Fix ldap related critical Problems (#644)

* Fix Dovecot Ldap Problems
* Fix typo within DEFAULT_VARS Definitions
* Fix wrong ldap hosts value within the bats test
* Fix override_config for strings containing &
* Fix erroneous removal of an conditional within the postfix override function
* Renamed Test 129, to be clear that this belongs to ldap
* Fix mail_with_ldap setting dn pass explicit
* Add 3 env variables for ldap: LDAP_QUERY_FILTER_{USER,GROUP,ALIAS}
* Update README.md
This commit is contained in:
alinmear 2017-07-03 13:16:16 +02:00 committed by Thomas VIAL
parent 1effcdebd7
commit 21fb3f3c86
4 changed files with 190 additions and 80 deletions

View file

@ -107,6 +107,12 @@ run:
-e LDAP_SERVER_HOST=ldap \ -e LDAP_SERVER_HOST=ldap \
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ -e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
-e LDAP_BIND_PW=admin \
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e ENABLE_SASLAUTHD=1 \ -e ENABLE_SASLAUTHD=1 \
-e SASLAUTHD_MECHANISMS=ldap \ -e SASLAUTHD_MECHANISMS=ldap \
-e SASLAUTHD_LDAP_SERVER=ldap \ -e SASLAUTHD_LDAP_SERVER=ldap \

