From 17962c243a2eb7ae40dab7885578736f4d106a72 Mon Sep 17 00:00:00 2001
From: William Desportes
Date: Tue, 8 Dec 2020 15:07:01 +0100
Subject: [PATCH 1/2] Implement more sasl config options

Follow up of: https://github.com/tomav/docker-mailserver/pull/980
Ref: https://github.com/tomav/docker-mailserver/issues/1704
---
 README.md                  | 24 ++++++++++++++++++++++++
 mailserver.env             | 11 +++++++++++
 target/start-mailserver.sh | 17 +++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git a/README.md b/README.md
index 44c83ab0..74d62838 100644
--- a/README.md
+++ b/README.md
@@ -808,6 +808,30 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 - empty or 0 => `ldap://` will be used
 - 1 => `ldaps://` will be used
 
+##### SASLAUTHD_LDAP_START_TLS
+
+- **empty** => `no`
+- `yes` => Enable `ldap_start_tls` option
+
+##### SASLAUTHD_LDAP_TLS_CHECK_PEER
+
+- **empty** => `no`
+- `yes` => Enable `ldap_tls_check_peer` option
+
+##### SASLAUTHD_LDAP_TLS_CACERT_DIR
+
+Path to directory with CA (Certificate Authority) certificates.
+
+- **empty** => Nothing is added to the configuration
+- Any value => Fills the `ldap_tls_cacert_dir` option
+
+##### SASLAUTHD_LDAP_TLS_CACERT_FILE
+
+File containing CA (Certificate Authority) certificate(s).
+
+- **empty** => Nothing is added to the configuration
+- Any value => Fills the `ldap_tls_cacert_file` option
+
 ##### SASLAUTHD_LDAP_BIND_DN
 
 - empty => anonymous bind
diff --git a/mailserver.env b/mailserver.env
index b0fa8591..eb9f7e11 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -343,8 +343,19 @@ SASLAUTHD_LDAP_START_TLS=
 
 # empty => no
 # yes => Require and verify server certificate
+# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
 SASLAUTHD_LDAP_TLS_CHECK_PEER=
 
+# File containing CA (Certificate Authority) certificate(s).
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_file` option
+SASLAUTHD_LDAP_TLS_CACERT_FILE=
+
+# Path to directory with CA (Certificate Authority) certificates.
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_dir` option
+SASLAUTHD_LDAP_TLS_CACERT_DIR=
+
 # empty => No sasl_passwd will be created
 # string => `/etc/postfix/sasl_passwd` will be created with the string as password
 SASL_PASSWD=
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 9cb951b0..7862440b 100755
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -918,6 +918,20 @@ function _setup_saslauthd
   [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
   [[ -z ${SASLAUTHD_LDAP_TLS_CHECK_PEER} ]] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no
 
+  if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]]
+  then
+    SASLAUTHD_LDAP_TLS_CACERT_FILE=""
+  else
+    SASLAUTHD_LDAP_TLS_CACERT_FILE="ldap_tls_cacert_file: ${SASLAUTHD_LDAP_TLS_CACERT_FILE}"
+  fi
+
+  if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_DIR} ]]
+  then
+    SASLAUTHD_LDAP_TLS_CACERT_DIR=""
+  else
+    SASLAUTHD_LDAP_TLS_CACERT_DIR="ldap_tls_cacert_dir: ${SASLAUTHD_LDAP_TLS_CACERT_DIR}"
+  fi
+
   if [[ ! -f /etc/saslauthd.conf ]]
   then
     _notify 'inf' "Creating /etc/saslauthd.conf"
@@ -934,6 +948,9 @@ ldap_filter: ${SASLAUTHD_LDAP_FILTER}
 ldap_start_tls: ${SASLAUTHD_LDAP_START_TLS}
 ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER}
 
+${SASLAUTHD_LDAP_TLS_CACERT_FILE}
+${SASLAUTHD_LDAP_TLS_CACERT_DIR}
+
 ldap_referrals: yes
 log_level: 10
 EOF
From e58020029e035573b36d3610cd31f64deb84dfa4 Mon Sep 17 00:00:00 2001
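Review bot: The CA path taken from `SASLAUTHD_LDAP_TLS_CACERT_FILE` / `SASLAUTHD_LDAP_TLS_CACERT_DIR` is written into the config without checking that it exists, so a mistyped path or a forgotten volume mount only surfaces when saslauthd performs its first TLS bind, and with `SASLAUTHD_LDAP_TLS_CHECK_PEER=yes` that is the moment every login starts failing. A start-up check placed before the value is rewritten, such as `[[ -n ${SASLAUTHD_LDAP_TLS_CACERT_FILE} && ! -f ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]] && _notify 'inf' "SASLAUTHD_LDAP_TLS_CACERT_FILE not found: ${SASLAUTHD_LDAP_TLS_CACERT_FILE}"` (and `-d` for the directory), would report it at container start, using whichever `_notify` level the script reserves for errors. Reusing the environment variable to hold the finished `ldap_tls_cacert_file: …` line also means the original path is gone once this block has run; a separate variable and the one-line form `[[ -n ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]] && …` would avoid both the six-line if/else and the overwrite. The heredoc hunk that follows emits these variables, and `_setup_saslauthd` starts before this hunk.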
From: William Desportes
Date: Tue, 8 Dec 2020 15:29:49 +0100
Subject: [PATCH 2/2] Add more sasl LDAP config options

- SASLAUTHD_LDAP_PASSWORD_ATTR => ldap_password_attr
- SASLAUTHD_LDAP_AUTH_METHOD => ldap_auth_method
- SASLAUTHD_LDAP_MECH => ldap_mech
---
 README.md                  | 20 ++++++++++++++++++++
 mailserver.env             | 15 +++++++++++++++
 target/start-mailserver.sh | 19 ++++++++++++++++++-
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 74d62838..75677aef 100644
--- a/README.md
+++ b/README.md
@@ -854,11 +854,31 @@ File containing CA (Certificate Authority) certificate(s).
 - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
 - e.g. for openldap: `(&(uid=%U)(objectClass=person))`
 
+##### SASLAUTHD_LDAP_PASSWORD_ATTR
+
+Specify what password attribute to use for password verification.
+
+- **empty** => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
+- Any value => Fills the `ldap_password_attr` option
+
 ##### SASL_PASSWD
 
 - **empty** => No sasl_passwd will be created
 - string => `/etc/postfix/sasl_passwd` will be created with the string as password
 
+##### SASLAUTHD_LDAP_AUTH_METHOD
+
+- **empty** => `bind` will be used as a default value
+- `fastbind` => The fastbind method is used
+- `custom` => The custom method uses userPassword attribute to verify the password
+
+##### SASLAUTHD_LDAP_MECH
+
+Specify the authentication mechanism for SASL bind.
+
+- **empty** => Nothing is added to the configuration
+- Any value => Fills the `ldap_mech` option
+
 #### SRS (Sender Rewriting Scheme)
 
 ##### SRS_SENDER_CLASSES
diff --git a/mailserver.env b/mailserver.env
index eb9f7e11..94c37391 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -356,10 +356,25 @@ SASLAUTHD_LDAP_TLS_CACERT_FILE=
 # Any value => Fills the `ldap_tls_cacert_dir` option
 SASLAUTHD_LDAP_TLS_CACERT_DIR=
 
+# Specify what password attribute to use for password verification.
+# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
+# Any value => Fills the `ldap_password_attr` option
+SASLAUTHD_LDAP_PASSWORD_ATTR=
+
 # empty => No sasl_passwd will be created
 # string => `/etc/postfix/sasl_passwd` will be created with the string as password
 SASL_PASSWD=
 
+# empty => `bind` will be used as a default value
+# `fastbind` => The fastbind method is used
+# `custom` => The custom method uses userPassword attribute to verify the password
+SASLAUTHD_LDAP_AUTH_METHOD=
+
+# Specify the authentication mechanism for SASL bind
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_mech` option
+SASLAUTHD_LDAP_MECH=
+
 # –––––––––––––––––––––––––––––––––––––––––––––––
 # ––– SRS Section –––––––––––––––––––––––––––––––
 # –––––––––––––––––––––––––––––––––––––––––––––––
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 7862440b..666c4b75 100755
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -917,6 +917,7 @@ function _setup_saslauthd
 
   [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
   [[ -z ${SASLAUTHD_LDAP_TLS_CHECK_PEER} ]] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no
+  [[ -z ${SASLAUTHD_LDAP_AUTH_METHOD} ]] && SASLAUTHD_LDAP_AUTH_METHOD=bind
 
   if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]]
   then
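Review bot: `SASLAUTHD_LDAP_AUTH_METHOD` is only defaulted on the added line, never validated, so a typo such as `fast-bind` is copied verbatim into `ldap_auth_method:` and its effect is only discovered once saslauthd starts rather than at container start. Since the README and mailserver.env hunks of this commit enumerate exactly `bind`, `fastbind` and `custom`, a guard after the default like `case ${SASLAUTHD_LDAP_AUTH_METHOD} in bind|fastbind|custom) ;; *) _notify 'inf' "Unknown SASLAUTHD_LDAP_AUTH_METHOD: ${SASLAUTHD_LDAP_AUTH_METHOD}" ;; esac` would catch it (use whichever `_notify` level the script reserves for errors). A comment next to the default is also worth adding, e.g. `# custom compares the password attribute itself, so the bind DN must be allowed to read it — presumably userPassword unless SASLAUTHD_LDAP_PASSWORD_ATTR overrides it; verify against the saslauthd LDAP docs`. `_setup_saslauthd` starts before this hunk.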
@@ -932,13 +933,27 @@ function _setup_saslauthd
     SASLAUTHD_LDAP_TLS_CACERT_DIR="ldap_tls_cacert_dir: ${SASLAUTHD_LDAP_TLS_CACERT_DIR}"
   fi
 
+  if [[ -z ${SASLAUTHD_LDAP_PASSWORD_ATTR} ]]
+  then
+    SASLAUTHD_LDAP_PASSWORD_ATTR=""
+  else
+    SASLAUTHD_LDAP_PASSWORD_ATTR="ldap_password_attr: ${SASLAUTHD_LDAP_PASSWORD_ATTR}"
+  fi
+
+  if [[ -z ${SASLAUTHD_LDAP_MECH} ]]
+  then
+    SASLAUTHD_LDAP_MECH=""
+  else
+    SASLAUTHD_LDAP_MECH="ldap_mech: ${SASLAUTHD_LDAP_MECH}"
+  fi
+
   if [[ ! -f /etc/saslauthd.conf ]]
   then
     _notify 'inf' "Creating /etc/saslauthd.conf"
 
     cat > /etc/saslauthd.conf << EOF
 ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER}
-ldap_auth_method: bind
+ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
 ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
 ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD}
 
@@ -950,6 +965,8 @@ ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER}
 
 ${SASLAUTHD_LDAP_TLS_CACERT_FILE}
 ${SASLAUTHD_LDAP_TLS_CACERT_DIR}
+${SASLAUTHD_LDAP_PASSWORD_ATTR}
+${SASLAUTHD_LDAP_MECH}
 
 ldap_referrals: yes
 log_level: 10
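Review bot: `ldap_mech` is written into the config whenever `SASLAUTHD_LDAP_MECH` is set, but if I read saslauthd's LDAP_SASLAUTHD notes correctly the option only takes effect together with `ldap_use_sasl: yes`, which this template never emits; an operator who sets `SASLAUTHD_LDAP_MECH` expecting a SASL bind would then still get a simple bind with `ldap_bind_pw` — confirm against the saslauthd documentation and either add that option or document the limitation next to `SASLAUTHD_LDAP_MECH` in mailserver.env. As a matter of style, this is the fourth copy of the same six-line if/else; `[[ -n ${SASLAUTHD_LDAP_MECH} ]] && SASLAUTHD_LDAP_MECH="ldap_mech: ${SASLAUTHD_LDAP_MECH}"` is equivalent in practice (the empty branch assigns an already empty value) and reads as one line per option, matching the `[[ -z … ]] && …` defaults above it. The heredoc hunk below emits the two new variables; `_setup_saslauthd` starts before this hunk and the heredoc continues past the hunk's last line.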