From 41b471fb140fc8fe381c11e7d1bd538356fcacba Mon Sep 17 00:00:00 2001 From: Jam Balaya Date: Sun, 21 Jan 2024 20:21:29 +0900 Subject: [PATCH 1/6] fix(typo): comment on mailserver.env (#3799) Thanks! --- mailserver.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mailserver.env b/mailserver.env index 9b085c9f..1d131696 100644 --- a/mailserver.env +++ b/mailserver.env @@ -388,7 +388,7 @@ SPAMASSASSIN_SPAM_TO_INBOX=1 # spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required) MOVE_SPAM_TO_JUNK=1 -# spam messages wil be marked as read +# spam messages will be marked as read MARK_SPAM_AS_READ=0 # add 'spam info' headers at, or above this level From 3cbcdb2d6517b6c61818afb49c0eb58ee82b6202 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 21 Jan 2024 12:31:10 +0100 Subject: [PATCH 2/6] docs: update `CONTRIBUTORS.md` (#3798) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Casper --- CONTRIBUTORS.md | 215 ++++++++++++++++++++++++++---------------------- 1 file changed, 115 insertions(+), 100 deletions(-) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 53254c78..f86435f4 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -814,14 +814,21 @@ Thanks goes to these wonderful people ✨ fl42 + + + nilshoell +
+ nilshoell + + + stigok
stigok - - + 5ven @@ -856,15 +863,15 @@ Thanks goes to these wonderful people ✨
thomasschmit - + + Thiritin
Thiritin - - + tweibert @@ -899,15 +906,15 @@ Thanks goes to these wonderful people ✨
k3it - + + Drakulix
Drakulix - - + vilisas @@ -942,13 +949,6 @@ Thanks goes to these wonderful people ✨
allddd - - - - nilshoell -
- nilshoell - @@ -1022,21 +1022,28 @@ Thanks goes to these wonderful people ✨ romansey + + + norrs +
+ norrs + + MightySCollins
MightySCollins - + + 501st-alpha1
501st-alpha1 - - + klamann @@ -1071,15 +1078,15 @@ Thanks goes to these wonderful people ✨
sjmudd - + + simonsystem
simonsystem - - + stephan-devop @@ -1114,15 +1121,15 @@ Thanks goes to these wonderful people ✨
okamidash - + + olaf-mandel
olaf-mandel - - + ontheair81 @@ -1157,15 +1164,15 @@ Thanks goes to these wonderful people ✨
rmlhuk - + + rriski
rriski - - + schnippl0r @@ -1200,15 +1207,15 @@ Thanks goes to these wonderful people ✨
strarsis - + + tamueller
tamueller - - + vivacarvajalito @@ -1243,15 +1250,15 @@ Thanks goes to these wonderful people ✨
arcaine2 - + + awb99
awb99 - - + brainkiller @@ -1286,15 +1293,15 @@ Thanks goes to these wonderful people ✨
eleith - + + ghnp5
ghnp5 - - + helmutundarnold @@ -1329,15 +1336,15 @@ Thanks goes to these wonderful people ✨
ixeft - + + jjtt
jjtt - - + paralax @@ -1372,15 +1379,15 @@ Thanks goes to these wonderful people ✨
marios88 - + + matrixes
matrixes - - + mchamplain @@ -1388,13 +1395,6 @@ Thanks goes to these wonderful people ✨ mchamplain - - - 0xflotus -
- 0xflotus - - auchri @@ -1452,21 +1452,28 @@ Thanks goes to these wonderful people ✨ danielvandenberg95 + + + denisix +
+ denisix + + mlatorre31
mlatorre31 - + + mazzz1y
mazzz1y - - + aydodo @@ -1501,15 +1508,15 @@ Thanks goes to these wonderful people ✨
ekkis - + + ErikEngerd
ErikEngerd - - + huncode @@ -1532,12 +1539,20 @@ Thanks goes to these wonderful people ✨ - - froks + + thechubbypanda
- froks + thechubbypanda + + + 0xflotus +
+ 0xflotus + + + ifokeev @@ -1551,8 +1566,7 @@ Thanks goes to these wonderful people ✨
20th - - + 2b @@ -1580,7 +1594,8 @@ Thanks goes to these wonderful people ✨
vifino - + + kachkaev @@ -1594,8 +1609,7 @@ Thanks goes to these wonderful people ✨
alexanderneu - - + ch3sh1r @@ -1623,7 +1637,8 @@ Thanks goes to these wonderful people ✨
green-anger - + + iRhonin @@ -1637,8 +1652,7 @@ Thanks goes to these wonderful people ✨