103
README.md
View file

@ -79,6 +79,60 @@ volumes:
driver: local driver: local
``` ```
__for ldap setup__:
```yaml
version: '2'
services:
mail:
image: tvial/docker-mailserver:latest
hostname: mail
domainname: domain.com
container_name: mail
ports:
- "25:25"
- "143:143"
- "587:587"
- "993:993"
volumes:
- maildata:/var/mail
- mailstate:/var/mail-state
- ./config/:/tmp/docker-mailserver/
environment:
- ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
- ENABLE_POSTGREY=1
- ONE_DIR=1
- DMS_DEBUG=0
- ENABLE_LDAP=1
- LDAP_SERVER_HOST=ldap # your ldap container/IP/ServerName
- LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain
- LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain
- LDAP_BIND_PW=admin
- LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))"
- LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))"
- LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))"
- DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"
- DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"
- ENABLE_SASLAUTHD=1
- SASLAUTHD_MECHANISMS=ldap
- SASLAUTHD_LDAP_SERVER=ldap
- SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain
- SASLAUTHD_LDAP_PASSWORD=admin
- SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain
- POSTMASTER_ADDRESS=postmaster@localhost.localdomain
cap_add:
- NET_ADMIN
volumes:
maildata:
driver: local
mailstate:
driver: local
```
#### Create your mail accounts #### Create your mail accounts
Don't forget to adapt MAIL_USER and MAIL_PASS to your needs Don't forget to adapt MAIL_USER and MAIL_PASS to your needs
@ -212,6 +266,29 @@ Otherwise, `iptables` won't be able to ban IPs.
- **empty** => admin - **empty** => admin
- => Specify the password to bind against ldap - => Specify the password to bind against ldap
##### LDAP_QUERY_FILTER_USER
- e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
- => Specify how ldap should be asked for users
##### LDAP_QUERY_FILTER_GROUP
- e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
- => Specify how ldap should be asked for groups
##### LDAP_QUERY_FILTER_ALIAS
- e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
- => Specify how ldap should be asked for aliases
##### DOVECOT_USER_FILTER
- e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
##### DOVECOT_PASS_FILTER
- e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
##### OVERRIDE_HOSTNAME ##### OVERRIDE_HOSTNAME
- **empty** => uses the `hostname` command to get the mail server's canonical hostname - **empty** => uses the `hostname` command to get the mail server's canonical hostname
@ -253,10 +330,10 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### SASLAUTHD_MECHANISMS ##### SASLAUTHD_MECHANISMS
- empty => pam - empty => pam
- ldap => authenticate against ldap server - `ldap` => authenticate against ldap server
- shadow => authenticate against local user db - `shadow` => authenticate against local user db
- mysql => authenticate against mysql db - `mysql` => authenticate against mysql db
- rimap => authenticate against imap server - `rimap` => authenticate against imap server
- NOTE: can be a list of mechanisms like pam ldap shadow - NOTE: can be a list of mechanisms like pam ldap shadow
##### SASLAUTHD_MECH_OPTIONS ##### SASLAUTHD_MECH_OPTIONS
@ -270,8 +347,8 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### SASLAUTHD_LDAP_SSL ##### SASLAUTHD_LDAP_SSL
- empty or 0 => ldap:// will be used - empty or 0 => `ldap://` will be used
- 1 => ldaps:// will be used - 1 => `ldaps://` will be used
##### SASLAUTHD_LDAP_BIND_DN ##### SASLAUTHD_LDAP_BIND_DN
@ -291,9 +368,9 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### SASLAUTHD_LDAP_FILTER ##### SASLAUTHD_LDAP_FILTER
- empty => default filter (&(uniqueIdentifier=%u)(mailEnabled=TRUE)) - empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
- e.g. for active directory: (&(sAMAccountName=%U)(objectClass=person)) - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
- e.g. for openldap: (&(uid=%U)(objectClass=person)) - e.g. for openldap: `(&(uid=%U)(objectClass=person))`
##### SASL_PASSWD ##### SASL_PASSWD
@ -331,14 +408,16 @@ Set how many days a virusmail will stay on the server before being deleted
##### ENABLE_POSTFIX_VIRTUAL_TRANSPORT ##### ENABLE_POSTFIX_VIRTUAL_TRANSPORT
This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket. This Option is activating the Usage of POSTFIX_DAGENT to specify a ltmp client different from default dovecot socket.
- **empty** => disabled - **empty** => disabled
- 1 => enabled - 1 => enabled
##### POSTFIX_DAGENT ##### POSTFIX_DAGENT
Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix Enabled by ENABLE_POSTFIX_VIRTUAL_TRANSPORT. Specify the final delivery of postfix
- **empty**: fail - **empty**: fail
- lmtp:unix:private/dovecot-lmtp (use socket) - `lmtp:unix:private/dovecot-lmtp` (use socket)
- lmtps:inet:<host>:<port> (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/) - `lmtps:inet:<host>:<port>` (secure lmtp with starttls, take a look at https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/)
- lmtp:<kopano-host>:2003 (use kopano as mailstore) - `lmtp:<kopano-host>:2003` (use kopano as mailstore)
- etc. - etc.

View file

@ -353,7 +353,7 @@ function override_config() {
do do
[ -z $key ] && echo -e "\t no key provided" && return 1 [ -z $key ] && echo -e "\t no key provided" && return 1
sed -i -e "s|^${key}[[:space:]]\+.*|${key} = "${config_overrides[$key]}'|g' \ sed -i -e "s|^${key}[[:space:]]\+.*|${key} = ${config_overrides[$key]//&/\\&}|g" \
${f} ${f}
done done
fi fi
@ -574,15 +574,31 @@ function _setup_ldap() {
done done
notify 'inf' 'Starting to override configs' notify 'inf' 'Starting to override configs'
override_config "LDAP_" "/etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf" for f in /etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf
do
[[ $f =~ ldap-user ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
[[ $f =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
[[ $f =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
override_config "LDAP_" "${f}"
done
# @TODO: Environment Variables for DOVECOT ldap integration to configure for better control notify 'inf' "Configuring dovecot LDAP"
notify 'inf' "Configuring dovecot LDAP authentification"
sed -i -e 's|^hosts.*|hosts = '${LDAP_SERVER_HOST:="mail.domain.com"}'|g' \ declare -A _dovecot_ldap_mapping
-e 's|^base.*|base = '${LDAP_SEARCH_BASE:="ou=people,dc=domain,dc=com"}'|g' \
-e 's|^dn\s*=.*|dn = '${LDAP_BIND_DN:="cn=admin,dc=domain,dc=com"}'|g' \ _dovecot_ldap_mapping["DOVECOT_BASE"]="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
-e 's|^dnpass\s*=.*|dnpass = '${LDAP_BIND_PW:="admin"}'|g' \ _dovecot_ldap_mapping["DOVECOT_DN"]="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
/etc/dovecot/dovecot-ldap.conf.ext _dovecot_ldap_mapping["DOVECOT_DNPASS"]="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
_dovecot_ldap_mapping["DOVECOT_HOSTS"]="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"
# Not sure whether this can be the same or not
# _dovecot_ldap_mapping["DOVECOT_PASS_FILTER"]="${DOVECOT_PASS_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
# _dovecot_ldap_mapping["DOVECOT_USER_FILTER"]="${DOVECOT_USER_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
for var in ${!_dovecot_ldap_mapping[@]}; do
export $var=${_dovecot_ldap_mapping[$var]}
done
override_config "DOVECOT_" "/etc/dovecot/dovecot-ldap.conf.ext"
# Add domainname to vhost. # Add domainname to vhost.
echo $DOMAINNAME >> /tmp/vhost.tmp echo $DOMAINNAME >> /tmp/vhost.tmp
@ -667,7 +683,7 @@ EOF
sed -i \ sed -i \
-e "/^[^#].*smtpd_sasl_type.*/s/^/#/g" \ -e "/^[^#].*smtpd_sasl_type.*/s/^/#/g" \
-e "/^[^#].*smtpd_sasl_path.*/s/^/#/g" \ -e "/^[^#].*smtpd_sasl_path.*/s/^/#/g" \
etc/postfix/master.cf /etc/postfix/master.cf
sed -i \ sed -i \
-e "s|^START=.*|START=yes|g" \ -e "s|^START=.*|START=yes|g" \

View file

@ -1088,7 +1088,7 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
} }
@test "checking dovecot: mail delivery works" { @test "checking dovecot: ldap mail delivery works" {
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt" run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt"
sleep 10 sleep 10
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l" run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l"
@ -1096,6 +1096,15 @@ load 'test_helper/bats-assert/load'
assert_output 1 assert_output 1
} }
@test "checking dovecot: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
}
# saslauthd # saslauthd
@test "checking saslauthd: sasl ldap authentication works" { @test "checking saslauthd: sasl ldap authentication works" {
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret" run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"