use oauth2

2021-08-22 22:45:28 +02:00 · 2021-08-22 22:45:28 +02:00 · 076b6ba503
commit 076b6ba503
parent 970448f2dc
16 changed files with 26 additions and 99 deletions
--- a/4
+++ b/4
@ -7,7 +7,6 @@ RUN apk --no-cache add \
    openssl \
    openssl-dev \
    lua-dev \
-    openldap-dev \
    libsodium-dev \
    linux-pam-dev \
    zlib-dev \
@ -41,7 +40,6 @@ RUN cd /tmp/dovecot && \
    --with-ssl=openssl \
    --with-sodium \
    --without-sql \
-    --with-ldap \
    --with-lzma \
    --with-lz4 \
    --with-icu \
@ -54,7 +52,6 @@ RUN cd /tmp/dovecot && \

 RUN cd /tmp/pigeonhole && \
    ./configure --prefix '' \
-    --with-ldap=yes \
    --with-dovecot=/lib/dovecot \
    --disable-static && \
    make && make install
@ -79,7 +76,6 @@ RUN apk --no-cache add \
    ssmtp \
    ca-certificates \
    lua \
-    lua-ldap \
    inotify-tools

 RUN addgroup -g 150 dovecot
--- a/rootfs/bin/restart-services
+++ b/rootfs/bin/restart-services
@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-s6-svc -t /var/run/s6/services/dovecot
--- a/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
+++ b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
@ -1,3 +0,0 @@
-[template]
-src = "app-passwords-lookup.lua.tmpl"
-dest = "/etc/dovecot/app-passwords-lookup.lua"
--- a/rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/auth-ldap.conf.ext.toml
@ -1,3 +0,0 @@
-[template]
-src = "auth-ldap.conf.ext.tmpl"
-dest = "/etc/dovecot/conf.d/auth-ldap.conf.ext"
--- a/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/auth-oauth2.conf.ext.toml
@ -0,0 +1,3 @@
+[template]
+src = "auth-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/conf.d/auth-oauth2.conf.ext"
--- a/rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/dovecot-ldap.conf.ext.toml
@ -1,3 +0,0 @@
-[template]
-src = "dovecot-ldap.conf.ext.tmpl"
-dest = "/etc/dovecot/dovecot-ldap.conf.ext"
--- a/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
+++ b/rootfs/etc/confd/conf.d/dovecot-oauth2.conf.ext.toml
@ -0,0 +1,3 @@
+[template]
+src = "dovecot-oauth2.conf.ext.tmpl"
+dest = "/etc/dovecot/dovecot-oauth2.conf.ext"
--- a/rootfs/etc/confd/templates/10-auth.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-auth.conf.tmpl
@ -1,4 +1,4 @@
 auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
 auth_username_format = %Lu
 auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
-!include auth-ldap.conf.ext
+!include auth-oauth2.conf.ext
--- a/rootfs/etc/confd/templates/10-ssl.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
@ -1,6 +1,6 @@
 ssl = yes
-ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
-ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
+ssl_cert = </etc/ssl/mail/tls.crt
+ssl_key = </etc/ssl/mail/tls.key
 ssl_dh=</etc/ssl/mail/dh.pem
 ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
 ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
--- a/rootfs/etc/confd/templates/90-sieve.conf.tmpl
+++ b/rootfs/etc/confd/templates/90-sieve.conf.tmpl
@ -3,6 +3,6 @@ protocol sieve {
 }

 plugin {
-  sieve = ldap:/etc/dovecot/sieve-ldap.conf;bindir=~/.sieve-bin/
+  sieve = bindir=~/.sieve-bin/
  sieve_after = /var/lib/vmail/sieve-after/
 }
--- a/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
+++ b/rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
@ -1,55 +0,0 @@
-require "lualdap"
-
-function auth_passdb_lookup(req)
-    local ldap_host = "{{ getenv "LDAP_HOST" }}"
-    local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
-    local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
-    local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
-
-    ld = assert (lualdap.open_simple(
-        ldap_host,
-        ldap_bin_dn,
-        ldap_bind_password,
-        ldap_use_tls))
-
-    local username = req.user
-    local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
-    local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
-    local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
-
-    local user_count = 0
-    for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
-        user_count = user_count + 1
-    end
-
-    local return_code = dovecot.auth.PASSDB_RESULT_NEXT
-    local return_text = ""
-
-    local user_exists = user_count == 1
-    if user_exists then
-        local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
-        local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
-        local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
-        local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
-
-        local user_password = req.password
-
-        for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
-            req:log_info(string.format("trying %s...", dn))
-
-            local test_conn = lualdap.open_simple(
-                ldap_host,
-                dn,
-                user_password,
-                ldap_use_tls)
-            if test_conn ~= nil then
-                req:log_info(string.format("%s suceeded!", dn))
-                return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
-            end
-        end
-    else
-        return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
-    end
-
-    return return_code, return_text
-end
--- a/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/auth-ldap.conf.ext.tmpl
@ -1,14 +0,0 @@
-passdb {
-  driver = ldap
-  args = /etc/dovecot/dovecot-ldap.conf.ext
-}
-
-passdb {
-   driver = lua
-   args = file=/etc/dovecot/app-passwords-lookup.lua
-}
-
-userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
-}
--- a/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/auth-oauth2.conf.ext.tmpl
@ -0,0 +1,10 @@
+passdb {
+  driver = oauth2
+  mechanisms = xoauth2 oauthbearer
+  args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
+
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
+}
--- a/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/dovecot-ldap.conf.ext.tmpl
@ -1,9 +0,0 @@
-uris = ldap://{{getenv "LDAP_HOST"}}
-dn = {{getenv "LDAP_BIND_DN"}}
-dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
-tls = {{getenv "LDAP_USE_TLS" "yes"}}
-auth_bind = yes
-base = {{getenv "LDAP_BASE_DN"}}
-scope = {{getenv "LDAP_SCOPE" "subtree"}}
-pass_attrs = {{getenv "LDAP_USER_ATTRIBUTE" "cn"}}=user,{{getenv "LDAP_PASSWORD_ATTRIBUTE" "userPassword"}}=password
-pass_filter = {{getenv "LDAP_PASS_FILTER"}}
--- a/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
+++ b/rootfs/etc/confd/templates/dovecot-oauth2.conf.ext.tmpl
@ -0,0 +1,6 @@
+tokeninfo_url = {{ getenv "TOKENINFO_URL" }}
+introspection_url = {{ getenv "INTROSPECTION_URL" }}
+#force_introspection = yes
+username_attribute = email
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+
--- a/rootfs/var/spool/incron/root
+++ b/rootfs/var/spool/incron/root
@ -1 +0,0 @@
-/etc/ssl/mail IN_ATTRIB /bin/restart-services
				`@ -1 +0,0 @@`
				`/etc/ssl/mail IN_ATTRIB /bin/restart-services`