From e27e13c1b3bbd0be7d4d52b521818cdbbab1834c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franz=20Keferb=C3=B6ck?= Date: Sat, 2 Jun 2018 21:16:16 +0200 Subject: [PATCH] Add saslauthd option for ldap_start_tls & ldap_tls_check_peer - (Solves: #979, #980) --- .env.dist | 9 +++++++++ docker-compose.elk.yml.dist | 2 ++ docker-compose.yml.dist | 2 ++ target/start-mailserver.sh | 5 +++++ 4 files changed, 18 insertions(+) diff --git a/.env.dist b/.env.dist index 8222f4d8..76606cda 100644 --- a/.env.dist +++ b/.env.dist @@ -261,6 +261,15 @@ SASLAUTHD_LDAP_SEARCH_BASE= # e.g. for openldap: `(&(uid=%U)(objectClass=person))` SASLAUTHD_LDAP_FILTER= +# empty => no +# yes => LDAP over TLS enabled for SASL +# Must not be used together with SASLAUTHD_LDAP_SSL=1_ +SASLAUTHD_LDAP_START_TLS= + +# empty => no +# yes => Require and verify server certificate +SASLAUTHD_LDAP_TLS_CHECK_PEER= + # empty => No sasl_passwd will be created # string => `/etc/postfix/sasl_passwd` will be created with the string as password SASL_PASSWD= diff --git a/docker-compose.elk.yml.dist b/docker-compose.elk.yml.dist index 4613ac86..c9e042f9 100644 --- a/docker-compose.elk.yml.dist +++ b/docker-compose.elk.yml.dist @@ -68,6 +68,8 @@ services: - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD} - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE} - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER} + - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS} + - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER} - SASL_PASSWD=${SASL_PASSWD} cap_add: - NET_ADMIN diff --git a/docker-compose.yml.dist b/docker-compose.yml.dist index a1a17a19..5a6f84f1 100644 --- a/docker-compose.yml.dist +++ b/docker-compose.yml.dist @@ -68,6 +68,8 @@ services: - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD} - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE} - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER} + - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS} + - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER} - SASL_PASSWD=${SASL_PASSWD} - SRS_EXCLUDE_DOMAINS=${SRS_EXCLUDE_DOMAINS} - SRS_SECRET=${SRS_SECRET} diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 65953566..9f305edd 100644 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -695,6 +695,8 @@ function _setup_saslauthd() { [ -z "$SASLAUTHD_LDAP_SERVER" ] && SASLAUTHD_LDAP_SERVER=localhost [ -z "$SASLAUTHD_LDAP_FILTER" ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' ([ -z "$SASLAUTHD_LDAP_SSL" ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' + [ -z "$SASLAUTHD_LDAP_START_TLS" ] && SASLAUTHD_LDAP_START_TLS=no + [ -z "$SASLAUTHD_LDAP_TLS_CHECK_PEER" ] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no if [ ! -f /etc/saslauthd.conf ]; then notify 'inf' "Creating /etc/saslauthd.conf" @@ -708,6 +710,9 @@ ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD} ldap_search_base: ${SASLAUTHD_LDAP_SEARCH_BASE} ldap_filter: ${SASLAUTHD_LDAP_FILTER} +ldap_start_tls: $SASLAUTHD_LDAP_START_TLS +ldap_tls_check_peer: $SASLAUTHD_LDAP_TLS_CHECK_PEER + ldap_referrals: yes log_level: 10 EOF