Added support for Dovecot and Postfix LDAP TLS (#800)

* Allow setup of LDAP STARTTLS for Dovecot and Postfix

* Added tests for TLS config override

* Add missing Postfix TLS options

* Added missing new line at the end of the file

* Added STARTTLS tests for Postfix config
This commit is contained in:
Mathieu Brunot 2018-01-25 22:38:41 +01:00 committed by Johan Smits
parent eea4ec1dbc
commit d270fcdd40
12 changed files with 30 additions and 1 deletions


@ -128,6 +128,7 @@ run:
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e ENABLE_LDAP=1 \ -e ENABLE_LDAP=1 \
-e LDAP_SERVER_HOST=ldap \ -e LDAP_SERVER_HOST=ldap \
-e LDAP_START_TLS=no \
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ -e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
-e LDAP_BIND_PW=admin \ -e LDAP_BIND_PW=admin \
@ -135,6 +136,7 @@ run:
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \ -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \ -e LDAP_QUERY_FILTER_ALIAS="(&(mailAlias=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" \ -e LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" \
-e DOVECOT_TLS=no \
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e ENABLE_SASLAUTHD=1 \ -e ENABLE_SASLAUTHD=1 \
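Review bot: `LDAP_START_TLS` and `DOVECOT_TLS` are handed to the test container here, but no hunk on this page consumes them: the templates gain the literal `start_tls = no` / `tls = no`, and the diffstat (30 additions, 1 deletion) is fully accounted for by the twelve visible sections, so the setup script that would substitute the value does not appear to be part of this commit. If that substitution is not already done generically elsewhere, setting either variable to `yes` would silently leave the LDAP connection in cleartext. A run with `-e LDAP_START_TLS=yes` followed by a grep for `start_tls = yes` in the generated file would show whether the wiring exists. The `run:` target continues outside both hunks.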


@ -268,6 +268,11 @@ Otherwise, `iptables` won't be able to ban IPs.
- A second container for the ldap service is necessary (e.g. [docker-openldap](https://github.com/osixia/docker-openldap)) - A second container for the ldap service is necessary (e.g. [docker-openldap](https://github.com/osixia/docker-openldap))
- For preparing the ldap server to use in combination with this continer [this](http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/) article may be helpful - For preparing the ldap server to use in combination with this continer [this](http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/) article may be helpful
##### LDAP_START_TLS
- **empty** => no
- yes => LDAP over TLS enabled for Postfix
##### LDAP_SERVER_HOST ##### LDAP_SERVER_HOST
- **empty** => mail.domain.com - **empty** => mail.domain.com
@ -304,6 +309,11 @@ Otherwise, `iptables` won't be able to ban IPs.
- e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"` - e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
- => Specify how ldap should be asked for aliases - => Specify how ldap should be asked for aliases
##### DOVECOT_TLS
- **empty** => no
- yes => LDAP over TLS enabled for Dovecot
##### DOVECOT_USER_FILTER ##### DOVECOT_USER_FILTER
- e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"` - e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`


@ -3,6 +3,7 @@ default_pass_scheme = SSHA
dn = cn=admin,dc=domain,dc=com dn = cn=admin,dc=domain,dc=com
dnpass = admin dnpass = admin
hosts = mail.domain.com hosts = mail.domain.com
tls = no
ldap_version = 3 ldap_version = 3
pass_attrs = uniqueIdentifier=user,userPassword=password pass_attrs = uniqueIdentifier=user,userPassword=password
pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n)) pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))
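Review bot: The new `tls = no` line ships as a bare value, with nothing saying that it leaves the `dnpass` bind and the `userPassword` values read through `pass_attrs` in cleartext on the wire (unless `hosts` is reached over ldaps by some means outside this file). Whether `tls = yes` on its own verifies the server certificate depends on the libldap default, which the template does not pin, so a comment above the line such as `# tls = yes enables STARTTLS; set tls_ca_cert_file and tls_require_cert so the server certificate is verified` would make the safe configuration visible. The same line is added unchanged to the second Dovecot LDAP template later in this commit, so the comment belongs in both.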


@ -5,4 +5,5 @@ query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3
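Review bot: `start_tls = no` is added without any hint of what enabling it requires; in Postfix's ldap_table, `start_tls = yes` negotiates STARTTLS but, as far as I recall, does not require or verify the server certificate unless `tls_require_cert` and a CA file are also set, so an operator who flips the value gets an encrypted but unauthenticated session. A comment above the line like `# start_tls = yes negotiates STARTTLS; add tls_require_cert = yes and tls_ca_cert_file to verify the server` would document that. The same line is added unchanged to the other six Postfix ldap-*.cf templates in this commit (one of them also repairing the missing final newline), so the comment should go in each of them.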


@ -5,4 +5,5 @@ query_filter = (&(|(mail=*@%s)(mailalias=*@%s))(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
version = 3 start_tls = no
version = 3


@ -5,4 +5,5 @@ query_filter = (&(mailGroupMember=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3


@ -5,4 +5,5 @@ query_filter = (&(mail=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3


@ -3,6 +3,7 @@ default_pass_scheme = SSHA
dn = cn=admin,dc=domain,dc=com dn = cn=admin,dc=domain,dc=com
dnpass = admin dnpass = admin
hosts = mail.domain.com hosts = mail.domain.com
tls = no
ldap_version = 3 ldap_version = 3
pass_attrs = uniqueIdentifier=user,userPassword=password pass_attrs = uniqueIdentifier=user,userPassword=password
pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n)) pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))


@ -6,4 +6,5 @@ query_filter = (&(mailAlias=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3


@ -6,4 +6,5 @@ query_filter = (&(mailGroupMember=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3


@ -6,4 +6,5 @@ query_filter = (&(mail=%s)(mailEnabled=TRUE))
result_attribute = mail result_attribute = mail
search_base = ou=people,dc=domain,dc=com search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com server_host = mail.domain.com
start_tls = no
version = 3 version = 3


@ -1177,6 +1177,8 @@ load 'test_helper/bats-assert/load'
@test "checking postfix: ldap config overwrites success" { @test "checking postfix: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
@ -1184,6 +1186,8 @@ load 'test_helper/bats-assert/load'
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
@ -1191,6 +1195,8 @@ load 'test_helper/bats-assert/load'
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
@ -1231,6 +1237,8 @@ load 'test_helper/bats-assert/load'
@test "checking dovecot: ldap config overwrites success" { @test "checking dovecot: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext" run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
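Review bot: The new `grep 'start_tls = no'` and `grep 'tls = no'` assertions cannot fail even if the override is broken: the templates already contain those exact literals and the Makefile passes `no`, so the generated files match whether or not the variable is honoured. A fixture started with `LDAP_START_TLS=yes` / `DOVECOT_TLS=yes` whose checks grep for `start_tls = yes` and `tls = yes` is what would prove the substitution works. Anchoring the patterns, e.g. `grep '^tls = no'`, also keeps them from matching a commented-out copy of the key. Each of the four hunks cuts through a `@test` body that starts or ends outside the hunk.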