EXAMPLE.COM The hostname where your WordPress instance is running is wptest.example.com WordPress is installed in /var/www/html and ready to run You are using a Linux Workstation with Kerberos, ….Read More

Setting up IPA with a specific CA cert subject

If you are doing experiments with IPA where you install and reinstall IPA servers, you may notice SSL certificate errors when connecting to an IPA server using Firefox. The reason is that always the same Organization and serial is used when the CA cert is created. Normal users are usually only affected when using the same Realm and DNS subdomain for the test and production environment which is not recommended anyway. Reproducing the issue 1. Set up IPA with ipa-server-install. ….Read More

Updating Fedora to version 23 – how to workaround some issues

After upgrading two machines from Fedora 22 to 23 I stumbled upon some severe issues. Most of them are easy to solve. This weekend I’ve found some time to upgrade my headless router and one of my workstations. Unfortunately is did not went that smooth like the past few upgrades. No initrd created and grub config lacks initrd reference This seems to be connected to the Plymouth issue as described here: Common F23 bugs. On my headless machine I only ….Read More

2FA with (Free) IPA. The good, the bad and the ugly

Two factor authentication (2FA) is more and more emerging which is good to enhance security. Since the release of IPA4 it comes with 2FA included. Over time I made a lot of experiments and experience I wanted to share with you. Its is easy to set up and maintain as long as you use it only for system authentication. If you are using such things as webmail, it fails. This post shows you the capabilities as they are of today. ….Read More