diff --git a/Dockerfile b/Dockerfile
index 8bd6ca2..b1588a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,84 @@
+FROM alpine:3.8 as builder
+
+RUN apk --no-cache add \
+ rpcgen \
+ g++ \
+ make \
+ libressl \
+ libressl-dev \
+ lua-dev \
+ openldap-dev \
+ libsodium-dev \
+ linux-pam-dev \
+ zlib-dev \
+ bzip2-dev \
+ xz-dev \
+ lz4-dev \
+ icu-dev \
+ inotify-tools-dev
+
+RUN mkdir /tmp/dovecot
+RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
+
+RUN mkdir /tmp/pigeonhole
+RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1
+
+RUN cd /tmp/dovecot && \
+ ./configure --prefix '' \
+ --with-notify=inotify \
+ --with-lua \
+ --with-zlib \
+ --with-bzlib \
+ --with-pam \
+ --with-ssl=openssl \
+ --with-sodium \
+ --without-sql \
+ --with-ldap \
+ --with-lzma \
+ --with-lz4 \
+ --with-icu \
+ --without-shadow \
+ --with-ssldir=/etc/ssl/mail \
+ --with-rundir=/run/dovecot \
+ --disable-static && \
+ make && \
+ make install
+
+RUN cd /tmp/pigeonhole && \
+ ./configure --prefix '' \
+ --with-ldap=yes \
+ --with-dovecot=/lib/dovecot \
+ --disable-static && \
+ make && make install
+
 FROM thallian/confd-env:latest
-RUN apk add --no-cache \
- dovecot \
- dovecot-ldap \
- dovecot-pigeonhole-plugin \
- dovecot-pigeonhole-plugin-ldap \
+COPY --from=builder /lib/dovecot/ /lib/dovecot/
+COPY --from=builder /libexec/dovecot/ /libexec/dovecot/
+COPY --from=builder /bin/doveadm /bin/doveadm
+COPY --from=builder /bin/doveconf /bin/doveconf
+COPY --from=builder /bin/dsync /bin/dsync
+COPY --from=builder /sbin/dovecot /sbin/dovecot
+COPY --from=builder /bin/sieve* /bin/
+
+RUN apk --no-cache add \
+ libsodium \
+ libbz2 \
+ zlib \
+ lz4 \
+ linux-pam \
 libressl \
 ssmtp \
- ca-certificates
+ ca-certificates \
+ lua \
+ lua-ldap \
+ inotify-tools
+
+RUN addgroup -g 150 dovecot
+RUN adduser -u 140 -h /dev/null -H -s /sbin/nologin -D -G dovecot dovecot
+
+RUN addgroup -g 151 dovenull
+RUN adduser -u 141 -h /dev/null -H -s /sbin/nologin -D -G dovenull dovenull
 RUN addgroup -g 2222 access
 RUN addgroup dovecot access
@@ -15,11 +86,14 @@ RUN addgroup dovecot access
 RUN addgroup -g 1111 vmail
 RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
+RUN mkdir -p /etc/dovecot/conf.d
 RUN mkdir /var/lib/vmail/sieve-after/
-RUN chown vmail:vmail /var/lib/vmail/sieve-after/
+
+RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/
 EXPOSE 143 4190 6334 7777
 VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
 ADD /rootfs /
+
diff --git a/README.md b/README.md
index d99c1d5..9104bc1 100644
--- a/README.md
+++ b/README.md
@@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
 Whether to use starttls for the smtp relay.
-## LDAP_URI
-Complete uri for the authentication ldap host.
+## LDAP_HOST
+Ldap hostname (can include the port).
 ## LDAP_SIEVE_HOST
 Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
@@ -73,10 +73,11 @@ The ldap attribute which contains the sieve rules.
 Whether to use tls when connecting to the ldap host.
-## LDAP_DEFAULT_PASSSCHEME
-- default: SSHA
+## LDAP_APP_PASSWORDS_BASE_DN
+Base DN to look for app passwords for a user.
-Default password scheme used on the ldap host.
+## LDAP_APP_PASSWORDS_FILTER
+Specifies the filter on what counts as an app password.
 ## ALLOWED_USERNAME_CHARS
 - default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
@@ -84,7 +85,7 @@ Default password scheme used on the ldap host.
 List of characters allowed in a username.
 ## AUTH_MECHANISMS
-- default: plain login
+- default: plain
 Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
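Review bot: The two `wget -qO- … | tar -xz` steps (the dovecot-2.3.0.tar.gz and dovecot-2.3-pigeonhole-0.5.0.1.tar.gz downloads) build whatever the server returns with no integrity check, so a substituted or corrupted archive becomes the image's mail daemon without anything in the build noticing; the download should land in a file whose sha256 is compared against a value pinned in the Dockerfile before extraction. Because the pipeline runs under the default `/bin/sh -c`, a wget failure is only surfaced through tar's exit status, so `SHELL ["/bin/sh", "-o", "pipefail", "-c"]` at the top of the builder stage should precede these lines. The `--strip 2` on the dovecot archive versus `--strip 1` on pigeonhole looks deliberate but deserves a comment naming the archive layout it assumes, since a future version bump that changes the layout would break `./configure` in the next step.
```dockerfile
# Expected digests of the release archives (placeholders: fill in from the upstream release page).
ARG DOVECOT_SHA256=<sha256-of-dovecot-2.3.0.tar.gz>
ARG PIGEONHOLE_SHA256=<sha256-of-dovecot-2.3-pigeonhole-0.5.0.1.tar.gz>

RUN mkdir /tmp/dovecot && \
    wget -q -O /tmp/dovecot.tar.gz https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz && \
    echo "${DOVECOT_SHA256}  /tmp/dovecot.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/dovecot.tar.gz -C /tmp/dovecot --strip 2

RUN mkdir /tmp/pigeonhole && \
    wget -q -O /tmp/pigeonhole.tar.gz https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz && \
    echo "${PIGEONHOLE_SHA256}  /tmp/pigeonhole.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/pigeonhole.tar.gz -C /tmp/pigeonhole --strip 1

# … unchanged: configure / make / make install for both source trees …
```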
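Review bot: `RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/` now recurses, but it runs straight after the `mkdir` that creates the directory empty and before `ADD /rootfs /`, so at that point there is nothing beneath it to recurse into; if the `-R` was added because `/rootfs` now ships files into `sieve-after/`, those files will still arrive root-owned. Either move the chown below the `ADD` line, or bring that subtree in with `COPY --chown=vmail:vmail rootfs/var/lib/vmail/sieve-after/ /var/lib/vmail/sieve-after/` so ownership is set in the same layer that writes the files. The new `RUN mkdir -p /etc/dovecot/conf.d` and the existing `RUN mkdir /var/lib/vmail/sieve-after/` are one logical step and could share a single `RUN`.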
@@ -96,16 +97,19 @@ Name of the certificate domain.
 Length of the Diffie-Helman key in bits.
-## SSL_PROTOCOLS
-- default: !SSLv2 !SSLv3
+## SSL_MIN_PROTOCOL
+- default: TLSv1
-Space seperated list of allowed ssl protocols (`!`disables a protocol).
+Ssl minimum protocol version.
 ## SSL_CIPHERLIST
-- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
+- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 Colon seperated list of supported ciphers (`!`disables a cipher).
+Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
+of ciphers.
+
 ## IMAP_MAX_USER_CONNECTIONS
 - default: 10
diff --git a/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
new file mode 100644
index 0000000..07b70b0
--- /dev/null
+++ b/rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
@@ -0,0 +1,3 @@
+[template]
+src = "app-passwords-lookup.lua.tmpl"
+dest = "/etc/dovecot/app-passwords-lookup.lua"
diff --git a/rootfs/etc/confd/templates/10-auth.conf.tmpl b/rootfs/etc/confd/templates/10-auth.conf.tmpl
index e40f07c..f7c7b0f 100644
--- a/rootfs/etc/confd/templates/10-auth.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-auth.conf.tmpl
@@ -1,4 +1,4 @@
 auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
 auth_username_format = %Lu
-auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain login"}}
+auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
 !include auth-ldap.conf.ext
diff --git a/rootfs/etc/confd/templates/10-mail.conf.tmpl b/rootfs/etc/confd/templates/10-mail.conf.tmpl
index fb1f0f4..3c064c3 100644
--- a/rootfs/etc/confd/templates/10-mail.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-mail.conf.tmpl
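Review bot: Dropping `login` from the `auth_mechanisms` default in 10-auth.conf.tmpl is a client-compatibility change that nothing in the template records: clients that only offer AUTH LOGIN stop authenticating unless `AUTH_MECHANISMS` is set explicitly, and the README edit in this commit only states the new default. A one-line comment above the setting, `# Default is PLAIN only; set AUTH_MECHANISMS="plain login" if clients that only speak AUTH LOGIN must be supported`, makes the intent visible to operators reading the rendered config. Keep the README's `- default: plain` in step if the default is revisited.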
@@ -6,19 +6,21 @@ namespace inbox {
 auto = subscribe
 special_use = \Junk
 }
-
+
 mailbox Trash {
 auto = subscribe
 special_use = \Trash
 }
-
+
 mailbox Sent {
 auto = subscribe
 special_use = \Sent
 }
-
+
 mailbox Drafts {
 auto = subscribe
 special_use = \Drafts
 }
 }
+
+mail_plugin_dir = /lib/dovecot
diff --git a/rootfs/etc/confd/templates/10-ssl.conf.tmpl b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
index 3d11a67..34c079e 100644
--- a/rootfs/etc/confd/templates/10-ssl.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
@@ -1,7 +1,7 @@
 ssl = yes
 ssl_cert =
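Review bot: `mail_plugin_dir = /lib/dovecot` hard-codes the location that follows from the builder stage's `./configure --prefix ''` and the matching `COPY --from=builder /lib/dovecot/ /lib/dovecot/` in the Dockerfile, but nothing in the template says so; if the prefix or the copy destination ever changes, plugins (including the pigeonhole sieve plugin) will not be found at runtime. A comment such as `# Must match the install prefix of the Dockerfile builder stage (--prefix '') and its COPY destination` ties the two files together. The three whitespace-only `-`/`+` pairs earlier in this hunk are noise and could be left out of the commit.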