From d270fcdd40de9d2b0159a0c99e27fe60acea457e Mon Sep 17 00:00:00 2001
From: Mathieu Brunot
Date: Thu, 25 Jan 2018 22:38:41 +0100
Subject: [PATCH] Added support for Dovecot and Postfix LDAP TLS (#800)

* Allow setup of LDAP STARTTLS for Dovecot and Postfix
* Added tests for TLS config override
* Add missing Postfix TLS options
* Added missing new line at the end of the file
* Added STARTTLS tests for Postfix config
---
 Makefile | 2 ++
 README.md | 10 ++++++++++
 target/dovecot/dovecot-ldap.conf.ext | 1 +
 target/postfix/ldap-aliases.cf | 1 +
 target/postfix/ldap-domains.cf | 3 ++-
 target/postfix/ldap-groups.cf | 1 +
 target/postfix/ldap-users.cf | 1 +
 test/config/dovecot-lmtp/dovecot-ldap.conf.ext | 1 +
 test/config/ldap-aliases.cf | 1 +
 test/config/ldap-groups.cf | 1 +
 test/config/ldap-users.cf | 1 +
 test/tests.bats | 8 ++++++++
 12 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 47df3a16..e1525d32 100644
--- a/Makefile
+++ b/Makefile
@@ -128,6 +128,7 @@ run:
 		-v "`pwd`/test":/tmp/docker-mailserver-test \
 		-e ENABLE_LDAP=1 \
 		-e LDAP_SERVER_HOST=ldap \
+		-e LDAP_START_TLS=no \
 		-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
 		-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
 		-e LDAP_BIND_PW=admin \
@@ -135,6 +136,7 @@ run:
 		-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
 		-e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \
 		-e LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" \
+		-e DOVECOT_TLS=no \
 		-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 		-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 		-e ENABLE_SASLAUTHD=1 \
diff --git a/README.md b/README.md
index df9d4041..3138138f 100644
--- a/README.md
+++ b/README.md
@@ -268,6 +268,11 @@ Otherwise, `iptables` won't be able to ban IPs. - A second container for the ldap service is necessary (e.g. [docker-openldap](https://github.com/osixia/docker-openldap)) - For preparing the ldap server to use in combination with this continer [this](http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/) article may be helpful +##### LDAP_START_TLS + + - **empty** => no + - yes => LDAP over TLS enabled for Postfix + ##### LDAP_SERVER_HOST - **empty** => mail.domain.com @@ -304,6 +309,11 @@ Otherwise, `iptables` won't be able to ban IPs. - e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"` - => Specify how ldap should be asked for aliases +##### DOVECOT_TLS + + - **empty** => no + - yes => LDAP over TLS enabled for Dovecot + ##### DOVECOT_USER_FILTER - e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"` diff --git a/target/dovecot/dovecot-ldap.conf.ext b/target/dovecot/dovecot-ldap.conf.ext index aa4e10cc..573b52d8 100644 --- a/target/dovecot/dovecot-ldap.conf.ext +++ b/target/dovecot/dovecot-ldap.conf.ext @@ -3,6 +3,7 @@ default_pass_scheme = SSHA dn = cn=admin,dc=domain,dc=com dnpass = admin hosts = mail.domain.com +tls = no ldap_version = 3 pass_attrs = uniqueIdentifier=user,userPassword=password pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n)) diff --git a/target/postfix/ldap-aliases.cf b/target/postfix/ldap-aliases.cf index a3f77eaf..73bfe722 100644 --- a/target/postfix/ldap-aliases.cf +++ b/target/postfix/ldap-aliases.cf @@ -5,4 +5,5 @@ query_filter = (&(mailAlias=%s)(mailEnabled=TRUE)) result_attribute = mail search_base = ou=people,dc=domain,dc=com server_host = mail.domain.com +start_tls = no version = 3 diff --git a/target/postfix/ldap-domains.cf b/target/postfix/ldap-domains.cf index 83b48e06..5edd2441 100644 --- a/target/postfix/ldap-domains.cf +++ b/target/postfix/ldap-domains.cf 
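Review bot: `tls = no` is added to the Dovecot LDAP template without any of the settings that make `tls = yes` authenticate the directory server: `tls_ca_cert_file` (or `tls_ca_cert_dir`) and `tls_require_cert` are neither in this template nor in the README entry for `DOVECOT_TLS`, so whether the server certificate is validated once a user sets `DOVECOT_TLS=yes` depends on the OpenLDAP client defaults on the image, which this diff does not pin, and nothing here shows whether the setup script that rewrites this file fills them in. I would add commented placeholders directly after the new line, `#tls_ca_cert_file = <CA bundle path>` and `#tls_require_cert = hard`, so an operator enabling TLS sees what else is needed. The README entry describes the option as "LDAP over TLS", but Dovecot's `tls` key negotiates STARTTLS on the plain LDAP port (LDAPS is selected with an `ldaps://` URI instead), so the wording should say STARTTLS. The identical gap is in the test copy at test/config/dovecot-lmtp/dovecot-ldap.conf.ext.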
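Review bot: `start_tls = no` is the only TLS key added to ldap-aliases.cf, and the same single line goes into ldap-domains.cf, ldap-groups.cf and ldap-users.cf; when a user sets `LDAP_START_TLS=yes` the map will negotiate STARTTLS, but with Postfix's ldap_table default of `tls_require_cert = no` the directory server's certificate is not verified, so the commit's "Add missing Postfix TLS options" is only partly delivered. I would add `tls_require_cert = yes` and a commented `#tls_ca_cert_file = <CA bundle path>` after the new line in each of the four templates, or at minimum state in the README that both must be set for `LDAP_START_TLS=yes` to authenticate the server rather than only encrypt the session. The README entry also says "LDAP over TLS", while `start_tls` is STARTTLS on the plain LDAP port (LDAPS would be an `ldaps://` value in `server_host`), so the wording should say STARTTLS. Whether the script that substitutes `LDAP_START_TLS` into these files also handles the verification keys is not visible in this diff.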
@@ -5,4 +5,5 @@ query_filter = (&(|(mail=*@%s)(mailalias=*@%s))(mailEnabled=TRUE))
 result_attribute = mail
 search_base = ou=people,dc=domain,dc=com
 server_host = mail.domain.com
-version = 3
\ No newline at end of file
+start_tls = no
+version = 3
diff --git a/target/postfix/ldap-groups.cf b/target/postfix/ldap-groups.cf
index 5ac2e06a..914e31a1 100644
--- a/target/postfix/ldap-groups.cf
+++ b/target/postfix/ldap-groups.cf
@@ -5,4 +5,5 @@ query_filter = (&(mailGroupMember=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base = ou=people,dc=domain,dc=com
 server_host = mail.domain.com
+start_tls = no
 version = 3
diff --git a/target/postfix/ldap-users.cf b/target/postfix/ldap-users.cf
index f837a04c..a7b29cb6 100644
--- a/target/postfix/ldap-users.cf
+++ b/target/postfix/ldap-users.cf
@@ -5,4 +5,5 @@ query_filter = (&(mail=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base = ou=people,dc=domain,dc=com
 server_host = mail.domain.com
+start_tls = no
 version = 3
diff --git a/test/config/dovecot-lmtp/dovecot-ldap.conf.ext b/test/config/dovecot-lmtp/dovecot-ldap.conf.ext
index aa4e10cc..573b52d8 100644
--- a/test/config/dovecot-lmtp/dovecot-ldap.conf.ext
+++ b/test/config/dovecot-lmtp/dovecot-ldap.conf.ext
@@ -3,6 +3,7 @@ default_pass_scheme = SSHA
 dn = cn=admin,dc=domain,dc=com
 dnpass = admin
 hosts = mail.domain.com
+tls = no
 ldap_version = 3
 pass_attrs = uniqueIdentifier=user,userPassword=password
 pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
diff --git a/test/config/ldap-aliases.cf b/test/config/ldap-aliases.cf
index f51f2d08..a4579393 100644
--- a/test/config/ldap-aliases.cf
+++ b/test/config/ldap-aliases.cf
@@ -6,4 +6,5 @@ query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
 result_attribute = mail
 search_base = ou=people,dc=domain,dc=com
 server_host = mail.domain.com
+start_tls = no
 version = 3
diff --git a/test/config/ldap-groups.cf b/test/config/ldap-groups.cf
index b51d96c6..6712db9e 100644
--- a/test/config/ldap-groups.cf
+++ b/test/config/ldap-groups.cf @@ -6,4 +6,5 @@ query_filter = (&(mailGroupMember=%s)(mailEnabled=TRUE)) result_attribute = mail search_base = ou=people,dc=domain,dc=com server_host = mail.domain.com +start_tls = no version = 3 diff --git a/test/config/ldap-users.cf b/test/config/ldap-users.cf index fa915ccb..92cd2ed5 100644 --- a/test/config/ldap-users.cf +++ b/test/config/ldap-users.cf @@ -6,4 +6,5 @@ query_filter = (&(mail=%s)(mailEnabled=TRUE)) result_attribute = mail search_base = ou=people,dc=domain,dc=com server_host = mail.domain.com +start_tls = no version = 3 diff --git a/test/tests.bats b/test/tests.bats index 46967c4b..d6cc26be 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -1177,6 +1177,8 @@ load 'test_helper/bats-assert/load' @test "checking postfix: ldap config overwrites success" { run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf" assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf" + assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" @@ -1184,6 +1186,8 @@ load 'test_helper/bats-assert/load' run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf" assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf" + assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" 
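Review bot: The new assertion in "checking postfix: ldap config overwrites success" greps ldap-users.cf for `start_tls = no`, which is exactly the value the shipped template now carries, so it passes even if the `LDAP_START_TLS` substitution never runs; the same applies to the ldap-groups and ldap-aliases assertions in the following hunks and to `tls = no` in the Dovecot test, because the Makefile `run` target feeds `LDAP_START_TLS=no` and `DOVECOT_TLS=no`, the template defaults. To make the override observable the test container would need a value that differs from the template, for example `-e LDAP_START_TLS=yes` in the Makefile with the checks changed to `grep 'start_tls = yes'`, which in turn requires the ldap test container to accept STARTTLS. Separately, `grep 'tls = no'` on the Dovecot file is an unanchored substring match; `grep '^tls = no'` keeps it from matching any other key ending in `tls`.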
@@ -1191,6 +1195,8 @@ load 'test_helper/bats-assert/load' run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf" assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf" + assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" @@ -1231,6 +1237,8 @@ load 'test_helper/bats-assert/load' @test "checking dovecot: ldap config overwrites success" { run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext" assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext" + assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" assert_success run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"