MrFreezeex - - + arunvc @@ -1666,7 +1680,8 @@ Thanks goes to these wonderful people ✨
spock - + + erdos4d @@ -1680,14 +1695,6 @@ Thanks goes to these wonderful people ✨
crash7 - - - - - fkefer -
- fkefer - @@ -1716,15 +1723,15 @@ Thanks goes to these wonderful people ✨
LeoWinterDE - + + linhandev
linhandev - - + luke- @@ -1759,15 +1766,15 @@ Thanks goes to these wonderful people ✨
maxemann96 - + + dragetd
dragetd - - + michaeljensen @@ -1802,15 +1809,15 @@ Thanks goes to these wonderful people ✨
MohammedNoureldin - + + mpldr
mpldr - - + naveensrinivasan @@ -1832,6 +1839,21 @@ Thanks goes to these wonderful people ✨ radicand + + + froks +
+ froks + + + + + fkefer +
+ fkefer + + + frugan-dev @@ -1852,8 +1874,7 @@ Thanks goes to these wonderful people ✨
glandais - - + GiovanH @@ -1874,7 +1895,8 @@ Thanks goes to these wonderful people ✨
HeySora - + + sirgantrithon @@ -1895,8 +1917,7 @@ Thanks goes to these wonderful people ✨
jcalfee - - + mivek @@ -1917,7 +1938,8 @@ Thanks goes to these wonderful people ✨
Jeidnx - + + JiLleON @@ -1938,8 +1960,7 @@ Thanks goes to these wonderful people ✨
jmccl - - + jurekbarth @@ -1960,20 +1981,14 @@ Thanks goes to these wonderful people ✨
Kaan88 - + + akkumar
akkumar - - - - thechubbypanda -
- thechubbypanda - From 37f4c853b2e319d33ed5eed63837fc94f2976010 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 21:02:49 +0100 Subject: [PATCH 3/6] chore(deps): Bump actions/cache from 3 to 4 (#3807) --- .github/workflows/generic_build.yml | 2 +- .github/workflows/generic_publish.yml | 2 +- .github/workflows/generic_test.yml | 2 +- .github/workflows/generic_vulnerability-scan.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/generic_build.yml b/.github/workflows/generic_build.yml index 0f375d45..ccef46f5 100644 --- a/.github/workflows/generic_build.yml +++ b/.github/workflows/generic_build.yml @@ -64,7 +64,7 @@ jobs: # When full, the least accessed cache upload is evicted to free up storage. # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows - name: 'Handle Docker build layer cache' - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: cache-buildx-${{ steps.derive-image-cache-key.outputs.digest }} diff --git a/.github/workflows/generic_publish.yml b/.github/workflows/generic_publish.yml index 00771221..d7a791c5 100644 --- a/.github/workflows/generic_publish.yml +++ b/.github/workflows/generic_publish.yml @@ -46,7 +46,7 @@ jobs: # NOTE: Until adopting `type=gha` scoped cache exporter (in `docker/build-push-action`), # only AMD64 image is expected to be cached, ARM images will build from scratch. - name: 'Retrieve image build from build cache' - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: cache-buildx-${{ inputs.cache-key }} diff --git a/.github/workflows/generic_test.yml b/.github/workflows/generic_test.yml index 5b8bac62..2c1d1045 100644 --- a/.github/workflows/generic_test.yml +++ b/.github/workflows/generic_test.yml @@ -29,7 +29,7 @@ jobs: # This should always be a cache-hit, thus `restore-keys` fallback is not used. # No new cache uploads should ever happen for this job. - name: 'Retrieve image built from build cache' - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: cache-buildx-${{ inputs.cache-key }} diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index 896ee80e..f8f87ba3 100644 --- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -28,7 +28,7 @@ jobs: # This should always be a cache-hit, thus `restore-keys` fallback is not used. # No new cache uploads should ever happen for this job. - name: 'Retrieve image built from build cache' - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: /tmp/.buildx-cache key: cache-buildx-${{ inputs.cache-key }} From 315f33c9fe8fad64bee1f8f4a93e67e887e870ae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jan 2024 15:36:53 +1300 Subject: [PATCH 4/6] chore(deps): Bump anchore/scan-action from 3.5.0 to 3.6.0 (#3808) Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 3.5.0 to 3.6.0. