Install and configure DKIM with Postfix on RHEL7

Introduction DKIM (Domain Keys Identified Mail) is a measure against email spoofing, Phishing and SPAM mails. Its easy to implement as you will learn in this article. DKIM signs emails on the outgoing SMTP server, the receiving SMTP can verify the signature by looking up the mail._domainkey TXT DNS record of the respective domain to check if the email originates from that domain or if it is forged. This howto can be used to implement DKIM on a SMTP server ….Read More

Integrate Dovecot IMAP with (Free)IPA using Kerberos SSO

Dovecot can make use of Kerberos authentication and enjoying Single-Sign-On when checking emails via IMAP. This post shows you how you enable this feature. With IPA its rather simple to do so. First enroll your mail server to the IPA domain with ipa-client-install as described in various previously posted articles. Creating a Kerberos Service Priciple Ensure you have a Kerberos ticket as admin user ipa1:~# kinit admin Password for admin@EXAMPLE.COM: ipa1:~# ipa1:~# ipa service-add imap/mail.example.com ——————————————— Added service “imap/mail.example.com@EXAMPLE.COM” ——————————————— ….Read More

Using IPA for user authentication and RBAC in Ansible Tower

Ansible is a great orchestration tool. Ansible Tower is the enterprise version of Ansible adding features like a WebUI, RestAPI and others. Tower has also some features like role-based access control allowing to control which user is allowed to run which playbooks on which infrastructure, servers and so on. In larger environments, this is not done manually but using a centrally managed Identity Management System such as Redhat IdM with IPA or Microsoft Active Directory. This post covers how to ….Read More

FreeIPA and Selective 2FA with Kerberos Authentication Indicators

One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA. Usecases Usually a Linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers. Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users accessing this services without 2FA while ….Read More

Migrating from CentOS7 to RHEL7

There are various reasons why to migrate from CentOS to RHEL. Quicker access to bugfixes and new minor releases as well as having a fully commercially supported system. There are different tutorial on the net how to migrate from RHEL to CentOS but almost no information about the other way round. It is quite simple and at the end of the day you have only Red Hat Packages installed. In 2012 I wrote an article about Migrating from CentOS6 to ….Read More

Using (Free)IPA ID-Views with LDAP for your legacy servers

Having pain with user authentication on your old legacy Unix servers? Here comes the solution: ID-Views via LDAP. If you need to preserve UID/GID or other stuff like shell on some legacy servers but want to have the benefits of a centrally managed identity management, then ID-Views is the answer. Since legacy servers usually do not have SSSD on board, such as traditional Unix Systems, you can also use LDAP to authenticate such users. Use cases You have different users ….Read More

Integrate IPA in your Web application i.e. WordPress

Tired of log in to your favorite Web application? Integrate it with IPA, kerberize it! This blog post will guide you trough the kerberization of WordPress running on RHEL7 or Fedora. The magic is done by mod_intercept_form_submit and mod_auth_gssapi Assumptions You have a running IPA or FreeIPA infrastructure Your Kerberos REALM is EXAMPLE.COM The hostname where your WordPress instance is running is wptest.example.com WordPress is installed in /var/www/html and ready to run You are using a Linux Workstation with Kerberos, ….Read More

Setting up IPA with a specific CA cert subject

If you are doing experiments with IPA where you install and reinstall IPA servers, you may notice SSL certificate errors when connecting to an IPA server using Firefox. The reason is that always the same Organization and serial is used when the CA cert is created. Normal users are usually only affected when using the same Realm and DNS subdomain for the test and production environment which is not recommended anyway. Reproducing the issue 1. Set up IPA with ipa-server-install. ….Read More