Configuring Dovecot to authenticate FreeIPA users using Kerberos (with Single Sign On)

monitorI have also posted this article on the project wiki which is linked here

The below details will walk you through how to add a Red Hat Enterprise Linux 6.2 system to an IPA domain, and then configure Dovecot to allow single sign on to user mailboxes with IMAP/S.

Details of this example are as follows

   Domain name:
   IPA Server:
   Dovecot Server:
   IPA Client:
   IPA User: user1 and user2

Please Note: This guide describes using SSL combined with Dovecot to deliver IMAPS support. This guide is not designed to cover how to create a valid SSL vertificate. This guide uses the default dovecot generated certificate and it is HIGHLY recommended that if you wish to deploy this into a production environment, that you replace this certificate with your own trusted/validated certificate

Add system to IPA Domain (ensure DNS is working correctly otherwise this step will fail)

# ipa-client-install -U -p admin -w mysecretpassword

Install Dovecot and set service to start on boot

# yum install dovecot
# chkconfig dovecot on

Edit /etc/dovecot/dovecot.conf to allow imap


#protocols = imap pop3 lmtp

and replace with

protocols = imap

Edit /etc/dovecot/conf.d/10-auth.conf to configure kerberos authentication

Enter the below lines at the end of the file /etc/dovecot/conf.d/10-auth.conf

userdb {
  driver = static
  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u

Next, find the below lines (these will be in various locations inside the file)

auth_mechanisms = plain
#auth_gssapi_hostname =
#auth_krb5_keytab =
#auth_realms =
#auth_default_realm =

and replace with

auth_mechanisms = gssapi
auth_gssapi_hostname =
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_realms =
auth_default_realm =

Create new IPA group for mailbox access

From your IPA server, create a new group for your users to store their mailbox

[root@ds01 ~]# ipa group-add
 Group name: mailusers
 Description: Mail User Group
 Added group "mailusers"
 Group name: mailusers
 Description: Mail User Group
 GID: 1427200003
[root@ds01 ~]#

Add users to “mailusers” group

Add your users to the new group

[root@ds01 ~]# ipa group-add-member mailusers
[member user]: user1
[member group]: 
  Group name: mailusers
  Description: Mail User Group
  GID: 1427200003
  Member users: user1
Number of members added 1
[root@ds01 ~]#

Create new directory for user mailboxes

Create a new directory to be used as your mail store for the server. Also remember to change the group membership to allow your “mailusers” to be able to write to the folder.

mkdir /mail
chmod 770 /mail
chgrp mailusers /mail
chcon -t user_home_t /mail

Note: If you wish to use file system quotas or add high availability to your solution, having this folder on a shared file system would be very beneficial.

Edit /etc/dovecot/conf.d/10-mail.conf to configure the mailbox location


#mail_location =

and replace with

mail_location = mbox:/mail/%u/:INBOX=/var/mail/%u

Generate a kerberos keytab for Dovecot IMAP access

On the IPA server run:

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa service-add imap/

If successful, you will see the below output

Added service "imap/"
  Principal: imap/
  Managed by:

On the Dovecot server run:

# ipa-getkeytab -s -p imap/ -k /etc/dovecot/krb5.keytab

if successful, you will see the below output:

Keytab successfully retrieved and stored in: /etc/dovecot/krb5.keytab

Change the permissions of the keytab to allow Dovecot to read the file (Note, this should be kept secure, so only grant enough privileges as absolutely necessary.)

# chown root:dovecot /etc/dovecot/krb5.keytab
# chmod 640 /etc/dovecot/krb5.keytab

Restart Dovecot

# service dovecot restart
Stopping Dovecot IMAP: ................                           [  OK  ]
Starting Dovecot IMAP: .                                          [  OK  ]

Send a test email to your user

From your Dovecot server, run the following command:

# echo Hello | mail -s Hello

Configure Thunderbird to connect to IMAP Server

  1. Open Thunderbird
  2. Click the Edit Menu and select Account Settings
  3. Under Account Actions (Bottom left), select “Add Mail Account”
  4. Enter Name (user1), Email Address( and leave password blank, then click continue
  5. Verify the username is user1 (not, Set the imcoming server to, select IMAP, Set port to 993, and select SSL/TLS. Then click Manual Setup
  6. Select Server Settings under your new mail account
  7. Select Kerberos/GSSAPI as the Authentication Method, then click OK
  8. Click Get Mail and you will be presented to accept an SSL Certificate.
  9. Once you have accepted the SSL Certificate, you will see your test email you sent in the previous step.

Verify your authentication on the Dovecot server

# tail /var/log/maillog
Feb 10 13:31:22 mail01 dovecot: imap-login: Login: user=<>, method=GSSAPI, rip=, lip=, mpid=1835, TLS

If everything has worked successfully, you will see in your logs that your user has connected using the method GSSAPI and has validated their session over TLS.