Merge branch 'next'
commit
08562ad823
88
Dockerfile
88
Dockerfile
@ -1,13 +1,84 @@
|
|||||||
|
FROM alpine:3.8 as builder
|
||||||
|
|
||||||
|
RUN apk --no-cache add \
|
||||||
|
rpcgen \
|
||||||
|
g++ \
|
||||||
|
make \
|
||||||
|
libressl \
|
||||||
|
libressl-dev \
|
||||||
|
lua-dev \
|
||||||
|
openldap-dev \
|
||||||
|
libsodium-dev \
|
||||||
|
linux-pam-dev \
|
||||||
|
zlib-dev \
|
||||||
|
bzip2-dev \
|
||||||
|
xz-dev \
|
||||||
|
lz4-dev \
|
||||||
|
icu-dev \
|
||||||
|
inotify-tools-dev
|
||||||
|
|
||||||
|
RUN mkdir /tmp/dovecot
|
||||||
|
RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
|
||||||
|
|
||||||
|
RUN mkdir /tmp/pigeonhole
|
||||||
|
RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1
|
||||||
|
|
||||||
|
RUN cd /tmp/dovecot && \
|
||||||
|
./configure --prefix '' \
|
||||||
|
--with-notify=inotify \
|
||||||
|
--with-lua \
|
||||||
|
--with-zlib \
|
||||||
|
--with-bzlib \
|
||||||
|
--with-pam \
|
||||||
|
--with-ssl=openssl \
|
||||||
|
--with-sodium \
|
||||||
|
--without-sql \
|
||||||
|
--with-ldap \
|
||||||
|
--with-lzma \
|
||||||
|
--with-lz4 \
|
||||||
|
--with-icu \
|
||||||
|
--without-shadow \
|
||||||
|
--with-ssldir=/etc/ssl/mail \
|
||||||
|
--with-rundir=/run/dovecot \
|
||||||
|
--disable-static && \
|
||||||
|
make && \
|
||||||
|
make install
|
||||||
|
|
||||||
|
RUN cd /tmp/pigeonhole && \
|
||||||
|
./configure --prefix '' \
|
||||||
|
--with-ldap=yes \
|
||||||
|
--with-dovecot=/lib/dovecot \
|
||||||
|
--disable-static && \
|
||||||
|
make && make install
|
||||||
|
|
||||||
FROM thallian/confd-env:latest
|
FROM thallian/confd-env:latest
|
||||||
|
|
||||||
RUN apk add --no-cache \
|
COPY --from=builder /lib/dovecot/ /lib/dovecot/
|
||||||
dovecot \
|
COPY --from=builder /libexec/dovecot/ /libexec/dovecot/
|
||||||
dovecot-ldap \
|
COPY --from=builder /bin/doveadm /bin/doveadm
|
||||||
dovecot-pigeonhole-plugin \
|
COPY --from=builder /bin/doveconf /bin/doveconf
|
||||||
dovecot-pigeonhole-plugin-ldap \
|
COPY --from=builder /bin/dsync /bin/dsync
|
||||||
|
COPY --from=builder /sbin/dovecot /sbin/dovecot
|
||||||
|
COPY --from=builder /bin/sieve* /bin/
|
||||||
|
|
||||||
|
RUN apk --no-cache add \
|
||||||
|
libsodium \
|
||||||
|
libbz2 \
|
||||||
|
zlib \
|
||||||
|
lz4 \
|
||||||
|
linux-pam \
|
||||||
libressl \
|
libressl \
|
||||||
ssmtp \
|
ssmtp \
|
||||||
ca-certificates
|
ca-certificates \
|
||||||
|
lua \
|
||||||
|
lua-ldap \
|
||||||
|
inotify-tools
|
||||||
|
|
||||||
|
RUN addgroup -g 150 dovecot
|
||||||
|
RUN adduser -u 140 -h /dev/null -H -s /sbin/nologin -D -G dovecot dovecot
|
||||||
|
|
||||||
|
RUN addgroup -g 151 dovenull
|
||||||
|
RUN adduser -u 141 -h /dev/null -H -s /sbin/nologin -D -G dovenull dovenull
|
||||||
|
|
||||||
RUN addgroup -g 2222 access
|
RUN addgroup -g 2222 access
|
||||||
RUN addgroup dovecot access
|
RUN addgroup dovecot access
|
||||||
@ -15,11 +86,14 @@ RUN addgroup dovecot access
|
|||||||
RUN addgroup -g 1111 vmail
|
RUN addgroup -g 1111 vmail
|
||||||
RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
|
RUN adduser -u 1111 -h /var/lib/vmail -D -G vmail vmail
|
||||||
|
|
||||||
|
RUN mkdir -p /etc/dovecot/conf.d
|
||||||
RUN mkdir /var/lib/vmail/sieve-after/
|
RUN mkdir /var/lib/vmail/sieve-after/
|
||||||
RUN chown vmail:vmail /var/lib/vmail/sieve-after/
|
|
||||||
|
RUN chown -R vmail:vmail /var/lib/vmail/sieve-after/
|
||||||
|
|
||||||
EXPOSE 143 4190 6334 7777
|
EXPOSE 143 4190 6334 7777
|
||||||
|
|
||||||
VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
|
VOLUME /var/lib/vmail/mail/ /etc/ssl/mail
|
||||||
|
|
||||||
ADD /rootfs /
|
ADD /rootfs /
|
||||||
|
|
||||||
|
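Review bot: The two source downloads, `RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2` and the pigeonhole one below it, are extracted and compiled without any integrity check, so whatever the mirror or an intermediary serves becomes the image's mail daemon. Fetch to a file and verify a pinned digest before extracting, e.g. `wget -qO /tmp/dovecot.tar.gz <URL> && echo "<sha256-of-dovecot-2.3.0.tar.gz>  /tmp/dovecot.tar.gz" | sha256sum -c - && tar -xzf /tmp/dovecot.tar.gz -C /tmp/dovecot --strip 1`, with the same treatment for pigeonhole. The `--strip 2` on the dovecot extract, against `--strip 1` for pigeonhole, looks like it would drop `configure` if the tarball has the usual single top-level directory, so it is worth confirming that the build actually runs from the extracted tree. The `RUN cd /tmp/dovecot && \` and `RUN cd /tmp/pigeonhole && \` steps would read better as `WORKDIR /tmp/dovecot` followed by a plain `RUN ./configure …`, and the two `apk --no-cache add` lists would be more reproducible with pinned package versions.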
24
README.md
24
README.md
@ -29,8 +29,8 @@ Which authentication mechanism to use for the smtp relay.
|
|||||||
|
|
||||||
Whether to use starttls for the smtp relay.
|
Whether to use starttls for the smtp relay.
|
||||||
|
|
||||||
## LDAP_URI
|
## LDAP_HOST
|
||||||
Complete uri for the authentication ldap host.
|
Ldap hostname (can include the port).
|
||||||
|
|
||||||
## LDAP_SIEVE_HOST
|
## LDAP_SIEVE_HOST
|
||||||
Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
|
Has to be the same as `LDAP_URI` but in a different format (like `ldap:389`).
|
||||||
@ -73,10 +73,11 @@ The ldap attribute which contains the sieve rules.
|
|||||||
|
|
||||||
Whether to use tls when connecting to the ldap host.
|
Whether to use tls when connecting to the ldap host.
|
||||||
|
|
||||||
## LDAP_DEFAULT_PASSSCHEME
|
## LDAP_APP_PASSWORDS_BASE_DN
|
||||||
- default: SSHA
|
Base DN to look for app passwords for a user.
|
||||||
|
|
||||||
Default password scheme used on the ldap host.
|
## LDAP_APP_PASSWORDS_FILTER
|
||||||
|
Specifies the filter on what counts as an app password.
|
||||||
|
|
||||||
## ALLOWED_USERNAME_CHARS
|
## ALLOWED_USERNAME_CHARS
|
||||||
- default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
- default: äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
||||||
@ -84,7 +85,7 @@ Default password scheme used on the ldap host.
|
|||||||
List of characters allowed in a username.
|
List of characters allowed in a username.
|
||||||
|
|
||||||
## AUTH_MECHANISMS
|
## AUTH_MECHANISMS
|
||||||
- default: plain login
|
- default: plain
|
||||||
|
|
||||||
Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
|
Space seperated list of supported [authentication mechanisms](http://wiki2.dovecot.org/Authentication/Mechanisms).
|
||||||
|
|
||||||
@ -96,16 +97,19 @@ Name of the certificate domain.
|
|||||||
|
|
||||||
Length of the Diffie-Helman key in bits.
|
Length of the Diffie-Helman key in bits.
|
||||||
|
|
||||||
## SSL_PROTOCOLS
|
## SSL_MIN_PROTOCOL
|
||||||
- default: !SSLv2 !SSLv3
|
- default: TLSv1
|
||||||
|
|
||||||
Space seperated list of allowed ssl protocols (`!`disables a protocol).
|
Ssl minimum protocol version.
|
||||||
|
|
||||||
## SSL_CIPHERLIST
|
## SSL_CIPHERLIST
|
||||||
- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
|
- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
||||||
|
|
||||||
Colon seperated list of supported ciphers (`!`disables a cipher).
|
Colon seperated list of supported ciphers (`!`disables a cipher).
|
||||||
|
|
||||||
|
Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
|
||||||
|
of ciphers.
|
||||||
|
|
||||||
## IMAP_MAX_USER_CONNECTIONS
|
## IMAP_MAX_USER_CONNECTIONS
|
||||||
- default: 10
|
- default: 10
|
||||||
|
|
||||||
|
3
rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
Normal file
3
rootfs/etc/confd/conf.d/app-passwords-lookup.lua.toml
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
[template]
|
||||||
|
src = "app-passwords-lookup.lua.tmpl"
|
||||||
|
dest = "/etc/dovecot/app-passwords-lookup.lua"
|
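Review bot: The template rendered to `dest = "/etc/dovecot/app-passwords-lookup.lua"` embeds `LDAP_BIND_PASSWORD` in clear text, but this stanza sets no file mode, so the secret is written with confd's default permissions. Add a `mode` (and, if needed, `owner`/`group`) so only the account the Dovecot auth service runs as can read it, e.g. `mode = "0640"` together with an `owner`/`group` matching that service user; the exact user to pick depends on the auth service configuration, which is outside this commit.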
@ -1,4 +1,4 @@
|
|||||||
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
|
auth_username_chars = {{getenv "ALLOWED_USERNAME_CHARS" "äöüabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@"}}
|
||||||
auth_username_format = %Lu
|
auth_username_format = %Lu
|
||||||
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain login"}}
|
auth_mechanisms = {{getenv "AUTH_MECHANISMS" "plain"}}
|
||||||
!include auth-ldap.conf.ext
|
!include auth-ldap.conf.ext
|
||||||
|
@ -22,3 +22,5 @@ namespace inbox {
|
|||||||
special_use = \Drafts
|
special_use = \Drafts
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mail_plugin_dir = /lib/dovecot
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
ssl = yes
|
ssl = yes
|
||||||
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
|
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
|
||||||
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
|
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
|
||||||
ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}}
|
ssl_dh=</etc/ssl/mail/dh.pem
|
||||||
ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}}
|
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
|
||||||
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}}
|
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
|
||||||
ssl_prefer_server_ciphers = yes
|
ssl_prefer_server_ciphers = yes
|
||||||
|
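Review bot: The new `ssl_cipher_list` default on the last changed line carries a trailing space inside the quotes, `"ALL:!kRSA:…:!LOW@STRENGTH "`, which is passed through to the setting verbatim and also differs from the value documented in the README; drop the space so the two agree and the string is clean. The new `ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}` default still admits TLS 1.0 and 1.1, both deprecated by RFC 8996; consider `"TLSv1.2"` as the default and let operators lower it explicitly. `ssl_dh=</etc/ssl/mail/dh.pem` now depends on the `02-dhparam` init script having completed; a short comment here, `# dh.pem is generated on first start by /etc/cont-init.d/02-dhparam`, would save the next reader a search.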
55
rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
Normal file
55
rootfs/etc/confd/templates/app-passwords-lookup.lua.tmpl
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
require "lualdap"
|
||||||
|
|
||||||
|
function auth_passdb_lookup(req)
|
||||||
|
local ldap_host = "{{ getenv "LDAP_HOST" }}"
|
||||||
|
local ldap_bin_dn = "{{ getenv "LDAP_BIND_DN" }}"
|
||||||
|
local ldap_bind_password = "{{ getenv "LDAP_BIND_PASSWORD" }}"
|
||||||
|
local ldap_use_tls = {{ if eq (getenv "LDAP_USE_TLS") "yes" }}true{{ else }}false{{ end }}
|
||||||
|
|
||||||
|
ld = assert (lualdap.open_simple(
|
||||||
|
ldap_host,
|
||||||
|
ldap_bin_dn,
|
||||||
|
ldap_bind_password,
|
||||||
|
ldap_use_tls))
|
||||||
|
|
||||||
|
local username = req.user
|
||||||
|
local ldap_pass_filter = "{{ getenv "LDAP_PASS_FILTER" }}"
|
||||||
|
local ldap_pass_filter_formatted = ldap_pass_filter:gsub("%%u", username)
|
||||||
|
local ldap_base_dn = "{{ getenv "LDAP_BASE_DN" }}"
|
||||||
|
|
||||||
|
local user_count = 0
|
||||||
|
for dn, attribs in ld:search { base = ldap_base_dn, scope = "subtree", filter = ldap_pass_filter_formatted } do
|
||||||
|
user_count = user_count + 1
|
||||||
|
end
|
||||||
|
|
||||||
|
local return_code = dovecot.auth.PASSDB_RESULT_NEXT
|
||||||
|
local return_text = ""
|
||||||
|
|
||||||
|
local user_exists = user_count == 1
|
||||||
|
if user_exists then
|
||||||
|
local app_base_dn = "{{ getenv "LDAP_APP_PASSWORDS_BASE_DN" }}"
|
||||||
|
local app_base_dn_formatted = app_base_dn:gsub("%%u", username)
|
||||||
|
local app_pass_filter = "{{ getenv "LDAP_APP_PASSWORDS_FILTER" }}"
|
||||||
|
local ldap_user_attribute = "{{ getenv "LDAP_USER_ATTRIBUTE" "cn" }}"
|
||||||
|
|
||||||
|
local user_password = req.password
|
||||||
|
|
||||||
|
for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
|
||||||
|
req:log_info(string.format("trying %s...", dn))
|
||||||
|
|
||||||
|
local test_conn = lualdap.open_simple(
|
||||||
|
ldap_host,
|
||||||
|
dn,
|
||||||
|
user_password,
|
||||||
|
ldap_use_tls)
|
||||||
|
if test_conn ~= nil then
|
||||||
|
req:log_info(string.format("%s suceeded!", dn))
|
||||||
|
return dovecot.auth.PASSDB_RESULT_OK, string.format("password=%s user=%s", user_password, username)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
else
|
||||||
|
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
|
||||||
|
end
|
||||||
|
|
||||||
|
return return_code, return_text
|
||||||
|
end
|
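Review bot: `local test_conn = lualdap.open_simple(ldap_host, dn, user_password, ldap_use_tls)` is reached with whatever `req.password` holds, and a bind with an empty password is an unauthenticated bind that many directories answer with success (RFC 4513 §5.1.2), so an app-password entry could be matched without a password; refuse an empty or nil password before the loop. Neither `ld` (which is also a global, missing `local`) nor any successful `test_conn` is ever closed, so every authentication leaks LDAP connections until the auth process is restarted. `ldap_pass_filter:gsub("%%u", username)` inserts the username into the filter unescaped; this is only safe while `auth_username_chars` keeps excluding filter metacharacters, which deserves a comment next to it. The rewritten lines below add the guard and the close calls; the rest of `auth_passdb_lookup` is unchanged.
```lua
  local ld = assert (lualdap.open_simple(
    ldap_host, ldap_bin_dn, ldap_bind_password, ldap_use_tls))
  -- … unchanged: user lookup, user_count loop, return_code/return_text …
  if user_exists then
    -- … unchanged: app_base_dn_formatted, app_pass_filter, ldap_user_attribute …
    local user_password = req.password
    -- A bind with an empty password is an unauthenticated bind that many
    -- directories report as success; refuse it before contacting the server.
    if user_password == nil or user_password == "" then
      ld:close()
      return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "empty password"
    end
    for dn, attribs in ld:search { base = app_base_dn_formatted, scope = "subtree", filter = app_pass_filter } do
      -- … unchanged: log line and test_conn bind …
      if test_conn ~= nil then
        test_conn:close()
        ld:close()
        -- … unchanged: success log and PASSDB_RESULT_OK return …
      end
    end
  else
    ld:close()
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
  end
  ld:close()
  return return_code, return_text
end
```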
@ -3,6 +3,11 @@ passdb {
|
|||||||
args = /etc/dovecot/dovecot-ldap.conf.ext
|
args = /etc/dovecot/dovecot-ldap.conf.ext
|
||||||
}
|
}
|
||||||
|
|
||||||
|
passdb {
|
||||||
|
driver = lua
|
||||||
|
args = file=/etc/dovecot/app-passwords-lookup.lua
|
||||||
|
}
|
||||||
|
|
||||||
userdb {
|
userdb {
|
||||||
driver = static
|
driver = static
|
||||||
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
|
args = uid=vmail gid=vmail home=/var/lib/vmail/mail/%d/%n
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
uris = {{getenv "LDAP_URI"}}
|
uris = ldap://{{getenv "LDAP_HOST"}}
|
||||||
dn = {{getenv "LDAP_BIND_DN"}}
|
dn = {{getenv "LDAP_BIND_DN"}}
|
||||||
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
|
dnpass = {{getenv "LDAP_BIND_PASSWORD"}}
|
||||||
tls = {{getenv "LDAP_USE_TLS" "yes"}}
|
tls = {{getenv "LDAP_USE_TLS" "yes"}}
|
||||||
|
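Review bot: `uris = ldap://{{getenv "LDAP_HOST"}}` hard-codes the plain `ldap://` scheme, so a deployment that previously set `LDAP_URI` to an `ldaps://` endpoint silently loses that option and is left with STARTTLS via `tls = …` as the only encrypted path; if that is intended, document it, otherwise keep the scheme configurable, e.g. `uris = {{getenv "LDAP_SCHEME" "ldap"}}://{{getenv "LDAP_HOST"}}`. The README's `LDAP_SIEVE_HOST` entry still says it "has to be the same as `LDAP_URI`", which this rename makes stale.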
5
rootfs/etc/cont-init.d/02-dhparam
Normal file
5
rootfs/etc/cont-init.d/02-dhparam
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
#!/usr/bin/with-contenv sh
|
||||||
|
|
||||||
|
if [ ! -f /etc/ssl/mail/dh.pem ]; then
|
||||||
|
openssl dhparam -out /etc/ssl/mail/dh.pem ${SSL_DH_LENGTH:-2048}
|
||||||
|
fi
|