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/anchore/scan-action/compare/v3.5.0...v3.6.0) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- .github/workflows/generic_vulnerability-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generic_vulnerability-scan.yml b/.github/workflows/generic_vulnerability-scan.yml index f8f87ba3..b261de91 100644 --- a/.github/workflows/generic_vulnerability-scan.yml +++ b/.github/workflows/generic_vulnerability-scan.yml @@ -55,7 +55,7 @@ jobs: provenance: false - name: 'Run the Anchore Grype scan action' - uses: anchore/scan-action@v3.5.0 + uses: anchore/scan-action@v3.6.0 id: scan with: image: mailserver-testing:ci From d40a17f7e071005faf71e39a09dd040b370f5fb4 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Tue, 23 Jan 2024 23:51:10 +1300 Subject: [PATCH 5/6] fix: Ensure correct ownership for the Rspamd DKIM directory (#3813) The UID / GID shifted during a new release. Until DKIM handling is refactored in a new major release, this fix ensures the content maintains the expected `_rspamd` ownership. --- target/scripts/startup/setup-stack.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index f55cb548..c3c54cc3 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -94,6 +94,10 @@ function _setup_apply_fixes_after_configuration() { _log 'debug' 'Removing files and directories from older versions' rm -rf /var/mail-state/spool-postfix/{dev,etc,lib,pid,usr,private/auth} + + # /tmp/docker-mailserver/rspamd/dkim + _log 'debug' "Ensuring ${RSPAMD_DMS_DKIM_D} is owned by '_rspamd:_rspamd'" + chown -R _rspamd:_rspamd "${RSPAMD_DMS_DKIM_D}" } function _run_user_patches() { From 611a66bf98ab14065e9915105154bc53bb9012fb Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Wed, 24 Jan 2024 07:11:05 +1300 Subject: [PATCH 6/6] fix: Correctly support multiple Dovecot PassDBs (#3812) * fix: Dovecot PassDB should restrict allowed auth mechanisms This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban. Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used. * tests: Use `curl` for OAuth2 login test-cases instead of netcat `curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate. * chore: Add entry to `CHANGELOG.md` --- CHANGELOG.md | 7 +++ target/dovecot/auth-ldap.conf.ext | 21 ++++++++ target/dovecot/auth-oauth2.conf.ext | 7 +++ target/dovecot/auth-passwdfile.inc | 1 + test/config/oauth2/Caddyfile | 3 ++ test/files/auth/imap-oauth2-oauthbearer.txt | 4 -- test/files/auth/imap-oauth2-xoauth2.txt | 4 -- test/tests/serial/mail_with_oauth2.bats | 54 ++++++++++++++++++--- 8 files changed, 85 insertions(+), 16 deletions(-) create mode 100644 target/dovecot/auth-ldap.conf.ext delete mode 100644 test/files/auth/imap-oauth2-oauthbearer.txt delete mode 100644 test/files/auth/imap-oauth2-xoauth2.txt diff --git a/CHANGELOG.md b/CHANGELOG.md index 74acdc61..ffb96636 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,13 @@ All notable changes to this project will be documented in this file. The format > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes. +### Fixes + +**Dovecot:** + - Restrict the auth mechanisms for PassDB configs we manage (oauth2, passwd-file, ldap) ([#3812](https://github.com/docker-mailserver/docker-mailserver/pull/3812)) + - Prevents misleading auth failures from attempting to authenticate against a PassDB with incompatible