use oauth2

Sebastian Hugentobler 2021-08-22 22:45:28 +02:00
parent 970448f2dc
commit 076b6ba503
Signed by: shu
GPG Key ID: BB32CF3CA052C2F0
16 changed files with 26 additions and 99 deletions


@ -7,7 +7,6 @@ RUN apk --no-cache add \
openssl \ openssl \
openssl-dev \ openssl-dev \
lua-dev \ lua-dev \
openldap-dev \
libsodium-dev \ libsodium-dev \
linux-pam-dev \ linux-pam-dev \
zlib-dev \ zlib-dev \
@ -41,7 +40,6 @@ RUN cd /tmp/dovecot && \
--with-ssl=openssl \ --with-ssl=openssl \
--with-sodium \ --with-sodium \
--without-sql \ --without-sql \
--with-ldap \
--with-lzma \ --with-lzma \
--with-lz4 \ --with-lz4 \
--with-icu \ --with-icu \
@ -54,7 +52,6 @@ RUN cd /tmp/dovecot && \
RUN cd /tmp/pigeonhole && \ RUN cd /tmp/pigeonhole && \
./configure --prefix '' \ ./configure --prefix '' \
--with-ldap=yes \
--with-dovecot=/lib/dovecot \ --with-dovecot=/lib/dovecot \
--disable-static && \ --disable-static && \
make && make install make && make install
@ -79,7 +76,6 @@ RUN apk --no-cache add \
ssmtp \ ssmtp \
ca-certificates \ ca-certificates \
lua \ lua \
lua-ldap \
inotify-tools inotify-tools
RUN addgroup -g 150 dovecot RUN addgroup -g 150 dovecot


@ -1,3 +0,0 @@
#!/usr/bin/with-contenv sh
s6-svc -t /var/run/s6/services/dovecot


@ -1,3 +0,0 @@
[template]
src = "app-passwords-lookup.lua.tmpl"
dest = "/etc/dovecot/app-passwords-lookup.lua"


@ -1,3 +0,0 @@
[template]
src = "auth-ldap.conf.ext.tmpl"
dest = "/etc/dovecot/conf.d/auth-ldap.conf.ext"


@ -0,0 +1,3 @@
[template]
src = "auth-oauth2.conf.ext.tmpl"
dest = "/etc/dovecot/conf.d/auth-oauth2.conf.ext"


@ -1,3 +0,0 @@
[template]
src = "dovecot-ldap.conf.ext.tmpl"
dest = "/etc/dovecot/dovecot-ldap.conf.ext"


@ -0,0 +1,3 @@
[template]
src = "dovecot-oauth2.conf.ext.tmpl"
dest = "/etc/dovecot/dovecot-oauth2.conf.ext"


@ -1,4 +1,4 @@
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}} auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
auth_username_format = %Lu auth_username_format = %Lu
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}} auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
!include auth-ldap.conf.ext !include auth-oauth2.conf.ext
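Review bot: The newly included auth-oauth2.conf.ext (later section) restricts its only passdb to `mechanisms = xoauth2 oauthbearer`, while `auth_mechanisms` on the line above still defaults to `plain`; with that default no enabled mechanism has a passdb behind it, so logins presumably fail until AUTH_MECHANISMS is overridden, and nothing in the commit records that requirement. Either change the default to match the new passdb, `auth_mechanisms = {{getenv "AUTH_MECHANISMS" "xoauth2 oauthbearer"}}`, or document the value operators must now set.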


@ -1,6 +1,6 @@
ssl = yes ssl = yes
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt ssl_cert = </etc/ssl/mail/tls.crt
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key ssl_key = </etc/ssl/mail/tls.key
ssl_dh=</etc/ssl/mail/dh.pem ssl_dh=</etc/ssl/mail/dh.pem
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}} ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}} ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
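Review bot: The switch to the fixed `tls.crt`/`tls.key` paths goes together with removing the inotify rule on `/etc/ssl/mail` and the restart-services script (second and last sections), so nothing reloads Dovecot when the certificate is renewed. Dovecot reads `<`-prefixed files while loading its configuration, so a rotated tls.crt/tls.key is served only after `doveadm reload` or a restart, and the old file keeps being presented until then. If the new paths are mounted from a secret that rotates in place, keep a watcher or note in the README that the surrounding platform is now responsible for the reload.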


@ -3,6 +3,6 @@ protocol sieve {
} }
plugin { plugin {
sieve = ldap:/etc/dovecot/sieve-ldap.conf;bindir=~/.sieve-bin/ sieve = bindir=~/.sieve-bin/
sieve_after = /var/lib/vmail/sieve-after/ sieve_after = /var/lib/vmail/sieve-after/
} }
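Review bot: `sieve = bindir=~/.sieve-bin/` on the plugin line removes the script location but keeps only the option; Pigeonhole takes the text before the first `;` as the location, so this value is most likely read as a literal script path named `bindir=~/.sieve-bin/` rather than as the bindir option. If per-user scripts should still work, spell out the location, e.g. `sieve = file:~/.dovecot.sieve;bindir=~/.sieve-bin/`; if personal scripts are no longer wanted, dropping the `sieve` line and relying on `sieve_after` alone would state that intent more clearly.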


@ -1,55 +0,0 @@
require "lualdap"
function auth_passdb_lookup(req)
local ldap_host = "{{ getenv "LDAP_HOST" }}"
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
ld = assert (lualdap.open_simple(
ldap_host,
ldap_bin_dn,
ldap_bind_password,
ldap_use_tls))
local username = req.user
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
local user_count = 0
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
user_count = user_count + 1
end
local return_code = dovecot.auth.PASSDB_RESULT_NEXT
local return_text = ""
local user_exists = user_count == 1
if user_exists then
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
local user_password = req.password
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
req:log_info(string.format("trying %s...", dn))
local test_conn = lualdap.open_simple(
ldap_host,
dn,
user_password,
ldap_use_tls)
if test_conn ~= nil then
req:log_info(string.format("%s suceeded!", dn))
return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
end
end
else
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
end
return return_code, return_text
end


@ -1,14 +0,0 @@
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
passdb {
driver = lua
args = file=/etc/dovecot/app-passwords-lookup.lua
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
}


@ -0,0 +1,10 @@
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
}
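Review bot: The `userdb { driver = static }` block keeps its pre-commit args, but the passdb in front of it is now oauth2, which cannot answer a credentials lookup without a bearer token; Dovecot's static userdb verifies that a user exists through the passdb by default, so userdb lookups that carry no token (LMTP/LDA delivery, `doveadm user`) are likely to fail now that the ldap passdb is gone. If every address under the served domains should be accepted, say so explicitly on the args line: `args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n allow_all_users=yes`.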


@ -1,9 +0,0 @@
uris = ldap://{{getenv "LDAP_HOST"}}
dn = {{getenv "LDAP_BIND_DN"}}
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
tls = {{getenv "LDAP_USE_TLS" "yes"}}
auth_bind = yes
base = {{getenv "LDAP_BASE_DN"}}
scope = {{getenv "LDAP_SCOPE" "subtree"}}
pass_attrs = {{getenv "LDAP_USER_ATTRIBUTE" "cn"}}=user,{{getenv "LDAP_PASSWORD_ATTRIBUTE" "userPassword"}}=password
pass_filter = {{getenv "LDAP_PASS_FILTER"}}


@ -0,0 +1,6 @@
tokeninfo_url = {{ getenv "TOKENINFO_URL" }}
introspection_url = {{ getenv "INTROSPECTION_URL" }}
#force_introspection = yes
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
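Review bot: The new dovecot-oauth2.conf.ext sets no `active_attribute`/`active_value`, so an introspection response that marks the token inactive but still carries an `email` field would be accepted as long as that attribute is present; add `active_attribute = active` and `active_value = true` so the RFC 7662 `active` flag is checked. `username_attribute = email` also makes the mailbox a client lands in whatever email the identity provider asserts, so the provider must only issue tokens whose email claim is verified and unique, or a stable subject identifier should be mapped instead. Both `tokeninfo_url` and `introspection_url` render as empty values when their environment variables are unset, which is worth guarding at template time with a `required`-style check or a comment in the README.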


@ -1 +0,0 @@
/etc/ssl/mail IN_ATTRIB /bin/restart-services