use oauth2
This commit is contained in:
parent
970448f2dc
commit
076b6ba503
@ -7,7 +7,6 @@ RUN apk --no-cache add \
|
||||
openssl \
|
||||
openssl-dev \
|
||||
lua-dev \
|
||||
openldap-dev \
|
||||
libsodium-dev \
|
||||
linux-pam-dev \
|
||||
zlib-dev \
|
||||
@ -41,7 +40,6 @@ RUN cd /tmp/dovecot && \
|
||||
--with-ssl=openssl \
|
||||
--with-sodium \
|
||||
--without-sql \
|
||||
--with-ldap \
|
||||
--with-lzma \
|
||||
--with-lz4 \
|
||||
--with-icu \
|
||||
@ -54,7 +52,6 @@ RUN cd /tmp/dovecot && \
|
||||
|
||||
RUN cd /tmp/pigeonhole && \
|
||||
./configure --prefix '' \
|
||||
--with-ldap=yes \
|
||||
--with-dovecot=/lib/dovecot \
|
||||
--disable-static && \
|
||||
make && make install
|
||||
@ -79,7 +76,6 @@ RUN apk --no-cache add \
|
||||
ssmtp \
|
||||
ca-certificates \
|
||||
lua \
|
||||
lua-ldap \
|
||||
inotify-tools
|
||||
|
||||
RUN addgroup -g 150 dovecot
|
||||
|
@ -1,3 +0,0 @@
|
||||
#!/usr/bin/with-contenv sh
|
||||
|
||||
s6-svc -t /var/run/s6/services/dovecot
|
@ -1,3 +0,0 @@
|
||||
[template]
|
||||
src = "app-passwords-lookup.lua.tmpl"
|
||||
dest = "/etc/dovecot/app-passwords-lookup.lua"
|
@ -1,3 +0,0 @@
|
||||
[template]
|
||||
src = "auth-ldap.conf.ext.tmpl"
|
||||
dest = "/etc/dovecot/conf.d/auth-ldap.conf.ext"
|
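--- a/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "auth-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/conf.d/auth-oauth2.conf.ext"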
@ -1,3 +0,0 @@
|
||||
[template]
|
||||
src = "dovecot-ldap.conf.ext.tmpl"
|
||||
dest = "/etc/dovecot/dovecot-ldap.conf.ext"
|
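--- a/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
@@ -0,0 +1,3 @@
+[template]
+src = "dovecot-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/dovecot-oauth2.conf.ext"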
@ -1,4 +1,4 @@
|
||||
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
|
||||
auth_username_format = %Lu
|
||||
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
|
||||
!include auth-ldap.conf.ext
|
||||
!include auth-oauth2.conf.ext
|
||||
|
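Review bot: The unchanged `auth_mechanisms` default no longer fits the passdb this hunk now includes: the added `!include auth-oauth2.conf.ext` brings in a passdb bound to `xoauth2 oauthbearer` (per the new auth-oauth2.conf.ext.tmpl in this commit), while `auth_mechanisms` still defaults to `plain`, so a deployment that leaves AUTH_MECHANISMS unset advertises only PLAIN and, with the LDAP passdb removed, has no passdb left that can serve it. Change the default to `auth_mechanisms = {{getenv "AUTH_MECHANISMS" "xoauth2 oauthbearer"}}`, or document that AUTH_MECHANISMS is now mandatory. Since OAUTHBEARER/XOAUTH2 carry the bearer token in the SASL exchange, it is also worth confirming that plaintext-auth is disabled on non-TLS connections elsewhere in the config; that setting is not visible in this diff.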
@ -1,6 +1,6 @@
|
||||
ssl = yes
|
||||
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
|
||||
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
|
||||
ssl_cert = </etc/ssl/mail/tls.crt
|
||||
ssl_key = </etc/ssl/mail/tls.key
|
||||
ssl_dh=</etc/ssl/mail/dh.pem
|
||||
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
|
||||
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
|
||||
|
@ -3,6 +3,6 @@ protocol sieve {
|
||||
}
|
||||
|
||||
plugin {
|
||||
sieve = ldap:/etc/dovecot/sieve-ldap.conf;bindir=~/.sieve-bin/
|
||||
sieve = bindir=~/.sieve-bin/
|
||||
sieve_after = /var/lib/vmail/sieve-after/
|
||||
}
|
||||
|
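Review bot: The new `sieve = bindir=~/.sieve-bin/` line looks malformed: Pigeonhole reads the `sieve` setting as a script location (`[type:]path`) followed by `;option=value` pairs, so with no location in front the whole value is presumably taken as a relative script path literally named `bindir=~/.sieve-bin/` instead of as the `bindir` option. If the intent is just to drop the LDAP script storage while keeping per-user scripts and the compiled-binary directory, keep a location first, e.g. `sieve = file:~/sieve;active=~/.dovecot.sieve;bindir=~/.sieve-bin/`. I am inferring the intended behaviour from the removed `ldap:` line; please check the result with `doveconf -n` and a test user before merging.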
@ -1,55 +0,0 @@
|
||||
require "lualdap"
|
||||
|
||||
function auth_passdb_lookup(req)
|
||||
local ldap_host = "{{ getenv "LDAP_HOST" }}"
|
||||
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
|
||||
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
|
||||
local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
|
||||
|
||||
ld = assert (lualdap.open_simple(
|
||||
ldap_host,
|
||||
ldap_bin_dn,
|
||||
ldap_bind_password,
|
||||
ldap_use_tls))
|
||||
|
||||
local username = req.user
|
||||
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
|
||||
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
|
||||
local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
|
||||
|
||||
local user_count = 0
|
||||
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
|
||||
user_count = user_count + 1
|
||||
end
|
||||
|
||||
local return_code = dovecot.auth.PASSDB_RESULT_NEXT
|
||||
local return_text = ""
|
||||
|
||||
local user_exists = user_count == 1
|
||||
if user_exists then
|
||||
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
|
||||
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
|
||||
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
|
||||
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
|
||||
|
||||
local user_password = req.password
|
||||
|
||||
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
|
||||
req:log_info(string.format("trying %s...", dn))
|
||||
|
||||
local test_conn = lualdap.open_simple(
|
||||
ldap_host,
|
||||
dn,
|
||||
user_password,
|
||||
ldap_use_tls)
|
||||
if test_conn ~= nil then
|
||||
req:log_info(string.format("%s suceeded!", dn))
|
||||
return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
|
||||
end
|
||||
end
|
||||
else
|
||||
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
|
||||
end
|
||||
|
||||
return return_code, return_text
|
||||
end
|
@ -1,14 +0,0 @@
|
||||
passdb {
|
||||
driver = ldap
|
||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = lua
|
||||
args = file=/etc/dovecot/app-passwords-lookup.lua
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
|
||||
}
|
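--- a/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
@@ -0,0 +1,10 @@
+passdb {
+driver = oauth2
+mechanisms = xoauth2 oauthbearer
+args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
+
+userdb {
+driver = static
+args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
+}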
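Review bot: The static userdb in this new file deserves a comment, because with `driver = static` nothing independently checks that an account exists: every username the oauth2 passdb accepts is mapped to `/var/lib/vmail/mail/%d/%n`, so account existence is effectively delegated to the token issuer. If that is intended, say so above the userdb block: `# static userdb: account existence is delegated entirely to the OAuth2 issuer; any validated token maps to a home under /var/lib/vmail/mail/%d/%n`. A one-line header noting that this passdb is reachable only through XOAUTH2/OAUTHBEARER, which must therefore appear in `auth_mechanisms` in 10-auth.conf, would also save the next maintainer a debugging session.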
@ -1,9 +0,0 @@
|
||||
uris = ldap://{{getenv "LDAP_HOST"}}
|
||||
dn = {{getenv "LDAP_BIND_DN"}}
|
||||
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
|
||||
tls = {{getenv "LDAP_USE_TLS" "yes"}}
|
||||
auth_bind = yes
|
||||
base = {{getenv "LDAP_BASE_DN"}}
|
||||
scope = {{getenv "LDAP_SCOPE" "subtree"}}
|
||||
pass_attrs = {{getenv "LDAP_USER_ATTRIBUTE" "cn"}}=user,{{getenv "LDAP_PASSWORD_ATTRIBUTE" "userPassword"}}=password
|
||||
pass_filter = {{getenv "LDAP_PASS_FILTER"}}
|
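--- a/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
@@ -0,0 +1,6 @@
+tokeninfo_url = {{ getenv "TOKENINFO_URL" }}
+introspection_url = {{ getenv "INTROSPECTION_URL" }}
+#force_introspection = yes
+username_attribute = email
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+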
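Review bot: The new token-validation config only requires that the tokeninfo/introspection response carries an `email` attribute; it sets no `active_attribute`/`active_value`, `issuers` or `scope`, so nothing in this file enforces that an introspected token is still active or was issued by the expected authorization server, and the `#force_introspection = yes` line is left commented out. For RFC 7662 introspection at `introspection_url`, add `active_attribute = active` and `active_value = true`, and pin the issuer (e.g. `issuers = https://idp.example`) if the response exposes it. `TOKENINFO_URL` and `INTROSPECTION_URL` are read with no default, so an unset variable renders an empty `tokeninfo_url =` rather than failing at template time; either document both as mandatory in the image README or give them a value that makes the misconfiguration obvious. Finally, Dovecot presumably appends the raw access token to `tokeninfo_url`, which means the token lands in request logs of any proxy in front of the issuer — prefer `introspection_url` with forced introspection if that is a concern.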
@ -1 +0,0 @@
|
||||
/etc/ssl/mail IN_ATTRIB /bin/restart-services
|