Added support for Dovecot and Postfix LDAP TLS (#800)

* Allow setup of LDAP STARTTLS for Dovecot and Postfix * Added tests for TLS config override * Add missing Postfix TLS options * Added missing new line at the end of the file * Added STARTTLS tests for Postfix config
2024-01-19 02:48:50 +00:00 · 2018-01-25 22:38:41 +01:00 · 2018-01-25 22:38:41 +01:00 · d270fcdd40
parent eea4ec1dbc
commit d270fcdd40
12 changed files with 30 additions and 1 deletions
--- a/2
+++ b/2
@ -128,6 +128,7 @@ run:
 		-v "`pwd`/test":/tmp/docker-mailserver-test \
 		-e ENABLE_LDAP=1 \
 		-e LDAP_SERVER_HOST=ldap \
+		-e LDAP_START_TLS=no \
 		-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
 		-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
 		-e LDAP_BIND_PW=admin \
@ -135,6 +136,7 @@ run:
 		-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
 		-e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \
 		-e LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" \
+		-e DOVECOT_TLS=no \
 		-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 		-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 		-e ENABLE_SASLAUTHD=1 \
--- a/README.md
+++ b/README.md
@ -268,6 +268,11 @@ Otherwise, `iptables` won't be able to ban IPs.
    - A second container for the ldap service is necessary (e.g. [docker-openldap](https://github.com/osixia/docker-openldap))
    - For preparing the ldap server to use in combination with this continer [this](http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/) article may be helpful

+##### LDAP_START_TLS
+
+  - **empty** => no
+  - yes => LDAP over TLS enabled for Postfix
+
 ##### LDAP_SERVER_HOST

  - **empty** => mail.domain.com
@ -304,6 +309,11 @@ Otherwise, `iptables` won't be able to ban IPs.
  - e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
  - => Specify how ldap should be asked for aliases

+##### DOVECOT_TLS
+
+  - **empty** => no
+  - yes => LDAP over TLS enabled for Dovecot
+
 ##### DOVECOT_USER_FILTER

  - e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
--- a/target/dovecot/dovecot-ldap.conf.ext
+++ b/target/dovecot/dovecot-ldap.conf.ext
@ -3,6 +3,7 @@ default_pass_scheme = SSHA
 dn                  = cn=admin,dc=domain,dc=com
 dnpass              = admin
 hosts               = mail.domain.com
+tls                 = no
 ldap_version        = 3
 pass_attrs          = uniqueIdentifier=user,userPassword=password
 pass_filter         = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
--- a/target/postfix/ldap-aliases.cf
+++ b/target/postfix/ldap-aliases.cf
@ -5,4 +5,5 @@ query_filter     = (&(mailAlias=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base      = ou=people,dc=domain,dc=com
 server_host      = mail.domain.com
+start_tls        = no
 version          = 3
--- a/target/postfix/ldap-domains.cf
+++ b/target/postfix/ldap-domains.cf
@ -5,4 +5,5 @@ query_filter     = (&(|(mail=*@%s)(mailalias=*@%s))(mailEnabled=TRUE))
 result_attribute = mail
 search_base      = ou=people,dc=domain,dc=com
 server_host      = mail.domain.com
-version          = 3
+start_tls        = no
+version          = 3
--- a/target/postfix/ldap-groups.cf
+++ b/target/postfix/ldap-groups.cf
@ -5,4 +5,5 @@ query_filter             = (&(mailGroupMember=%s)(mailEnabled=TRUE))
 result_attribute         = mail
 search_base              = ou=people,dc=domain,dc=com
 server_host              = mail.domain.com
+start_tls                = no
 version                  = 3
--- a/target/postfix/ldap-users.cf
+++ b/target/postfix/ldap-users.cf
@ -5,4 +5,5 @@ query_filter     = (&(mail=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base      = ou=people,dc=domain,dc=com
 server_host      = mail.domain.com
+start_tls        = no
 version          = 3
--- a/test/config/dovecot-lmtp/dovecot-ldap.conf.ext
+++ b/test/config/dovecot-lmtp/dovecot-ldap.conf.ext
@ -3,6 +3,7 @@ default_pass_scheme = SSHA
 dn                  = cn=admin,dc=domain,dc=com
 dnpass              = admin
 hosts               = mail.domain.com
+tls                 = no
 ldap_version        = 3
 pass_attrs          = uniqueIdentifier=user,userPassword=password
 pass_filter         = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
--- a/test/config/ldap-aliases.cf
+++ b/test/config/ldap-aliases.cf
@ -6,4 +6,5 @@ query_filter     = (&(mailAlias=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base      = ou=people,dc=domain,dc=com
 server_host      = mail.domain.com
+start_tls        = no
 version          = 3
--- a/test/config/ldap-groups.cf
+++ b/test/config/ldap-groups.cf
@ -6,4 +6,5 @@ query_filter             = (&(mailGroupMember=%s)(mailEnabled=TRUE))
 result_attribute         = mail
 search_base              = ou=people,dc=domain,dc=com
 server_host              = mail.domain.com
+start_tls                = no
 version                  = 3
--- a/test/config/ldap-users.cf
+++ b/test/config/ldap-users.cf
@ -6,4 +6,5 @@ query_filter     = (&(mail=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base      = ou=people,dc=domain,dc=com
 server_host      = mail.domain.com
+start_tls        = no
 version          = 3
--- a/test/tests.bats
+++ b/test/tests.bats
@ -1177,6 +1177,8 @@ load 'test_helper/bats-assert/load'
@test "checking postfix: ldap config overwrites success" {
 run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
 assert_success
+ run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
+ assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
 assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
@ -1184,6 +1186,8 @@ load 'test_helper/bats-assert/load'

 run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
 assert_success
+ run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
+ assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
 assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
@ -1191,6 +1195,8 @@ load 'test_helper/bats-assert/load'

 run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
 assert_success
+ run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
+ assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
 assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
@ -1231,6 +1237,8 @@ load 'test_helper/bats-assert/load'
@test "checking dovecot: ldap config overwrites success" {
  run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
  assert_success
+  run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
+  assert_success
  run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
  assert_success
  run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"