[Dovecot] group auth files

FreddleSpl0it 2023-05-16 09:56:23 +02:00
parent 2f97e6efe8
commit 694e122ce0
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
3 changed files with 15 additions and 15 deletions


@ -28,7 +28,7 @@ ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
# Create missing directories # Create missing directories
[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/ [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/ [[ ! -d /etc/dovecot/auth/ ]] && mkdir -p /etc/dovecot/auth/
[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
@ -128,7 +128,7 @@ user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format
iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2'; iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
EOF EOF
cat <<EOF > /etc/dovecot/lua/passwd-verify.lua cat <<EOF > /etc/dovecot/auth/passwd-verify.lua
function auth_password_verify(request, password) function auth_password_verify(request, password)
if request.domain == nil then if request.domain == nil then
return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user" return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
@ -173,10 +173,10 @@ function auth_password_verify(request, password)
-- check against app passwds for imap and smtp -- check against app passwds for imap and smtp
-- app passwords are only available for imap, smtp, sieve and pop3 when using sasl -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then if request.service == "smtp" or request.service == "imap" or request.service == "sieve" or request.service == "pop3" then
skip_sasl_log = true skip_sasl_log = false
req.protocol = {} req.protocol = {}
if tostring(req.real_rip) ~= "__IPV4_SOGO__" then if tostring(req.real_rip) ~= "__IPV4_SOGO__" then
skip_sasl_log = false skip_sasl_log = true
req.protocol[request.service] = true req.protocol[request.service] = true
end end
req_json = json.encode(req) req_json = json.encode(req)
@ -194,7 +194,7 @@ function auth_password_verify(request, password)
} }
local api_response = json.decode(table.concat(res)) local api_response = json.decode(table.concat(res))
if api_response.role == 'user' then if api_response.role == 'user' then
if skip_sasl_log == true then if skip_sasl_log == false then
con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip) con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip))) VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
end end
@ -213,10 +213,10 @@ end
EOF EOF
# Replace patterns in app-passdb.lua # Replace patterns in app-passdb.lua
sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/auth/passwd-verify.lua
sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/auth/passwd-verify.lua
sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/auth/passwd-verify.lua
sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/auth/passwd-verify.lua
# Migrate old sieve_after file # Migrate old sieve_after file
@ -333,8 +333,8 @@ done
# Fix permissions # Fix permissions
chown root:root /etc/dovecot/sql/*.conf chown root:root /etc/dovecot/sql/*.conf
chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/auth/passwd-verify.lua
chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/auth/passwd-verify.lua
chown -R vmail:vmail /var/vmail/sieve chown -R vmail:vmail /var/vmail/sieve
chown -R vmail:vmail /var/volatile chown -R vmail:vmail /var/volatile
chown -R vmail:vmail /var/vmail_index chown -R vmail:vmail /var/vmail_index
@ -403,6 +403,6 @@ done
# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth # For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
# May be related to something inside Docker, I seriously don't know # May be related to something inside Docker, I seriously don't know
touch /etc/dovecot/lua/passwd-verify.lua touch /etc/dovecot/auth/passwd-verify.lua
exec "$@" exec "$@"
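Review bot: The relocation to /etc/dovecot/auth/ never removes the previous /etc/dovecot/lua/passwd-verify.lua, so on a deployment where /etc/dovecot survives container recreation (not visible here) a stale copy that already had `__DBPASS__` substituted into it stays on disk, outside the `chown root:dovecot` / `chmod 640` now applied only at the new path; a cleanup step next to `# Migrate old sieve_after file`, e.g. `rm -f /etc/dovecot/lua/passwd-verify.lua`, would close that, and the new directory from `mkdir -p /etc/dovecot/auth/` could get an explicit owner and mode as the file does. In the embedded Lua, the renamed flag `skip_sasl_log` (like `req_json`) is still assigned without `local`, so it lives in the script's global state between calls rather than per request; `local skip_sasl_log = false` declared just before the `if request.service == "smtp" ...` test would scope it, provided the later `if skip_sasl_log == false then` sits in the same enclosing block, which the hunks do not show. The flipped default, the flipped assignment under `~= "__IPV4_SOGO__"` and the flipped test cancel out, so the set of requests that reach the sasl_log REPLACE is unchanged by this commit. auth_password_verify's body extends beyond these hunks.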


@ -42,7 +42,7 @@ require_once 'functions.inc.php';
require_once 'functions.auth.inc.php'; require_once 'functions.auth.inc.php';
require_once 'sessions.inc.php'; require_once 'sessions.inc.php';
// Init Keycloak Provider // Init provider
$iam_provider = identity_provider('init'); $iam_provider = identity_provider('init');
$result = check_login($post['username'], $post['password'], $post['protocol'], true); $result = check_login($post['username'], $post['password'], $post['protocol'], true);


@ -47,7 +47,7 @@ mail_shared_explicit_inbox = yes
mail_prefetch_count = 30 mail_prefetch_count = 30
passdb { passdb {
driver = lua driver = lua
args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
result_success = return-ok result_success = return-ok
result_failure = continue result_failure = continue
result_internalfail = continue result_internalfail = continue
@ -63,7 +63,7 @@ passdb {
# a return of the following passdb is mandatory # a return of the following passdb is mandatory
passdb { passdb {
driver = lua driver = lua
args = file=/etc/dovecot/lua/passwd-verify.lua blocking=yes args = file=/etc/dovecot/auth/passwd-verify.lua blocking=yes
} }
# Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing) # Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
service doveadm { service doveadm {