diff --git a/README.md b/README.md index 44c83ab0..75677aef 100644 --- a/README.md +++ b/README.md @@ -808,6 +808,30 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1` - empty or 0 => `ldap://` will be used - 1 => `ldaps://` will be used +##### SASLAUTHD_LDAP_START_TLS + +- **empty** => `no` +- `yes` => Enable `ldap_start_tls` option + +##### SASLAUTHD_LDAP_TLS_CHECK_PEER + +- **empty** => `no` +- `yes` => Enable `ldap_tls_check_peer` option + +##### SASLAUTHD_LDAP_TLS_CACERT_DIR + +Path to directory with CA (Certificate Authority) certificates. + +- **empty** => Nothing is added to the configuration +- Any value => Fills the `ldap_tls_cacert_dir` option + +##### SASLAUTHD_LDAP_TLS_CACERT_FILE + +File containing CA (Certificate Authority) certificate(s). + +- **empty** => Nothing is added to the configuration +- Any value => Fills the `ldap_tls_cacert_file` option + ##### SASLAUTHD_LDAP_BIND_DN - empty => anonymous bind @@ -830,11 +854,31 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1` - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))` - e.g. for openldap: `(&(uid=%U)(objectClass=person))` +##### SASLAUTHD_LDAP_PASSWORD_ATTR + +Specify what password attribute to use for password verification. + +- **empty** => Nothing is added to the configuration but the documentation says it is `userPassword` by default. +- Any value => Fills the `ldap_password_attr` option + ##### SASL_PASSWD - **empty** => No sasl_passwd will be created - string => `/etc/postfix/sasl_passwd` will be created with the string as password +##### SASLAUTHD_LDAP_AUTH_METHOD + +- **empty** => `bind` will be used as a default value +- `fastbind` => The fastbind method is used +- `custom` => The custom method uses userPassword attribute to verify the password + +##### SASLAUTHD_LDAP_MECH + +Specify the authentication mechanism for SASL bind. + +- **empty** => Nothing is added to the configuration +- Any value => Fills the `ldap_mech` option + #### SRS (Sender Rewriting Scheme) ##### SRS_SENDER_CLASSES diff --git a/mailserver.env b/mailserver.env index b0fa8591..94c37391 100644 --- a/mailserver.env +++ b/mailserver.env @@ -343,12 +343,38 @@ SASLAUTHD_LDAP_START_TLS= # empty => no # yes => Require and verify server certificate +# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR. SASLAUTHD_LDAP_TLS_CHECK_PEER= +# File containing CA (Certificate Authority) certificate(s). +# empty => Nothing is added to the configuration +# Any value => Fills the `ldap_tls_cacert_file` option +SASLAUTHD_LDAP_TLS_CACERT_FILE= + +# Path to directory with CA (Certificate Authority) certificates. +# empty => Nothing is added to the configuration +# Any value => Fills the `ldap_tls_cacert_dir` option +SASLAUTHD_LDAP_TLS_CACERT_DIR= + +# Specify what password attribute to use for password verification. +# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default. +# Any value => Fills the `ldap_password_attr` option +SASLAUTHD_LDAP_PASSWORD_ATTR= + # empty => No sasl_passwd will be created # string => `/etc/postfix/sasl_passwd` will be created with the string as password SASL_PASSWD= +# empty => `bind` will be used as a default value +# `fastbind` => The fastbind method is used +# `custom` => The custom method uses userPassword attribute to verify the password +SASLAUTHD_LDAP_AUTH_METHOD= + +# Specify the authentication mechanism for SASL bind +# empty => Nothing is added to the configuration +# Any value => Fills the `ldap_mech` option +SASLAUTHD_LDAP_MECH= + # ––––––––––––––––––––––––––––––––––––––––––––––– # ––– SRS Section ––––––––––––––––––––––––––––––– # ––––––––––––––––––––––––––––––––––––––––––––––– diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 9cb951b0..666c4b75 100755 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -917,6 +917,35 @@ function _setup_saslauthd [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no [[ -z ${SASLAUTHD_LDAP_TLS_CHECK_PEER} ]] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no + [[ -z ${SASLAUTHD_LDAP_AUTH_METHOD} ]] && SASLAUTHD_LDAP_AUTH_METHOD=bind + + if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]] + then + SASLAUTHD_LDAP_TLS_CACERT_FILE="" + else + SASLAUTHD_LDAP_TLS_CACERT_FILE="ldap_tls_cacert_file: ${SASLAUTHD_LDAP_TLS_CACERT_FILE}" + fi + + if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_DIR} ]] + then + SASLAUTHD_LDAP_TLS_CACERT_DIR="" + else + SASLAUTHD_LDAP_TLS_CACERT_DIR="ldap_tls_cacert_dir: ${SASLAUTHD_LDAP_TLS_CACERT_DIR}" + fi + + if [[ -z ${SASLAUTHD_LDAP_PASSWORD_ATTR} ]] + then + SASLAUTHD_LDAP_PASSWORD_ATTR="" + else + SASLAUTHD_LDAP_PASSWORD_ATTR="ldap_password_attr: ${SASLAUTHD_LDAP_PASSWORD_ATTR}" + fi + + if [[ -z ${SASLAUTHD_LDAP_MECH} ]] + then + SASLAUTHD_LDAP_MECH="" + else + SASLAUTHD_LDAP_MECH="ldap_mech: ${SASLAUTHD_LDAP_MECH}" + fi if [[ ! -f /etc/saslauthd.conf ]] then @@ -924,7 +953,7 @@ function _setup_saslauthd cat > /etc/saslauthd.conf << EOF ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} -ldap_auth_method: bind +ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD} ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN} ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD} @@ -934,6 +963,11 @@ ldap_filter: ${SASLAUTHD_LDAP_FILTER} ldap_start_tls: ${SASLAUTHD_LDAP_START_TLS} ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER} +${SASLAUTHD_LDAP_TLS_CACERT_FILE} +${SASLAUTHD_LDAP_TLS_CACERT_DIR} +${SASLAUTHD_LDAP_PASSWORD_ATTR} +${SASLAUTHD_LDAP_MECH} + ldap_referrals: yes log_level: 10 EOF