auth mechanisms. + - When the new OAuth2 feature was enabled, it introduced false-positives with logged auth failures which triggered Fail2Ban to ban the IP. + ## [v13.3.0](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v13.3.0) ### Features diff --git a/target/dovecot/auth-ldap.conf.ext b/target/dovecot/auth-ldap.conf.ext new file mode 100644 index 00000000..222769aa --- /dev/null +++ b/target/dovecot/auth-ldap.conf.ext @@ -0,0 +1,21 @@ +# NOTE: This is effectively the same default LDAP config shipped by Dovecot +# The only difference is the addition of the passdb mechanisms field, +# which restricts what auth mechanisms are supported / expected. +# This prevents unnecessary auth failure logs triggering Fail2Ban when +# additional passdb are enabled (OAuth2). + +passdb { + driver = ldap + mechanism = plain login + + # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext + args = /etc/dovecot/dovecot-ldap.conf.ext +} + +userdb { + driver = ldap + args = /etc/dovecot/dovecot-ldap.conf.ext + + # Default fields can be used to specify defaults that LDAP may override + #default_fields = home=/home/virtual/%u +} diff --git a/target/dovecot/auth-oauth2.conf.ext b/target/dovecot/auth-oauth2.conf.ext index 6096d1e4..99a7986b 100644 --- a/target/dovecot/auth-oauth2.conf.ext +++ b/target/dovecot/auth-oauth2.conf.ext @@ -1,5 +1,12 @@ +# Allow clients to use these additional mechanisms: auth_mechanisms = $auth_mechanisms oauthbearer xoauth2 +# Dovecot docs consider the oauth2 driver as a "success/failure" type PassDB: +# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/#success-failure-database +# Which implies it cannot be configured for the non-plaintext SASL mechanisms listed here: +# https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/#dovecot-supports-the-following-non-plaintext-mechanisms +# However that is not the case, these mechanisms are still valid to prevent trying other incompatible mechanisms (like `plain`). + passdb { driver = oauth2 mechanisms = xoauth2 oauthbearer diff --git a/target/dovecot/auth-passwdfile.inc b/target/dovecot/auth-passwdfile.inc index 6bbf8258..38be4e5f 100644 --- a/target/dovecot/auth-passwdfile.inc +++ b/target/dovecot/auth-passwdfile.inc @@ -9,6 +9,7 @@ passdb { driver = passwd-file + mechanisms = plain login args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb } diff --git a/test/config/oauth2/Caddyfile b/test/config/oauth2/Caddyfile index e116aa55..f87ffc80 100644 --- a/test/config/oauth2/Caddyfile +++ b/test/config/oauth2/Caddyfile @@ -38,6 +38,9 @@ } } +# NOTE: This portion of config is only relevant for understanding what happens seamlesssly, +# DMS tests no longer use raw IMAP commands with netcat, thus none of this is relevant beyond reference for troubleshooting. +# # /imap/xoauth2 # Generate IMAP commands for authentication testing # Base64 encoded credentials can alternative be done via CLI with: diff --git a/test/files/auth/imap-oauth2-oauthbearer.txt b/test/files/auth/imap-oauth2-oauthbearer.txt deleted file mode 100644 index d85c63e8..00000000 --- a/test/files/auth/imap-oauth2-oauthbearer.txt +++ /dev/null @@ -1,4 +0,0 @@ -a0 NOOP See test/config/oauth2/Caddyfile to generate the below OAUTHBEARER string -a1 AUTHENTICATE OAUTHBEARER bixhPXVzZXIxQGxvY2FsaG9zdC5sb2NhbGRvbWFpbiwBaG9zdD1sb2NhbGhvc3QBcG9ydD0xNDMBYXV0aD1CZWFyZXIgRE1TX1lXTmpaWE56WDNSdmEyVnUBAQ== -a2 EXAMINE INBOX -a3 LOGOUT diff --git a/test/files/auth/imap-oauth2-xoauth2.txt b/test/files/auth/imap-oauth2-xoauth2.txt deleted file mode 100644 index 0371b0cf..00000000 --- a/test/files/auth/imap-oauth2-xoauth2.txt +++ /dev/null @@ -1,4 +0,0 @@ -a0 NOOP See