Merge branch 'next'

This commit is contained in:
Sebastian Hugentobler 2018-11-26 19:27:27 +01:00
commit 08562ad823
11 changed files with 174 additions and 26 deletions


@ -1,13 +1,84 @@
FROM alpine:3.8 as builder
RUN apk --no-cache add \
rpcgen \
g++ \
make \
libressl \
libressl-dev \
lua-dev \
openldap-dev \
libsodium-dev \
linux-pam-dev \
zlib-dev \
bzip2-dev \
xz-dev \
lz4-dev \
icu-dev \
inotify-tools-dev
RUN mkdir /tmp/dovecot
RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
RUN mkdir /tmp/pigeonhole
RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1
RUN cd /tmp/dovecot && \
./configure --prefix '' \
--with-notify=inotify \
--with-lua \
--with-zlib \
--with-bzlib \
--with-pam \
--with-ssl=openssl \
--with-sodium \
--without-sql \
--with-ldap \
--with-lzma \
--with-lz4 \
--with-icu \
--without-shadow \
--with-ssldir=/etc/ssl/mail \
--with-rundir=/run/dovecot \
--disable-static && \
make && \
make install
RUN cd /tmp/pigeonhole && \
./configure --prefix '' \
--with-ldap=yes \
--with-dovecot=/lib/dovecot \
--disable-static && \
make && make install
FROM thallian/confd-env:latest FROM thallian/confd-env:latest
RUN apk add --no-cache \ COPY --from=builder /lib/dovecot/ /lib/dovecot/
dovecot \ COPY --from=builder /libexec/dovecot/ /libexec/dovecot/
dovecot-ldap \ COPY --from=builder /bin/doveadm /bin/doveadm
dovecot-pigeonhole-plugin \ COPY --from=builder /bin/doveconf /bin/doveconf
dovecot-pigeonhole-plugin-ldap \ COPY --from=builder /bin/dsync /bin/dsync
COPY --from=builder /sbin/dovecot /sbin/dovecot
COPY --from=builder /bin/sieve* /bin/
RUN apk --no-cache add \
libsodium \
libbz2 \
zlib \
lz4 \
linux-pam \
libressl \ libressl \
ssmtp \ ssmtp \
ca-certificates ca-certificates \
lua \
lua-ldap \
inotify-tools
RUN addgroup -g 150 dovecot
RUN adduser -u 140 -h /dev/null -H -s /sbin/nologin -D -G dovecot dovecot
RUN addgroup -g 151 dovenull
RUN adduser -u 141 -h /dev/null -H -s /sbin/nologin -D -G dovenull dovenull
RUN addgroup -g 2222 access RUN addgroup -g 2222 access
RUN addgroup dovecot access RUN addgroup dovecot access
@ -15,11 +86,14 @@ RUN addgroup dovecot access
RUN addgroup -g 1111 vmail RUN addgroup -g 1111 vmail
RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
RUN mkdir -p /etc/dovecot/conf.d
RUN mkdir /var/lib/vmail/sieve-after/ RUN mkdir /var/lib/vmail/sieve-after/
RUN chown vmail:vmail /var/lib/vmail/sieve-after/
RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/
EXPOSE 143 4190 6334 7777 EXPOSE 143 4190 6334 7777
VOLUME /var/lib/vmail/mail/ /etc/ssl/mail VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
ADD /rootfs / ADD /rootfs /
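Review bot: The two `wget -qO- … | tar -xz` steps at the top of the builder stage extract the Dovecot and Pigeonhole tarballs without any integrity check, so the image's contents depend on whatever the mirror serves at build time. Download to a file and compare against a pinned digest before extracting, e.g. `RUN wget -q https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz && echo "<sha256-of-release>  dovecot-2.3.0.tar.gz" | sha256sum -c && tar -xzf dovecot-2.3.0.tar.gz -C /tmp/dovecot --strip 2` (or verify the published signature), and the same for the Pigeonhole archive. The `--strip 2` for Dovecot versus `--strip 1` for Pigeonhole also looks asymmetric; if it is intentional because of the archive layout, a short comment on that line would spare the next reader the question.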


@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
Whether to use starttls for the smtp relay. Whether to use starttls for the smtp relay.
## LDAP_URI ## LDAP_HOST
Complete uri for the authentication ldap host. Ldap hostname (can include the port).
## LDAP_SIEVE_HOST ## LDAP_SIEVE_HOST
Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`). Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
@ -73,10 +73,11 @@ The ldap attribute which contains the sieve rules.
Whether to use tls when connecting to the ldap host. Whether to use tls when connecting to the ldap host.
## LDAP_DEFAULT_PASSSCHEME ## LDAP_APP_PASSWORDS_BASE_DN
- default: SSHA Base DN to look for app passwords for a user.
Default password scheme used on the ldap host. ## LDAP_APP_PASSWORDS_FILTER
Specifies the filter on what counts as an app password.
## ALLOWED_USERNAME_CHARS ## ALLOWED_USERNAME_CHARS
- default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ - default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
@ -84,7 +85,7 @@ Default password scheme used on the ldap host.
List of characters allowed in a username. List of characters allowed in a username.
## AUTH_MECHANISMS ## AUTH_MECHANISMS
- default: plain login - default: plain
Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms). Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
@ -96,16 +97,19 @@ Name of the certificate domain.
Length of the Diffie-Helman key in bits. Length of the Diffie-Helman key in bits.
## SSL_PROTOCOLS ## SSL_MIN_PROTOCOL
- default: !SSLv2 !SSLv3 - default: TLSv1
Space seperated list of allowed ssl protocols (`!`disables a protocol). Ssl minimum protocol version.
## SSL_CIPHERLIST ## SSL_CIPHERLIST
- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM - default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
Colon seperated list of supported ciphers (`!`disables a cipher). Colon seperated list of supported ciphers (`!`disables a cipher).
Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
of ciphers.
## IMAP_MAX_USER_CONNECTIONS ## IMAP_MAX_USER_CONNECTIONS
- default: 10 - default: 10


@ -0,0 +1,3 @@
[template]
src = "app-passwords-lookup.lua.tmpl"
dest = "/etc/dovecot/app-passwords-lookup.lua"
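Review bot: The rendered `/etc/dovecot/app-passwords-lookup.lua` embeds `LDAP_BIND_PASSWORD` as a string literal (see the Lua template in this commit), but this resource sets no `mode` or `owner`, so the file is written with confd's default permissions. Restrict it to the account the Dovecot auth process runs under, e.g. add `mode = "0640"`, `owner = "root"` and `group = "dovecot"` after the `dest` line, confirming the group against the auth service's actual user in this image. The same consideration applies to the existing `dovecot-ldap.conf.ext` template, which carries `dnpass`.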


@ -1,4 +1,4 @@
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}} auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
auth_username_format = %Lu auth_username_format = %Lu
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain login"}} auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
!include auth-ldap.conf.ext !include auth-ldap.conf.ext


@ -22,3 +22,5 @@ namespace inbox {
special_use = \Drafts special_use = \Drafts
} }
} }
mail_plugin_dir = /lib/dovecot


@ -1,7 +1,7 @@
ssl = yes ssl = yes
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}} ssl_dh=</etc/ssl/mail/dh.pem
ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}} ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}} ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
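Review bot: The new default `ssl_min_protocol = TLSv1` on the fifth line still accepts TLS 1.0 and 1.1; Dovecot 2.3 takes `TLSv1.2` as a minimum, so a safer default is `ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}`, leaving deployments that must serve older clients to lower it explicitly. The `SSL_CIPHERLIST` default on the next line ends with a trailing space inside the quotes (`…!LOW@STRENGTH "`), which differs from the value documented in the README and is passed through verbatim to `ssl_cipher_list`; drop the space. `ssl_dh=</etc/ssl/mail/dh.pem` now depends on the new init script having produced that file before Dovecot starts, which is worth a comment on that line.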


@ -0,0 +1,55 @@
require "lualdap"
function auth_passdb_lookup(req)
local ldap_host = "{{ getenv "LDAP_HOST" }}"
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
ld = assert (lualdap.open_simple(
ldap_host,
ldap_bin_dn,
ldap_bind_password,
ldap_use_tls))
local username = req.user
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
local user_count = 0
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
user_count = user_count + 1
end
local return_code = dovecot.auth.PASSDB_RESULT_NEXT
local return_text = ""
local user_exists = user_count == 1
if user_exists then
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
local user_password = req.password
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
req:log_info(string.format("trying %s...", dn))
local test_conn = lualdap.open_simple(
ldap_host,
dn,
user_password,
ldap_use_tls)
if test_conn ~= nil then
req:log_info(string.format("%s suceeded!", dn))
return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
end
end
else
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
end
return return_code, return_text
end
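Review bot: `ld = assert (lualdap.open_simple(…))` near the top of `auth_passdb_lookup` is missing `local`, so every lookup writes a global, and neither `ld` nor the per-DN `test_conn` is ever closed, so each authentication attempt leaks LDAP connections. The username is substituted into the LDAP filter verbatim via `ldap_pass_filter:gsub("%%u", username)` (and into `app_base_dn`); this is only safe because `auth_username_chars` elsewhere in this commit excludes `( ) * \ %`, and escaping those characters per RFC 4515 inside the script would remove that hidden coupling. Logging every app-password DN tried at info level on each login is noisy and the success message has a typo (`suceeded`); debug level is more appropriate, and `ldap_user_attribute` is assigned but never used. Finally, `LDAP_BIND_PASSWORD` is interpolated into a double-quoted Lua literal, so a value containing `"` or `\` would presumably break the rendered script; worth documenting the constraint on that line.
```lua
function auth_passdb_lookup(req)
  -- … unchanged: ldap_host / ldap_bin_dn / ldap_bind_password / ldap_use_tls from the template …
  local ld = assert(lualdap.open_simple(ldap_host, ldap_bin_dn, ldap_bind_password, ldap_use_tls))
  -- … unchanged: username, pass filter, base DN, user_count search, return_code / return_text / user_exists …
  if user_exists then
    -- … unchanged: app_base_dn_formatted, app_pass_filter, user_password …
    for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
      req:log_debug(string.format("trying %s", dn))
      local test_conn = lualdap.open_simple(ldap_host, dn, user_password, ldap_use_tls)
      if test_conn ~= nil then
        test_conn:close()
        ld:close()
        req:log_debug(string.format("%s succeeded", dn))
        return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
      end
    end
  else
    ld:close()
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end
  ld:close()
  return return_code, return_text
end
```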


@ -3,6 +3,11 @@ passdb {
args = /etc/dovecot/dovecot-ldap.conf.ext args = /etc/dovecot/dovecot-ldap.conf.ext
} }
passdb {
driver = lua
args = file=/etc/dovecot/app-passwords-lookup.lua
}
userdb { userdb {
driver = static driver = static
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n


@ -1,4 +1,4 @@
uris = {{getenv "LDAP_URI"}} uris = ldap://{{getenv "LDAP_HOST"}}
dn = {{getenv "LDAP_BIND_DN"}} dn = {{getenv "LDAP_BIND_DN"}}
dnpass = {{getenv "LDAP_BIND_PASSWORD"}} dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
tls = {{getenv "LDAP_USE_TLS" "yes"}} tls = {{getenv "LDAP_USE_TLS" "yes"}}
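Review bot: `uris = ldap://{{getenv "LDAP_HOST"}}` hard-codes the scheme, so a directory that is only reachable over `ldaps://` can no longer be configured; `tls = yes` on the last line covers STARTTLS only. Either keep the scheme configurable (e.g. `uris = {{getenv "LDAP_SCHEME" "ldap"}}://{{getenv "LDAP_HOST"}}`) or document in the README that only STARTTLS is supported. The README hunk in this commit also still tells readers that `LDAP_SIEVE_HOST` "has to be the same as `LDAP_URI`", which no longer exists after this rename.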


@ -0,0 +1,5 @@
#!/usr/bin/with-contenv sh
if [ ! -f /etc/ssl/mail/dh.pem ]; then
openssl dhparam -out /etc/ssl/mail/dh.pem ${SSL_DH_LENGTH:-2048}
fi
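Review bot: `${SSL_DH_LENGTH:-2048}` is expanded unquoted into the `openssl dhparam` command line and its exit status is never checked, so a malformed value or a read-only `/etc/ssl/mail` leaves no `dh.pem` while `ssl_dh=</etc/ssl/mail/dh.pem` in the ssl config still expects it. Quote the expansion and fail loudly, e.g. `openssl dhparam -out /etc/ssl/mail/dh.pem "${SSL_DH_LENGTH:-2048}" || exit 1`, and consider a `set -e` after the shebang. The hunk header counts five added lines but only four are visible here, so one line of this script is not shown.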