Merge branch 'next'
commit
08562ad823
88
Dockerfile
88
Dockerfile
@ -1,13 +1,84 @@
|
||||
FROM alpine:3.8 as builder
|
||||
|
||||
RUN apk --no-cache add \
|
||||
rpcgen \
|
||||
g++ \
|
||||
make \
|
||||
libressl \
|
||||
libressl-dev \
|
||||
lua-dev \
|
||||
openldap-dev \
|
||||
libsodium-dev \
|
||||
linux-pam-dev \
|
||||
zlib-dev \
|
||||
bzip2-dev \
|
||||
xz-dev \
|
||||
lz4-dev \
|
||||
icu-dev \
|
||||
inotify-tools-dev
|
||||
|
||||
RUN mkdir /tmp/dovecot
|
||||
RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
|
||||
|
||||
RUN mkdir /tmp/pigeonhole
|
||||
RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1
|
||||
|
||||
RUN cd /tmp/dovecot && \
|
||||
./configure --prefix '' \
|
||||
--with-notify=inotify \
|
||||
--with-lua \
|
||||
--with-zlib \
|
||||
--with-bzlib \
|
||||
--with-pam \
|
||||
--with-ssl=openssl \
|
||||
--with-sodium \
|
||||
--without-sql \
|
||||
--with-ldap \
|
||||
--with-lzma \
|
||||
--with-lz4 \
|
||||
--with-icu \
|
||||
--without-shadow \
|
||||
--with-ssldir=/etc/ssl/mail \
|
||||
--with-rundir=/run/dovecot \
|
||||
--disable-static && \
|
||||
make && \
|
||||
make install
|
||||
|
||||
RUN cd /tmp/pigeonhole && \
|
||||
./configure --prefix '' \
|
||||
--with-ldap=yes \
|
||||
--with-dovecot=/lib/dovecot \
|
||||
--disable-static && \
|
||||
make && make install
|
||||
|
||||
FROM thallian/confd-env:latest
|
||||
|
||||
RUN apk add --no-cache \
|
||||
dovecot \
|
||||
dovecot-ldap \
|
||||
dovecot-pigeonhole-plugin \
|
||||
dovecot-pigeonhole-plugin-ldap \
|
||||
COPY --from=builder /lib/dovecot/ /lib/dovecot/
|
||||
COPY --from=builder /libexec/dovecot/ /libexec/dovecot/
|
||||
COPY --from=builder /bin/doveadm /bin/doveadm
|
||||
COPY --from=builder /bin/doveconf /bin/doveconf
|
||||
COPY --from=builder /bin/dsync /bin/dsync
|
||||
COPY --from=builder /sbin/dovecot /sbin/dovecot
|
||||
COPY --from=builder /bin/sieve* /bin/
|
||||
|
||||
RUN apk --no-cache add \
|
||||
libsodium \
|
||||
libbz2 \
|
||||
zlib \
|
||||
lz4 \
|
||||
linux-pam \
|
||||
libressl \
|
||||
ssmtp \
|
||||
ca-certificates
|
||||
ca-certificates \
|
||||
lua \
|
||||
lua-ldap \
|
||||
inotify-tools
|
||||
|
||||
RUN addgroup -g 150 dovecot
|
||||
RUN adduser -u 140 -h /dev/null -H -s /sbin/nologin -D -G dovecot dovecot
|
||||
|
||||
RUN addgroup -g 151 dovenull
|
||||
RUN adduser -u 141 -h /dev/null -H -s /sbin/nologin -D -G dovenull dovenull
|
||||
|
||||
RUN addgroup -g 2222 access
|
||||
RUN addgroup dovecot access
|
||||
@ -15,11 +86,14 @@ RUN addgroup dovecot access
|
||||
RUN addgroup -g 1111 vmail
|
||||
RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
|
||||
|
||||
RUN mkdir -p /etc/dovecot/conf.d
|
||||
RUN mkdir /var/lib/vmail/sieve-after/
|
||||
RUN chown vmail:vmail /var/lib/vmail/sieve-after/
|
||||
|
||||
RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/
|
||||
|
||||
EXPOSE 143 4190 6334 7777
|
||||
|
||||
VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
|
||||
|
||||
ADD /rootfs /
|
||||
|
||||
|
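Review bot: The source tarballs fetched on the `RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar ...` line and the matching pigeonhole line are piped straight into tar with no checksum or signature verification, so the build's integrity rests entirely on the TLS connection and on whatever happens to be served at that URL at build time. Download to a file, check it against a pinned digest, then extract, e.g. `RUN wget -qO /tmp/dovecot.tar.gz https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz && echo "<SHA256_OF_DOVECOT_TARBALL>  /tmp/dovecot.tar.gz" | sha256sum -c - && tar -xzf /tmp/dovecot.tar.gz -C /tmp/dovecot --strip 1`, and the same for the pigeonhole tarball. The dovecot extraction uses `--strip 2` while pigeonhole uses `--strip 1`; if both tarballs carry a single top-level directory that difference looks like a typo and is worth confirming. I also recall the Lua auth backend arriving later in the 2.3 series than 2.3.0, so it is worth confirming that this tarball actually yields the `driver = lua` passdb that the new auth-ldap.conf.ext relies on.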
24
README.md
24
README.md
@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
|
||||
|
||||
Whether to use starttls for the smtp relay.
|
||||
|
||||
## LDAP_URI
|
||||
Complete uri for the authentication ldap host.
|
||||
## LDAP_HOST
|
||||
Ldap hostname (can include the port).
|
||||
|
||||
## LDAP_SIEVE_HOST
|
||||
Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
|
||||
@ -73,10 +73,11 @@ The ldap attribute which contains the sieve rules.
|
||||
|
||||
Whether to use tls when connecting to the ldap host.
|
||||
|
||||
## LDAP_DEFAULT_PASSSCHEME
|
||||
- default: SSHA
|
||||
## LDAP_APP_PASSWORDS_BASE_DN
|
||||
Base DN to look for app passwords for a user.
|
||||
|
||||
Default password scheme used on the ldap host.
|
||||
## LDAP_APP_PASSWORDS_FILTER
|
||||
Specifies the filter on what counts as an app password.
|
||||
|
||||
## ALLOWED_USERNAME_CHARS
|
||||
- default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
||||
@ -84,7 +85,7 @@ Default password scheme used on the ldap host.
|
||||
List of characters allowed in a username.
|
||||
|
||||
## AUTH_MECHANISMS
|
||||
- default: plain login
|
||||
- default: plain
|
||||
|
||||
Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
|
||||
|
||||
@ -96,16 +97,19 @@ Name of the certificate domain.
|
||||
|
||||
Length of the Diffie-Helman key in bits.
|
||||
|
||||
## SSL_PROTOCOLS
|
||||
- default: !SSLv2 !SSLv3
|
||||
## SSL_MIN_PROTOCOL
|
||||
- default: TLSv1
|
||||
|
||||
Space seperated list of allowed ssl protocols (`!`disables a protocol).
|
||||
Ssl minimum protocol version.
|
||||
|
||||
## SSL_CIPHERLIST
|
||||
- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
|
||||
- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||
|
||||
Colon seperated list of supported ciphers (`!`disables a cipher).
|
||||
|
||||
Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
|
||||
of ciphers.
|
||||
|
||||
## IMAP_MAX_USER_CONNECTIONS
|
||||
- default: 10
|
||||
|
||||
|
3
rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
Normal file
3
rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
Normal file
@ -0,0 +1,3 @@
|
||||
[template]
|
||||
src = "app-passwords-lookup.lua.tmpl"
|
||||
dest = "/etc/dovecot/app-passwords-lookup.lua"
|
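Review bot: The rendered `/etc/dovecot/app-passwords-lookup.lua` will contain the LDAP bind password verbatim (the template interpolates `LDAP_BIND_PASSWORD` into a Lua string literal), but this stanza sets only `src` and `dest`, so confd creates the file with its default ownership and mode. Add confd's `mode = "0600"` together with `owner`/`group` set to the account the Dovecot auth service runs as (check `service auth { user = ... }` in the shipped config), and treat the existing `dovecot-ldap.conf.ext` template the same way since it carries `dnpass`.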
@ -1,4 +1,4 @@
|
||||
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
|
||||
auth_username_format = %Lu
|
||||
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain login"}}
|
||||
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
|
||||
!include auth-ldap.conf.ext
|
||||
|
@ -6,19 +6,21 @@ namespace inbox {
|
||||
auto = subscribe
|
||||
special_use = \Junk
|
||||
}
|
||||
|
||||
|
||||
mailbox Trash {
|
||||
auto = subscribe
|
||||
special_use = \Trash
|
||||
}
|
||||
|
||||
|
||||
mailbox Sent {
|
||||
auto = subscribe
|
||||
special_use = \Sent
|
||||
}
|
||||
|
||||
|
||||
mailbox Drafts {
|
||||
auto = subscribe
|
||||
special_use = \Drafts
|
||||
}
|
||||
}
|
||||
|
||||
mail_plugin_dir = /lib/dovecot
|
||||
|
@ -1,7 +1,7 @@
|
||||
ssl = yes
|
||||
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
|
||||
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
|
||||
ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}}
|
||||
ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}}
|
||||
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}}
|
||||
ssl_dh=</etc/ssl/mail/dh.pem
|
||||
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
|
||||
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
|
||||
ssl_prefer_server_ciphers = yes
|
||||
|
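Review bot: The new default `ssl_min_protocol = TLSv1` still admits TLS 1.0 and 1.1; unless legacy IMAP clients are a known requirement, `ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}` is the safer default, with the README default updated to match. The default on the new `ssl_cipher_list` line ends with a trailing space inside the quotes (`!LOW@STRENGTH "`), which the README's documented default does not have; drop it so the rendered value is identical to the documented one. `ssl_dh=</etc/ssl/mail/dh.pem` now depends on a file that only exists after the `02-dhparam` init script has run, so the ordering of that script relative to Dovecot startup is what keeps the first boot from failing.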
55
rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
Normal file
55
rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
Normal file
@ -0,0 +1,55 @@
|
||||
require "lualdap"
|
||||
|
||||
function auth_passdb_lookup(req)
|
||||
local ldap_host = "{{ getenv "LDAP_HOST" }}"
|
||||
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
|
||||
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
|
||||
local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
|
||||
|
||||
ld = assert (lualdap.open_simple(
|
||||
ldap_host,
|
||||
ldap_bin_dn,
|
||||
ldap_bind_password,
|
||||
ldap_use_tls))
|
||||
|
||||
local username = req.user
|
||||
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
|
||||
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
|
||||
local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
|
||||
|
||||
local user_count = 0
|
||||
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
|
||||
user_count = user_count + 1
|
||||
end
|
||||
|
||||
local return_code = dovecot.auth.PASSDB_RESULT_NEXT
|
||||
local return_text = ""
|
||||
|
||||
local user_exists = user_count == 1
|
||||
if user_exists then
|
||||
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
|
||||
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
|
||||
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
|
||||
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
|
||||
|
||||
local user_password = req.password
|
||||
|
||||
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
|
||||
req:log_info(string.format("trying %s...", dn))
|
||||
|
||||
local test_conn = lualdap.open_simple(
|
||||
ldap_host,
|
||||
dn,
|
||||
user_password,
|
||||
ldap_use_tls)
|
||||
if test_conn ~= nil then
|
||||
req:log_info(string.format("%s suceeded!", dn))
|
||||
return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
|
||||
end
|
||||
end
|
||||
else
|
||||
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
|
||||
end
|
||||
|
||||
return return_code, return_text
|
||||
end
|
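Review bot: `req.user` is spliced into the LDAP search filter on the `ldap_pass_filter:gsub("%%u", username)` line and into a DN on the `app_base_dn:gsub("%%u", username)` line without escaping, so a username containing `*`, `(`, `)` or `\` changes the meaning of the filter, and one containing `%` is treated by gsub as a replacement back-reference and can raise an error; the default `auth_username_chars` happens to exclude these characters, but that setting is operator-configurable and should not be the only guard. `ld` on the `ld = assert (lualdap.open_simple(` line is an accidental global, and neither it nor the per-attempt `test_conn` is ever closed, so every authentication leaks LDAP connections. An empty `req.password` is handed to `lualdap.open_simple` for each app-password DN; if the directory permits unauthenticated binds that path would return `PASSDB_RESULT_OK`, so empty credentials should be rejected before any bind is attempted. The rewrite below escapes the username per RFC 4515 (filter) and RFC 4514 (DN), passes a function to gsub so `%` is never special, makes `ld` local and closes both connections; the lines not shown are unchanged.
```lua
require "lualdap"

-- Escape a value for use inside an LDAP search filter (RFC 4515).
local function ldap_filter_escape(value)
  return (value:gsub("[\\%*%(%)]", function(c)
    return string.format("\\%02x", c:byte())
  end))
end

-- Escape a value for use inside an LDAP distinguished name (RFC 4514).
local function ldap_dn_escape(value)
  return (value:gsub('[\\,%+"<>;#=]', function(c)
    return "\\" .. c
  end))
end

function auth_passdb_lookup(req)
  -- … unchanged: ldap_host / ldap_bin_dn / ldap_bind_password / ldap_use_tls …

  local username = req.user
  local user_password = req.password
  -- Reject empty credentials before any bind: an empty password must never be
  -- able to turn into an unauthenticated bind that "succeeds".
  if username == nil or username == "" or user_password == nil or user_password == "" then
    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "empty credentials"
  end
  -- Escaped once here; the gsub replacements below are functions so a "%" in
  -- the username can never be read as a back-reference.
  local filter_user = ldap_filter_escape(username)
  local dn_user = ldap_dn_escape(username)

  local ld = assert(lualdap.open_simple(ldap_host, ldap_bin_dn, ldap_bind_password, ldap_use_tls))

  local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
  local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", function() return filter_user end)
  local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"

  local user_count = 0
  for _ in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
    user_count = user_count + 1
  end

  if user_count ~= 1 then
    ld:close()
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end

  local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
  local app_base_dn_formatted = app_base_dn:gsub("%%u", function() return dn_user end)
  local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"

  for dn in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
    req:log_info(string.format("trying %s...", dn))
    local test_conn = lualdap.open_simple(ldap_host, dn, user_password, ldap_use_tls)
    if test_conn ~= nil then
      test_conn:close()
      ld:close()
      req:log_info(string.format("%s suceeded!", dn))
      return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
    end
  end

  ld:close()
  return dovecot.auth.PASSDB_RESULT_NEXT, ""
end
```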
@ -3,6 +3,11 @@ passdb {
|
||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||
}
|
||||
|
||||
passdb {
|
||||
driver = lua
|
||||
args = file=/etc/dovecot/app-passwords-lookup.lua
|
||||
}
|
||||
|
||||
userdb {
|
||||
driver = static
|
||||
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
|
||||
|
@ -1,4 +1,4 @@
|
||||
uris = {{getenv "LDAP_URI"}}
|
||||
uris = ldap://{{getenv "LDAP_HOST"}}
|
||||
dn = {{getenv "LDAP_BIND_DN"}}
|
||||
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
|
||||
tls = {{getenv "LDAP_USE_TLS" "yes"}}
|
||||
|
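Review bot: With the URI now fixed to `uris = ldap://{{getenv "LDAP_HOST"}}`, transport security depends entirely on the STARTTLS setting `tls = {{getenv "LDAP_USE_TLS" "yes"}}` and the `ldaps://` option the old `LDAP_URI` form allowed is gone; that is acceptable on its own, but the Lua template added in this same commit evaluates `LDAP_USE_TLS` with no default (`{{ if eq (getenv "LDAP_USE_TLS") "yes" }}`), so an unset variable yields STARTTLS here and a cleartext bind with the same `dnpass` from the Lua passdb. Give the template the same default, `{{ if eq (getenv "LDAP_USE_TLS" "yes") "yes" }}`, so both code paths agree.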
5
rootfs/etc/cont-init.d/02-dhparam
Normal file
5
rootfs/etc/cont-init.d/02-dhparam
Normal file
@ -0,0 +1,5 @@
|
||||
#!/usr/bin/with-contenv sh
|
||||
|
||||
if [ ! -f /etc/ssl/mail/dh.pem ]; then
|
||||
openssl dhparam -out /etc/ssl/mail/dh.pem ${SSL_DH_LENGTH:-2048}
|
||||
fi
|
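Review bot: `${SSL_DH_LENGTH:-2048}` is expanded unquoted into the `openssl dhparam` command and never validated, and the script has no `set -e`, so a malformed value makes the generation fail without stopping the init sequence and Dovecot later starts without the `dh.pem` that `ssl_dh` now requires. Quote it and fail loudly: `set -e` after the shebang and `openssl dhparam -out /etc/ssl/mail/dh.pem "${SSL_DH_LENGTH:-2048}"`. Generating DH parameters on first boot can take several minutes at 2048 bits and considerably longer at 4096, which deserves a sentence in the README next to `SSL_DH_LENGTH`.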
@ -1 +1 @@
|
||||
/var/lib/vmail/mail true vmail 0640 0750
|
||||
/var/lib/vmail/mail true vmail 0640 0750
|
||||
|