test/config/oauth2/Caddyfile to generate the below XOAUTH2 string -a1 AUTHENTICATE XOAUTH2 dXNlcj11c2VyMUBsb2NhbGhvc3QubG9jYWxkb21haW4BYXV0aD1CZWFyZXIgRE1TX1lXTmpaWE56WDNSdmEyVnUBAQ== -a2 EXAMINE INBOX -a3 LOGOUT diff --git a/test/tests/serial/mail_with_oauth2.bats b/test/tests/serial/mail_with_oauth2.bats index 0cc34a01..9b4d12fe 100644 --- a/test/tests/serial/mail_with_oauth2.bats +++ b/test/tests/serial/mail_with_oauth2.bats @@ -58,21 +58,59 @@ function teardown_file() { docker network rm "${DMS_TEST_NETWORK}" } -@test "should authenticate with XOAUTH2 over IMAP" { - _nc_wrapper 'auth/imap-oauth2-xoauth2.txt' '-w 1 0.0.0.0 143' - __verify_successful_login 'XOAUTH2' +@test "should authenticate with XOAUTH2" { + __should_login_successfully_with 'XOAUTH2' } -@test "should authenticate with OAUTHBEARER over IMAP" { - _nc_wrapper 'auth/imap-oauth2-oauthbearer.txt' '-w 1 0.0.0.0 143' - __verify_successful_login 'OAUTHBEARER' +@test "should authenticate with OAUTHBEARER" { + __should_login_successfully_with 'OAUTHBEARER' } -function __verify_successful_login() { +function __should_login_successfully_with() { local AUTH_METHOD=${1} + # These values are the auth credentials checked against the Caddy `/userinfo` endpoint: + local USER_ACCOUNT='user1@localhost.localdomain' + local ACCESS_TOKEN='DMS_YWNjZXNzX3Rva2Vu' + __verify_auth_with_imap + __verify_auth_with_smtp +} + +# Dovecot direct auth verification via IMAP: +function __verify_auth_with_imap() { + # NOTE: Include the `--verbose` option if you're troubleshooting and want to see the protocol exchange messages + # NOTE: `--user username:password` is valid for testing `PLAIN` auth mechanism, but you should prefer swaks instead. + _run_in_container curl --silent \ + --login-options "AUTH=${AUTH_METHOD}" --oauth2-bearer "${ACCESS_TOKEN}" --user "${USER_ACCOUNT}" \ + --url 'imap://localhost:143' -X 'LOGOUT' + + __dovecot_logs_should_verify_success +} + +# Postfix delegates by default to Dovecot via SASL: +# NOTE: This won't be compatible with LDAP if `ENABLE_SASLAUTHD=1` with `ldap` SASL mechanism: +function __verify_auth_with_smtp() { + # NOTE: `--upload-file` with some mail content seems required for using curl to test OAuth2 authentication. + # TODO: Replace with swaks and early exit option when it supports XOAUTH2 + OAUTHBEARER: + _run_in_container curl --silent \ + --login-options "AUTH=${AUTH_METHOD}" --oauth2-bearer "${ACCESS_TOKEN}" --user "${USER_ACCOUNT}" \ + --url 'smtp://localhost:587' --mail-from "${USER_ACCOUNT}" --mail-rcpt "${USER_ACCOUNT}" --upload-file - <<< 'RFC 5322 content - not important' + + # Postfix specific auth logs: + _run_in_container grep 'postfix/submission/smtpd' /var/log/mail.log + assert_output --partial "sasl_method=${AUTH_METHOD}, sasl_username=${USER_ACCOUNT}" + + # Dovecot logs should still be checked as it is handling the actual auth process under the hood: + __dovecot_logs_should_verify_success +} + +function __dovecot_logs_should_verify_success() { # Inspect the relevant Dovecot logs to catch failure / success: _run_in_container grep 'dovecot:' /var/log/mail.log refute_output --partial 'oauth2 failed: Introspection failed' - assert_output --partial "dovecot: imap-login: Login: user=, method=${AUTH_METHOD}" + assert_output --partial "dovecot: imap-login: Login: user=<${USER_ACCOUNT}>, method=${AUTH_METHOD}" + + # If another PassDB is enabled, it should not have been attempted with the XOAUTH2 / OAUTHBEARER mechanisms: + # dovecot: auth: passwd-file(${USER_ACCOUNT},127.0.0.1): Password mismatch (SHA1 of given password: d390c1) - trying the next passdb + refute_output --partial 'trying the next passdb' }