config: ensure SASL socket file is not inside a volume mount (#3131)

Dockerfile

@@ -53,7 +53,7 @@ EOF
 # --- Dovecot -----------------------------------
 # -----------------------------------------------
 
-COPY target/dovecot/auth-passwdfile.inc target/dovecot/auth-master.inc target/dovecot/??-*.conf /etc/dovecot/conf.d/
+COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/
 COPY target/dovecot/sieve/ /etc/dovecot/sieve/
 COPY target/dovecot/dovecot-purge.cron /etc/cron.d/dovecot-purge.disabled
 RUN chmod 0 /etc/cron.d/dovecot-purge.disabled

target/dovecot/10-master.conf

@@ -45,19 +45,7 @@ service pop3-login {
   }
 }
 
-service lmtp {
+!include lmtp-master.inc
-  unix_listener lmtp {
-    mode = 0660
-    group = postfix
-  }
-
-  # Create inet listener only if you can't use the above UNIX socket
-  #inet_listener lmtp {
-    # Avoid making LMTP visible for the entire internet
-    #address =
-    #port =
-  #}
-}
 
 service imap {
   # Most of the memory goes to mmap()ing files. You may need to increase this
@@ -100,10 +88,10 @@ service auth {
   }
 
   # Postfix smtp-auth
-  unix_listener /var/spool/postfix/private/auth {
+  unix_listener /dev/shm/sasl-auth.sock {
-    mode = 0666
+    mode = 0660
-    user = docker
+    user = postfix
-    group = docker
+    group = postfix
   }
 
   # Auth process is run as this user.

target/dovecot/lmtp-master.inc

@@ -0,0 +1,13 @@
+service lmtp {
+  unix_listener lmtp {
+    mode = 0660
+    group = postfix
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  # and avoid making LMTP visible for the entire internet
+  #inet_listener lmtp {
+  #  address = 127.0.0.1
+  #  port = 24
+  #}
+}

target/postfix/main.cf

@@ -77,7 +77,7 @@ postscreen_bare_newline_action = enforce
 
 # SASL
 smtpd_sasl_auth_enable = no
-smtpd_sasl_path = /var/spool/postfix/private/auth
+smtpd_sasl_path = /dev/shm/sasl-auth.sock
 smtpd_sasl_type = dovecot
 
 smtpd_sasl_security_options = noanonymous

target/postfix/master.cf

@@ -19,7 +19,6 @@ submission     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
-  -o smtpd_sasl_path=private/auth
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_sasl_authenticated_header=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
@@ -33,7 +32,6 @@ smtps          inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
-  -o smtpd_sasl_path=private/auth
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_sasl_authenticated_header=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

target/scripts/startup/setup-stack.sh

@@ -109,6 +109,9 @@ function _setup_apply_fixes_after_configuration
 
   _log 'debug' 'Checking /var/mail permissions'
   _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions'
+
+  _log 'trace' 'Remove left-over files and directories from older versions'
+  rm -rf /var/spool/postfix/{dev,etc,lib,usr,private/auth}
 }
 
 function _run_user_patches

test/config/dovecot-lmtp/user-patches.sh

@@ -3,12 +3,17 @@
 # This user script will be executed between configuration and starting daemons
 # To enable it you must save it in your config directory as "user-patches.sh"
 ##
+
 echo "[user-patches.sh] Changing Dovecot LMTP service listener from a unix socket to TCP on port 24"
-sedfile -i \
+
-  -e "s|unix_listener lmtp|inet_listener lmtp|" \
+cat >/etc/dovecot/conf.d/lmtp-master.inc << EOF
-  -e "s|mode = 0660|address = 0.0.0.0|" \
+service lmtp {
-  -e "s|group = postfix|port = 24|" \
+  inet_listener lmtp {
-  /etc/dovecot/conf.d/10-master.conf
+    address = 127.0.0.1
+    port = 24
+  }
+}
+EOF
 
 ### Before / After ###
 
@@ -21,7 +26,7 @@ sedfile -i \
 
 # service lmtp {
 #   inet_listener lmtp {
-#     address = 0.0.0.0
+#     address = 127.0.0.1
 #     port = 24
 #   }
 # }