From 0cd624368e4de7c4091915013fe699a7a8fc879c Mon Sep 17 00:00:00 2001
From: Keval Kapdee
Date: Sun, 13 Aug 2023 17:48:40 +0100
Subject: [PATCH] Dovecot xoauth2 login
---
 Dockerfile | 7 +++++++
 mailserver.env | 18 +++++++++++++++++-
 target/dovecot/10-auth.conf | 1 +
 target/dovecot/auth-oauth2.conf.ext | 12 ++++++++++++
 target/dovecot/dovecot-oauth2.conf.ext | 3 +++
 target/scripts/start-mailserver.sh | 5 +++--
 target/scripts/startup/setup.d/oauth2.sh | 14 ++++++++++++++
 target/scripts/startup/variables-stack.sh | 8 ++++++++
 8 files changed, 65 insertions(+), 3 deletions(-)
 create mode 100644 target/dovecot/auth-oauth2.conf.ext
 create mode 100644 target/dovecot/dovecot-oauth2.conf.ext
 create mode 100644 target/scripts/startup/setup.d/oauth2.sh
diff --git a/Dockerfile b/Dockerfile
index 4d0e3568..71f7e888 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -107,6 +107,13 @@ EOF
 COPY target/rspamd/local.d/ /etc/rspamd/local.d/
+# -----------------------------------------------
+# --- OAUTH2 ------------------------------------
+# -----------------------------------------------
+
+COPY target/dovecot/auth-oauth2.conf.ext /etc/dovecot/conf.d
+COPY target/dovecot/dovecot-oauth2.conf.ext /etc/dovecot
+
 # -----------------------------------------------
 # --- LDAP & SpamAssassin's Cron ----------------
 # -----------------------------------------------
diff --git a/mailserver.env b/mailserver.env
index e84157a2..8a4dc834 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -41,8 +41,8 @@ DMS_VMAIL_UID=
 DMS_VMAIL_GID=
 # **empty** => use FILE
+# OAUTH2 => use OAUTH2 authentication (unstable and unfinished)
 # LDAP => use LDAP authentication
-# OIDC => use OIDC authentication (not yet implemented)
 # FILE => use local files (this is used as the default)
 ACCOUNT_PROVISIONER=
@@ -419,6 +419,22 @@ ENABLE_GETMAIL=0
 # The number of minutes for the interval. Min: 1; Max: 30.
 GETMAIL_POLL=5
+# -----------------------------------------------
+# --- OAUTH2 Section ----------------------------
+# -----------------------------------------------
+
+# empty => verySecretId
+# Specify the OAuth2 client ID
+OAUTH2_CLIENT_ID=
+
+# empty => verySecretSecret
+# Specify the OAuth2 client secret
+OAUTH2_CLIENT_SECRET=
+
+# empty => https://oauth2.domain.com/user_info?token=
+# Specify the user info endpoint URL of the oauth2 provider
+OAUTH2_TOKENINFO_URL=
+
 # -----------------------------------------------
 # --- LDAP Section ------------------------------
 # -----------------------------------------------
diff --git a/target/dovecot/10-auth.conf b/target/dovecot/10-auth.conf
index f71289e9..59e0e14f 100644
--- a/target/dovecot/10-auth.conf
+++ b/target/dovecot/10-auth.conf
@@ -121,6 +121,7 @@ auth_mechanisms = plain login
 #!include auth-system.conf.ext
 #!include auth-sql.conf.ext
+#!include auth-oauth2.conf.ext
 #!include auth-ldap.conf.ext
 !include auth-passwdfile.inc
 #!include auth-checkpassword.conf.ext
diff --git a/target/dovecot/auth-oauth2.conf.ext b/target/dovecot/auth-oauth2.conf.ext
new file mode 100644
index 00000000..826ec20d
--- /dev/null
+++ b/target/dovecot/auth-oauth2.conf.ext
@@ -0,0 +1,12 @@
+auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+
+passdb {
+ driver = oauth2
+ mechanisms = xoauth2 oauthbearer
+ args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
+
+userdb {
+ driver = static
+ args = uid=docker gid=docker home=/var/mail/%d/%u/home/
+}
diff --git a/target/dovecot/dovecot-oauth2.conf.ext b/target/dovecot/dovecot-oauth2.conf.ext
new file mode 100644
index 00000000..54ca80d6
--- /dev/null
+++ b/target/dovecot/dovecot-oauth2.conf.ext
@@ -0,0 +1,3 @@
+client_id = verySecretId
+client_secret = verySecretSecret
+tokeninfo_url = https://oauth2.domain.com/user_info?token=
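Review bot: The `# empty => verySecretId`, `# empty => verySecretSecret` and `# empty => https://oauth2.domain.com/user_info?token=` comments document that an unset variable keeps the placeholder shipped in dovecot-oauth2.conf.ext, so a container started with ACCOUNT_PROVISIONER=OAUTH2 and no OAUTH2_* values comes up with a published client secret and a token endpoint at a domain the operator does not control instead of refusing to start; the same gap is visible in the dovecot-oauth2.conf.ext hunk below and in the empty `:=` defaults of the variables-stack.sh hunk. All three values are required once this provisioner is selected, so the startup path should fail init when any of them is empty (the `_dms_panic__fail_init` helper the removed OIDC arm called is the existing tool for that), and these comments should read `# required when ACCOUNT_PROVISIONER=OAUTH2` rather than present the placeholder as a default. The `tokeninfo_url` wording is also misleading: per Dovecot's oauth2 passdb documentation this is the token-introspection URL to which Dovecot appends the access token verbatim, which is why the example ends in `?token=`; suggest `# Specify the token-info (introspection) URL of the OAuth2 provider; Dovecot appends the access token to it, hence the trailing ?token=`.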
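Review bot: `args = uid=docker gid=docker home=/var/mail/%d/%u/home/` in the static userdb expands `%u` to the full login name including the domain, so the home path repeats the domain (for a constructed login user@example.com that is `/var/mail/example.com/user@example.com/home/`); if the intent is the same layout as the existing passwd-file accounts, `%n` (the local part) is probably what is wanted — verify against the userdb used by auth-passwdfile.inc. Separately, a `static` userdb means every identity for which the provider issues a valid token is accepted as a mailbox owner, with nothing tying it to accounts DMS knows about; that may be intended for this provisioner, but it is a policy decision that deserves a comment in the file, e.g. `# static userdb: any user the OAuth2 provider vouches for is accepted; no local account list is consulted`.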
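Review bot: The file sets no `tls_ca_cert_file` (or the other TLS options the Dovecot oauth2 passdb supports), so whether the certificate of the `tokeninfo_url` host is validated depends on Dovecot's global SSL client settings in this image — worth confirming explicitly, because the introspection response is the entire credential and an unvalidated HTTPS connection would let anything on the path answer it. Beyond that, `client_secret = verySecretSecret` and `tokeninfo_url = https://oauth2.domain.com/user_info?token=` stay live when no OAUTH2_* environment is supplied (raised on the mailserver.env hunk); a header comment such as `# placeholders: overwritten at startup from OAUTH2_* env by _setup_oauth2` would make that explicit to anyone reading the shipped file.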
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index 2129b74a..1dc27bf3 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -62,8 +62,9 @@ function _register_functions() {
 _register_setup_function '_setup_ldap'
 ;;
- ( 'OIDC' )
- _dms_panic__fail_init 'OIDC user account provisioning - it is not yet implemented'
+ ( 'OAUTH2' )
+ _environment_variables_oauth2
+ _register_setup_function '_setup_oauth2'
 ;;
 ( * )
diff --git a/target/scripts/startup/setup.d/oauth2.sh b/target/scripts/startup/setup.d/oauth2.sh
new file mode 100644
index 00000000..4a217c25
--- /dev/null
+++ b/target/scripts/startup/setup.d/oauth2.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+function _setup_oauth2() {
+ _log 'debug' 'Setting up OAUTH2'
+
+ sed -i -e '/\!include auth-oauth2\.conf\.ext/s/^#//' /etc/dovecot/conf.d/10-auth.conf
+ sed -i -e '/\!include auth-passwdfile\.inc/s/^/#/' /etc/dovecot/conf.d/10-auth.conf
+
+ _log 'trace' "Configuring Dovecot OAUTH2"
+
+ _replace_by_env_in_file 'OAUTH2_' '/etc/dovecot/dovecot-oauth2.conf.ext'
+
+ return 0
+}
diff --git a/target/scripts/startup/variables-stack.sh b/target/scripts/startup/variables-stack.sh
index 2660ce89..1fc2fe85 100644
--- a/target/scripts/startup/variables-stack.sh
+++ b/target/scripts/startup/variables-stack.sh
@@ -151,6 +151,14 @@ function __environment_variables_general_setup() {
 VARS[UPDATE_CHECK_INTERVAL]="${UPDATE_CHECK_INTERVAL:=1d}"
 }
+function _environment_variables_oauth2() {
+ _log 'debug' 'Setting OAUTH2-related environment variables now'
+
+ VARS[OAUTH2_CLIENT_ID]="${OAUTH2_CLIENT_ID:=}"
+ VARS[OAUTH2_CLIENT_SECRET]="${OAUTH2_CLIENT_SECRET:=}"
+ VARS[OAUTH2_TOKENINFO_URL]="${OAUTH2_TOKENINFO_URL:=}"
+}
+
 # This function handles environment variables related to LDAP.
 # NOTE: SASLAuthd and Dovecot LDAP support inherit these common ENV.
 function _environment_variables_ldap() {
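Review bot: Replacing `( 'OIDC' )` with `( 'OAUTH2' )` drops a value that was previously documented in mailserver.env, so an operator still setting ACCOUNT_PROVISIONER=OIDC will now fall through to the `( * )` arm and, presumably, a generic unknown-value failure rather than a pointer to the new name. A transitional arm would keep the diagnostic precise: `( 'OIDC' )` / `  _dms_panic__fail_init 'ACCOUNT_PROVISIONER=OIDC was renamed to OAUTH2'` / `  ;;`. The enclosing `_register_functions` starts and ends outside the hunk.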
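Review bot: After `_replace_by_env_in_file 'OAUTH2_' '/etc/dovecot/dovecot-oauth2.conf.ext'` the file holds the real client secret, but nothing in this function restricts its mode and the Dockerfile COPY leaves it at default permissions; unless the image already tightens the Dovecot config tree elsewhere, add `chmod 600 /etc/dovecot/dovecot-oauth2.conf.ext` after the substitution (Dovecot's config process normally reads it as root, so no wider mode should be needed — confirm). The two `sed -i` lines flip includes in 10-auth.conf without checking that either pattern matched, and their intent is not stated; a comment such as `# enable the OAuth2 passdb and disable passwd-file auth so only provider tokens are accepted` would help the next reader. Minor style point: `_log 'trace' "Configuring Dovecot OAUTH2"` uses double quotes where the rest of the function uses single quotes.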
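Review bot: `VARS[OAUTH2_CLIENT_SECRET]="${OAUTH2_CLIENT_SECRET:=}"` places the client secret in VARS next to non-sensitive settings; if VARS is later persisted to a settings file, as the surrounding `_environment_variables_*` entries appear to be, the secret is written there too and that file's permissions need checking — whatever `_environment_variables_ldap` does with its bind credentials is the precedent to follow. The empty `:=` defaults for all three variables also mean an unset value silently leaves the placeholders in dovecot-oauth2.conf.ext in force rather than failing init (raised on the mailserver.env hunk). A one-line header like `# Required when ACCOUNT_PROVISIONER=OAUTH2; consumed by _setup_oauth2 via _replace_by_env_in_file` would match the documentation style of the LDAP function that follows.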