config: ensure SASL socket file is not inside a volume mount (#3131)

This commit is contained in:
Georg Lauterbach 2023-03-03 23:42:55 +01:00 committed by GitHub
parent 9a9380150e
commit f0edcc28d9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 34 additions and 27 deletions


@ -53,7 +53,7 @@ EOF
# --- Dovecot -----------------------------------
# -----------------------------------------------
COPY target/dovecot/auth-passwdfile.inc target/dovecot/auth-master.inc target/dovecot/??-*.conf /etc/dovecot/conf.d/
COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/
COPY target/dovecot/sieve/ /etc/dovecot/sieve/
COPY target/dovecot/dovecot-purge.cron /etc/cron.d/dovecot-purge.disabled
RUN chmod 0 /etc/cron.d/dovecot-purge.disabled
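Review bot: The replacement `COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/` widens the former explicit list (`auth-passwdfile.inc`, `auth-master.inc`, `??-*.conf`) to every `.inc` and `.conf` in `target/dovecot/`, so any file later dropped into that directory becomes live Dovecot configuration with no Dockerfile change and no review signal. That is presumably intended so the new `lmtp-master.inc` is picked up, but the intent should be written down next to the instruction: `# every *.conf / *.inc in target/dovecot/ ships as live config under /etc/dovecot/conf.d/ — do not park drafts or unused snippets there`. If the explicit list was also meant to exclude something, the glob now silently includes it; worth a quick check of that directory.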


@ -45,19 +45,7 @@ service pop3-login {
}
}
service lmtp {
unix_listener lmtp {
mode = 0660
group = postfix
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
!include lmtp-master.inc
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
@ -100,10 +88,10 @@ service auth {
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = docker
group = docker
unix_listener /dev/shm/sasl-auth.sock {
mode = 0660
user = postfix
group = postfix
}
# Auth process is run as this user.
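Review bot: The relocated `unix_listener /dev/shm/sasl-auth.sock` in the `service auth` hunk places the SASL socket on the container's `/dev/shm` tmpfs, which is only private to this container while it has its own IPC namespace; run with `--ipc=host` (or `--ipc=container:…`) the same path is visible to the host or to another container, where `user = postfix` / `group = postfix` and `mode = 0660` are enforced by numeric uid/gid that may map to different accounts there. Tightening from `mode = 0666` with `docker:docker` to `0660` with `postfix:postfix` is a clear improvement and should stay. Record both the reason and the caveat at the listener: `# on /dev/shm so the socket never lands inside the /var/spool/postfix volume (#3131); note /dev/shm is shared with the host/other containers when the IPC namespace is shared`. The enclosing `service auth {` block begins before this hunk.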


@ -0,0 +1,13 @@
service lmtp {
unix_listener lmtp {
mode = 0660
group = postfix
}
# Create inet listener only if you can't use the above UNIX socket
# and avoid making LMTP visible for the entire internet
#inet_listener lmtp {
# address = 127.0.0.1
# port = 24
#}
}
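Review bot: The new include file carries no header saying where it is pulled in from or that it is meant to be replaced as a unit, which matters because `10-master.conf` now reads it via `!include lmtp-master.inc` and the bundled `user-patches.sh` example in this same commit overwrites the whole file with `cat >/etc/dovecot/conf.d/lmtp-master.inc`. A leading comment such as `# LMTP service definition, included from 10-master.conf via '!include lmtp-master.inc'. Keep it self-contained: user-patches.sh may replace this file wholesale to switch to an inet listener.` would document that contract. The commented inet example binding `address = 127.0.0.1` instead of the old `0.0.0.0` is the right default for a container-internal listener.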


@ -77,7 +77,7 @@ postscreen_bare_newline_action = enforce
# SASL
smtpd_sasl_auth_enable = no
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_path = /dev/shm/sasl-auth.sock
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
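Review bot: `smtpd_sasl_path = /dev/shm/sasl-auth.sock` is an absolute path outside the Postfix queue directory, which an `smtpd` process can only open when it is not chrooted; that holds here because the `submission` and `smtps` entries in this commit's master.cf hunk carry `n` in the chroot column, but nothing in main.cf records the dependency, and a later switch to chrooted smtpd would break authentication silently. Suggest annotating the setting: `# absolute path outside the queue dir: only reachable because smtpd runs unchrooted (chroot column 'n' in master.cf)`. With `smtpd_sasl_auth_enable = no` on this line set, the socket is consulted only by the master.cf services that enable SASL with `-o smtpd_sasl_auth_enable=yes`, which is the intended least-exposure default.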


@ -19,7 +19,6 @@ submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sasl_authenticated_header=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
@ -33,7 +32,6 @@ smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sasl_authenticated_header=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject


@ -109,6 +109,9 @@ function _setup_apply_fixes_after_configuration
_log 'debug' 'Checking /var/mail permissions'
_chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
_log 'trace' 'Remove left-over files and directories from older versions'
rm -rf /var/spool/postfix/{dev,etc,lib,usr,private/auth}
}
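Review bot: The added `rm -rf /var/spool/postfix/{dev,etc,lib,usr,private/auth}` deletes paths that, per the commit title, sit inside the user's persisted volume, yet it runs unconditionally and announces itself only at `trace`, so an operator will not see that content was removed from their mount. Iterating over the list and logging each path that actually exists at `debug` before removing it keeps the cleanup while making it visible, and quoting the expanded variable avoids any surprise from word splitting. `_setup_apply_fixes_after_configuration` starts before this hunk.
```shell
  _log 'trace' 'Remove left-over files and directories from older versions'
  # These paths live inside the persisted /var/spool/postfix volume: say what is removed.
  local LEFTOVER
  for LEFTOVER in /var/spool/postfix/{dev,etc,lib,usr,private/auth}; do
    [[ -e ${LEFTOVER} || -L ${LEFTOVER} ]] || continue
    _log 'debug' "Removing left-over '${LEFTOVER}' from an older version"
    rm -rf "${LEFTOVER}"
  done
```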
function _run_user_patches


@ -3,12 +3,17 @@
# This user script will be executed between configuration and starting daemons
# To enable it you must save it in your config directory as "user-patches.sh"
##
echo "[user-patches.sh] Changing Dovecot LMTP service listener from a unix socket to TCP on port 24"
sedfile -i \
-e "s|unix_listener lmtp|inet_listener lmtp|" \
-e "s|mode = 0660|address = 0.0.0.0|" \
-e "s|group = postfix|port = 24|" \
/etc/dovecot/conf.d/10-master.conf
cat >/etc/dovecot/conf.d/lmtp-master.inc << EOF
service lmtp {
inet_listener lmtp {
address = 127.0.0.1
port = 24
}
}
EOF
### Before / After ###
@ -21,7 +26,7 @@ sedfile -i \
# service lmtp {
# inet_listener lmtp {
# address = 0.0.0.0
# address = 127.0.0.1
# port = 24
# }
# }
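Review bot: The heredoc at `cat >/etc/dovecot/conf.d/lmtp-master.inc << EOF` uses an unquoted delimiter, so its body is subject to `$` expansion and backquote substitution; the current body contains neither, but this is an example users copy, so quote it as `<< 'EOF'` so later edits adding `$` or backticks are written verbatim. Replacing the whole include with an `inet_listener` also drops the `unix_listener lmtp` that Postfix presumably delivers through, so the echo line or a comment should state that the Postfix LMTP transport must be pointed at `inet:127.0.0.1:24` as well — that side is not visible in this commit, so confirm against the Postfix configuration. The move from `address = 0.0.0.0` to `127.0.0.1` is the right tightening for a listener that only Postfix in the same container should reach.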