Merge branch 'master' into mta-sts-support

This commit is contained in:
Georg Lauterbach 2023-11-14 10:50:55 +01:00 committed by GitHub
commit 824ea334bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 350 additions and 109 deletions


@ -427,14 +427,21 @@ Thanks goes to these wonderful people ✨
<sub><b>Jarrod Smith</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/jsonn">
<img src="https://avatars.githubusercontent.com/u/296817?v=4" width="100;" alt="jsonn"/>
<br />
<sub><b>Joerg Sonnenberger</b></sub>
</a>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/pbek">
<img src="https://avatars.githubusercontent.com/u/1798101?v=4" width="100;" alt="pbek"/>
<br />
<sub><b>Patrizio Bekerle</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/Rubytastic2">
<img src="https://avatars.githubusercontent.com/u/21036612?v=4" width="100;" alt="Rubytastic2"/>
@ -469,15 +476,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/kamuri">
<img src="https://avatars.githubusercontent.com/u/2777769?v=4" width="100;" alt="kamuri"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/davidszp">
<img src="https://avatars.githubusercontent.com/u/15107452?v=4" width="100;" alt="davidszp"/>
@ -512,15 +519,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/elbracht">
<img src="https://avatars.githubusercontent.com/u/2912000?v=4" width="100;" alt="elbracht"/>
<br />
<sub><b>Alexander Elbracht</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/aminvakil">
<img src="https://avatars.githubusercontent.com/u/12948692?v=4" width="100;" alt="aminvakil"/>
@ -555,15 +562,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Christian Raue</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/danielpanteleit">
<img src="https://avatars.githubusercontent.com/u/15816819?v=4" width="100;" alt="danielpanteleit"/>
<br />
<sub><b>Daniel Panteleit</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/dmcgrandle">
<img src="https://avatars.githubusercontent.com/u/28963307?v=4" width="100;" alt="dmcgrandle"/>
@ -598,15 +605,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>FL42</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/ipernet">
<img src="https://avatars.githubusercontent.com/u/1324566?v=4" width="100;" alt="ipernet"/>
<br />
<sub><b>Guillaume Simon</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/H4R0">
<img src="https://avatars.githubusercontent.com/u/8709669?v=4" width="100;" alt="H4R0"/>
@ -641,15 +648,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Jeremy Shipman</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/spacecowboy">
<img src="https://avatars.githubusercontent.com/u/223655?v=4" width="100;" alt="spacecowboy"/>
<br />
<sub><b>Jonas Kalderstam</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/artonge">
<img src="https://avatars.githubusercontent.com/u/6653109?v=4" width="100;" alt="artonge"/>
@ -684,15 +691,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Pablo Castorino</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/p-fruck">
<img src="https://avatars.githubusercontent.com/u/30511472?v=4" width="100;" alt="p-fruck"/>
<br />
<sub><b>Philipp Fruck</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/Rillke">
<img src="https://avatars.githubusercontent.com/u/2311611?v=4" width="100;" alt="Rillke"/>
@ -727,15 +734,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Vincent Ducamps</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/andymel123">
<img src="https://avatars.githubusercontent.com/u/9843057?v=4" width="100;" alt="andymel123"/>
<br />
<sub><b>Andymel</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/bigpigeon">
<img src="https://avatars.githubusercontent.com/u/12421954?v=4" width="100;" alt="bigpigeon"/>
@ -770,15 +777,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/GoliathLabs">
<img src="https://avatars.githubusercontent.com/u/8057646?v=4" width="100;" alt="GoliathLabs"/>
<br />
<sub><b>Felix</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/yogo1212">
<img src="https://avatars.githubusercontent.com/u/5165324?v=4" width="100;" alt="yogo1212"/>
@ -813,15 +820,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>0xflotus</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/ifokeev">
<img src="https://avatars.githubusercontent.com/u/2017148?v=4" width="100;" alt="ifokeev"/>
<br />
<sub><b>Johan Fokeev</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/20th">
<img src="https://avatars.githubusercontent.com/u/1331328?v=4" width="100;" alt="20th"/>
@ -856,15 +863,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Adrian Pistol</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/kachkaev">
<img src="https://avatars.githubusercontent.com/u/608862?v=4" width="100;" alt="kachkaev"/>
<br />
<sub><b>Alexander Kachkaev</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/alexanderneu">
<img src="https://avatars.githubusercontent.com/u/4265287?v=4" width="100;" alt="alexanderneu"/>
@ -899,15 +906,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Andrey Likhodievskiy</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/iRhonin">
<img src="https://avatars.githubusercontent.com/u/13151232?v=4" width="100;" alt="iRhonin"/>
<br />
<sub><b>Arash Fatahzade</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/MrFreezeex">
<img src="https://avatars.githubusercontent.com/u/3845213?v=4" width="100;" alt="MrFreezeex"/>
@ -942,15 +949,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Bogdan</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/erdos4d">
<img src="https://avatars.githubusercontent.com/u/72926946?v=4" width="100;" alt="erdos4d"/>
<br />
<sub><b>Charles Harris</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/crash7">
<img src="https://avatars.githubusercontent.com/u/1450075?v=4" width="100;" alt="crash7"/>
@ -985,15 +992,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Damian Moore</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/espitall">
<img src="https://avatars.githubusercontent.com/u/1910925?v=4" width="100;" alt="espitall"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/dkarski">
<img src="https://avatars.githubusercontent.com/u/17147149?v=4" width="100;" alt="dkarski"/>
@ -1028,15 +1035,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Dmitry R.</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/aydodo">
<img src="https://avatars.githubusercontent.com/u/5312040?v=4" width="100;" alt="aydodo"/>
<br />
<sub><b>Dorian Ayllón</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/vedtam">
<img src="https://avatars.githubusercontent.com/u/4981592?v=4" width="100;" alt="vedtam"/>
@ -1071,15 +1078,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Erik Brakkee</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/huncode">
<img src="https://avatars.githubusercontent.com/u/1650008?v=4" width="100;" alt="huncode"/>
<br />
<sub><b>Huncode</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/felixn">
<img src="https://avatars.githubusercontent.com/u/221502?v=4" width="100;" alt="felixn"/>
@ -1109,20 +1116,20 @@ Thanks goes to these wonderful people ✨
</a>
</td>
<td align="center">
<a href="https://github.com/frugan-it">
<img src="https://avatars.githubusercontent.com/u/7957714?v=4" width="100;" alt="frugan-it"/>
<a href="https://github.com/frugan-dev">
<img src="https://avatars.githubusercontent.com/u/7957714?v=4" width="100;" alt="frugan-dev"/>
<br />
<sub><b>Frugan</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/Marsu31">
<img src="https://avatars.githubusercontent.com/u/16478866?v=4" width="100;" alt="Marsu31"/>
<br />
<sub><b>Gabriel Euzet</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/glandais">
<img src="https://avatars.githubusercontent.com/u/864152?v=4" width="100;" alt="glandais"/>
@ -1157,15 +1164,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Ian Andrews</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/Influencer">
<img src="https://avatars.githubusercontent.com/u/1127304?v=4" width="100;" alt="Influencer"/>
<br />
<sub><b>Influencer</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/jcalfee">
<img src="https://avatars.githubusercontent.com/u/204121?v=4" width="100;" alt="jcalfee"/>
@ -1200,13 +1207,6 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Jiří Kozlovský</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/jsonn">
<img src="https://avatars.githubusercontent.com/u/296817?v=4" width="100;" alt="jsonn"/>
<br />
<sub><b>Joerg Sonnenberger</b></sub>
</a>
</td></tr>
<tr>
<td align="center">
@ -1639,6 +1639,13 @@ Thanks goes to these wonderful people ✨
</a>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/Zepmann">
<img src="https://avatars.githubusercontent.com/u/4273943?v=4" width="100;" alt="Zepmann"/>
<br />
<sub><b>Null</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/allddd">
<img src="https://avatars.githubusercontent.com/u/117767298?v=4" width="100;" alt="allddd"/>
@ -1673,15 +1680,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/dborowy">
<img src="https://avatars.githubusercontent.com/u/56255618?v=4" width="100;" alt="dborowy"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/dimalo">
<img src="https://avatars.githubusercontent.com/u/26287094?v=4" width="100;" alt="dimalo"/>
@ -1716,15 +1723,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/i-C-o-d-e-r">
<img src="https://avatars.githubusercontent.com/u/19938289?v=4" width="100;" alt="i-C-o-d-e-r"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/idaadi">
<img src="https://avatars.githubusercontent.com/u/2011380?v=4" width="100;" alt="idaadi"/>
@ -1759,15 +1766,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/landergate">
<img src="https://avatars.githubusercontent.com/u/904839?v=4" width="100;" alt="landergate"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/callmemagnus">
<img src="https://avatars.githubusercontent.com/u/232478?v=4" width="100;" alt="callmemagnus"/>
@ -1802,15 +1809,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Jason Miller</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/mplx">
<img src="https://avatars.githubusercontent.com/u/1986588?v=4" width="100;" alt="mplx"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/odinis">
<img src="https://avatars.githubusercontent.com/u/23659698?v=4" width="100;" alt="odinis"/>
@ -1845,15 +1852,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/presocratics">
<img src="https://avatars.githubusercontent.com/u/203116?v=4" width="100;" alt="presocratics"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/rhyst">
<img src="https://avatars.githubusercontent.com/u/5313660?v=4" width="100;" alt="rhyst"/>
@ -1888,15 +1895,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/sportshead">
<img src="https://avatars.githubusercontent.com/u/32637656?v=4" width="100;" alt="sportshead"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/squash">
<img src="https://avatars.githubusercontent.com/u/527457?v=4" width="100;" alt="squash"/>
@ -1931,15 +1938,15 @@ Thanks goes to these wonderful people ✨
<br />
<sub><b>Null</b></sub>
</a>
</td>
</td></tr>
<tr>
<td align="center">
<a href="https://github.com/wolkenschieber">
<img src="https://avatars.githubusercontent.com/u/5024238?v=4" width="100;" alt="wolkenschieber"/>
<br />
<sub><b>Null</b></sub>
</a>
</td></tr>
<tr>
</td>
<td align="center">
<a href="https://github.com/worldworm">
<img src="https://avatars.githubusercontent.com/u/13227454?v=4" width="100;" alt="worldworm"/>


@ -190,7 +190,10 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
# Required to support SGID via `postdrop` executable
# in `/var/mail-state` for Postfix (maildrop + public dirs):
# https://github.com/docker-mailserver/docker-mailserver/pull/3625
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
runAsUser: 0
runAsGroup: 0
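Review bot: Setting `allowPrivilegeEscalation: true` at this point (with `runAsUser: 0` and `readOnlyRootFilesystem: false` a few lines below) takes the container out of the Pod Security Standards `restricted` profile, and the added comment explains the `postdrop` SGID requirement but not the wider effect: `no_new_privs` is lifted for every process in the container, not only for `postdrop`. An operator applying this manifest in a namespace enforcing `restricted` will have the pod rejected with no hint in the file about why. Suggest extending the comment with `# NOTE: lifts no_new_privs for the whole container and is not permitted by the Pod Security Standards "restricted" profile; the namespace policy must allow it`. Whether the surrounding `securityContext` carries further fields (e.g. a `capabilities` block) is not visible in this hunk.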


@ -12,7 +12,7 @@ This is a list of all configuration files and directories which are optional or
- **sieve-pipe:** directory for sieve pipe scripts. (Docs: [Sieve][docs-sieve])
- **opendkim:** DKIM directory. Auto-configurable via [`setup.sh config dkim`][docs-setupsh]. (Docs: [DKIM][docs-dkim])
- **ssl:** SSL Certificate directory if `SSL_TYPE` is set to `self-signed` or `custom`. (Docs: [SSL][docs-ssl])
- **Rspamd:** Override directory for custom settings when using Rspamd (Docs: [Rspamd][docs-rspamd-override-d])
- **rspamd:** Override directory for custom settings when using Rspamd (Docs: [Rspamd][docs-rspamd-override-d])
## Files


@ -29,22 +29,29 @@ These links may advise how the provider can unblock the port through additional
1. **Increase log verbosity**: Very helpful for troubleshooting problems during container startup. Set the environment variable [`LOG_LEVEL`][docs-environment-log-level] to `debug` or `trace`.
2. **Use error logs as a search query**: Try [finding an _existing issue_][gh-issues] or _search engine result_ from any errors in your container log output. Often you'll find answers or more insights. If you still need to open an issue, sharing links from your search may help us assist you. The mail server log can be acquired by running `docker log <CONTAINER NAME>` (_or `docker logs -f <CONTAINER NAME>` if you want to follow the log_).
3. **Understand the basics of mail servers**: Especially for beginners, make sure you read our [Introduction][docs-introduction] and [Usage][docs-usage] articles.
4. **Search the whole FAQ**: Our [FAQ][docs-faq] contains answers for common problems. Make sure you go through the list.
5. **Reduce the scope**: Ensure that you can run a basic setup of DMS first. Then incrementally restore parts of your original configuration until the problem is reproduced again. If you're new to DMS, it is common to find the cause is misunderstanding how to configure a minimal setup.
3. **Inspect the logs of the service that is failing**: We provide a dedicated paragraph on this topic [further down below](#logs).
4. **Understand the basics of mail servers**: Especially for beginners, make sure you read our [Introduction][docs-introduction] and [Usage][docs-usage] articles.
5. **Search the whole FAQ**: Our [FAQ][docs-faq] contains answers for common problems. Make sure you go through the list.
6. **Reduce the scope**: Ensure that you can run a basic setup of DMS first. Then incrementally restore parts of your original configuration until the problem is reproduced again. If you're new to DMS, it is common to find the cause is misunderstanding how to configure a minimal setup.
### Debug a running container
To get a shell inside the container run: `docker exec -it <CONTAINER NAME> bash`.
#### General
If you need more flexibility than `docker logs` offers, within the container `/var/log/mail/mail.log` and `/var/log/supervisor/` are the most useful locations to get relevant DMS logs. Use the `tail` or `cat` commands to view their contents.
To install additional software:
To get a shell inside the container run: `docker exec -it <CONTAINER NAME> bash`. To install additional software, run:
1. `apt-get update` to update repository metadata.
2. `apt-get install <PACKAGE>`
2. `apt-get install <PACKAGE>` to install a package, e.g., `apt-get install neovim` if you want to use NeoVim instead of `nano` (which is shipped by default).
For example a text editor you can use in the terminal: `apt-get install nano`
#### Logs
If you need more flexibility than what the `docker logs` command offers, then the most useful locations to get relevant DMS logs within the container are:
- `/var/log/mail/mail.log`
- `/var/log/mail/mail/<SERVICE>.log`
- `/var/log/supervisor/<SERVICE>.log`
You may use `nano` (a text editor) to edit files, while `less` (a file viewer) and `tail`/`cat` are useful tools to inspect the contents of logs.
## Compatibility


@ -586,8 +586,10 @@ Note: activate this only if you are confident in your bayes database for identif
##### FETCHMAIL_PARALLEL
**0** => `fetchmail` runs with a single config file `/etc/fetchmailrc`
**1** => `/etc/fetchmailrc` is split per poll entry. For every poll entry a separate fetchmail instance is started to allow having multiple imap idle configurations defined.
- **0** => `fetchmail` runs with a single config file `/etc/fetchmailrc`
- 1 => `/etc/fetchmailrc` is split per poll entry. For every poll entry a separate fetchmail instance is started to [allow having multiple imap idle connections per server][fetchmail-imap-workaround] (_when poll entries reference the same IMAP server_).
[fetchmail-imap-workaround]: https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
Note: The defaults of your fetchmailrc file need to be at the top of the file. Otherwise it won't be added correctly to all separate `fetchmail` instances.
#### Getmail


@ -71,7 +71,7 @@ DMS does not supply custom values for DNS servers to Rspamd. If you need to use
### Logs
You can find the Rspamd logs at `/var/log/mail/rspamd.log`, and the corresponding logs for [Redis](#persistence-with-redis), if it is enabled, at `/var/log/supervisor/rspamd-redis.log`. We recommend inspecting these logs (with `docker exec -it <CONTAINER NAME> cat /var/log/mail/rspamd.log`) in case Rspamd does not work as expected.
You can find the Rspamd logs at `/var/log/mail/rspamd.log`, and the corresponding logs for [Redis](#persistence-with-redis), if it is enabled, at `/var/log/supervisor/rspamd-redis.log`. We recommend inspecting these logs (with `docker exec -it <CONTAINER NAME> less /var/log/mail/rspamd.log`) in case Rspamd does not work as expected.
### Modules


@ -0,0 +1,162 @@
---
title: 'Examples | Use Cases | Lua Authentication'
---
## Introduction
Dovecot has the ability to let users create their own custom user provisioning and authentication providers in [Lua](https://en.wikipedia.org/wiki/Lua_(programming_language)#Syntax). This allows any data source that can be approached from Lua to be used for authentication, including web servers. It is possible to do more with Dovecot and Lua, but other use cases fall outside of the scope of this documentation page.
!!! warning "Community contributed guide"
Dovecot authentication via Lua scripting is not officially supported in DMS. No assistance will be provided should you encounter any issues.
DMS provides the required packages to support this guide. Note that these packages will be removed should they introduce any future maintenance burden.
The example in this guide relies on the current way in which DMS works with Dovecot configuration files. Changes to this to accommodate new authentication methods such as OpenID Connect will likely break this example in the future. This guide is updated on a best-effort base.
Dovecot's Lua support can be used for user provisioning (userdb functionality) and/or password verification (passdb functionality). Consider using other userdb and passdb options before considering Lua, since Lua does require the use of additional (unsupported) program code that might require maintenance when updating DMS.
Each implementation of Lua-based authentication is custom. Therefore it is impossible to write documentation that covers every scenario. Instead, this page describes a single example scenario. If that scenario is followed, you will learn vital aspects that are necessary to kickstart your own Lua development:
- How to override Dovecot's default configuration to disable parts that conflict with your scenario.
- How to make Dovecot use your Lua script.
- How to add your own Lua script and any libraries it uses.
- How to debug your Lua script.
## The example scenario
This scenario starts with [DMS being configured to use LDAP][docs::auth-ldap] for mailbox identification, user authorization and user authentication. In this scenario, [Nextcloud](https://nextcloud.com/) is also a service that uses the same LDAP server for user identification, authorization and authentication.
The goal of this scenario is to have Dovecot not authenticate the user against LDAP, but against Nextcloud using an [application password](https://docs.nextcloud.com/server/latest/user_manual/en/session_management.html#managing-devices). The idea behind this is that a compromised mailbox password does not compromise the user's account entirely. To make this work, Nextcloud is configured to [deny the use of account passwords by clients](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#token-auth-enforced) and to [disable account password reset through mail verification](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#lost-password-link).
If the application password is configured correctly, an adversary can only use it to access the user's mailbox on DMS, and CalDAV and CardDAV data on Nextcloud. File access through WebDAV can be disabled for the application password used to access mail. Having CalDAV and CardDAV compromised by the same password is a minor setback. If an adversary gets access to a Nextcloud application password through a device of the user, it is likely that the adversary also gets access to the user's calendars and contact lists anyway (locally or through the same account settings used for mail and CalDAV/CardDAV synchronization). The user's stored files in Nextcloud, the LDAP account password and any other services that rely on it would still be protected. A bonus is that a user is able to revoke and renew the mailbox password in Nextcloud for whatever reason, through a friendly user interface with all the security measures with which the Nextcloud instance is configured (e.g. verification of the current account password).
A drawback of this method is that any (compromised) Nextcloud application password can be used to access the user's mailbox. This introduces a risk that a Nextcloud application password used for something else (e.g. WebDAV file access) is compromised and used to access the user's mailbox. Discussion of that risk and possible mitigations fall outside of the scope of this scenario.
To answer the questions asked earlier for this specific scenario:
1. Do I want to use Lua to identify mailboxes and verify that users are are authorized to use mail services? **No. Provisioning is done through LDAP.**
1. Do I want to use Lua to verify passwords that users authenticate with for IMAP/POP3/SMTP in their mail clients? **Yes. Password authentication is done through Lua against Nextcloud.**
1. If the answer is 'yes' to question 1 or 2: are there other methods that better facilitate my use case instead of custom scripts which rely on me being a developer and not just a user? **No. Only HTTP can be used to authenticate against Nextcloud, which is not supported natively by Dovecot or DMS.**
While it is possible to extend the authentication methods which Nextcloud can facilitate with [Nextcloud apps](https://apps.nextcloud.com/), there is currently a mismatch between what DMS supports and what Nextcloud applications can provide. This might change in the future. For now, Lua will be used to bridge the gap between DMS and Nextcloud for authentication only (Dovecot passdb), while LDAP will still be used to identify mailboxes and verify authorization (Dovecot userdb).
## Modify Dovecot's configuration
???+ example "Add to DMS volumes in `compose.yaml`"
```yaml
# All new volumes are marked :ro to configure them as read-only, since their contents are not changed from inside the container
volumes:
# Configuration override to disable LDAP authentication
- ./docker-data/dms/config/dovecot/auth-ldap.conf.ext:/etc/dovecot/conf.d/auth-ldap.conf.ext:ro
# Configuration addition to enable Lua authentication
- ./docker-data/dms/config/dovecot/auth-lua-httpbasic.conf:/etc/dovecot/conf.d/auth-lua-httpbasic.conf:ro
# Directory containing Lua scripts
- ./docker-data/dms/config/dovecot/lua/:/etc/dovecot/lua/:ro
```
Create a directory for Lua scripts:
```bash
mkdir -p ./docker-data/dms/config/dovecot/lua
```
Create configuration file `./docker-data/dms/config/dovecot/auth-ldap.conf.ext` for LDAP user provisioning:
```
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
```
Create configuration file `./docker-data/dms/config/dovecot/auth-lua-httpbasic.conf` for Lua user authentication:
```
passdb {
driver = lua
args = file=/etc/dovecot/lua/auth-httpbasic.lua blocking=yes
}
```
That is all for configuring Dovecot.
## Create the Lua script
Create Lua file `./docker-data/dms/config/dovecot/lua/auth-httpbasic.lua` with contents:
```lua
local http_url = "https://nextcloud.example.com/remote.php/dav/"
local http_method = "PROPFIND"
local http_status_ok = 207
local http_status_failure = 401
local http_header_forwarded_for = "X-Forwarded-For"
package.path = package.path .. ";/etc/dovecot/lua/?.lua"
local base64 = require("base64")
local http_client = dovecot.http.client {
timeout = 1000;
max_attempts = 1;
debug = false;
}
function script_init()
return 0
end
function script_deinit()
end
function auth_passdb_lookup(req)
local auth_request = http_client:request {
url = http_url;
method = http_method;
}
auth_request:add_header("Authorization", "Basic " .. (base64.encode(req.user .. ":" .. req.password)))
auth_request:add_header(http_header_forwarded_for, req.remote_ip)
local auth_response = auth_request:submit()
local resp_status = auth_response:status()
local reason = auth_response:reason()
local returnStatus = dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE
local returnDesc = http_method .. " - " .. http_url .. " - " .. resp_status .. " " .. reason
if resp_status == http_status_ok
then
returnStatus = dovecot.auth.PASSDB_RESULT_OK
returnDesc = "nopassword=y"
elseif resp_status == http_status_failure
then
returnStatus = dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH
returnDesc = ""
end
return returnStatus, returnDesc
end
```
Replace the hostname in the URL to the actual hostname of Nextcloud.
Dovecot [provides an HTTP client for use in Lua](https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client). Aside of that, Lua by itself is pretty barebones. It chooses library compactness over included functionality. You can see that in that a separate library is referenced to add support for Base64 encoding, which is required for [HTTP basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). This library (also a Lua script) is not included. It must be downloaded and stored in the same directory:
```bash
cd ./docker-data/dms/config/dovecot/lua
curl -JLO https://raw.githubusercontent.com/iskolbin/lbase64/master/base64.lua
```
Only use native (pure Lua) libraries as dependencies if possible, such as `base64.lua` from the example. This ensures maximum compatibility. Performance is less of an issue since Lua scripts written for Dovecot probably won't be long or complex, and there won't be a lot of data processing by Lua itself.
## Debugging a Lua script
To see which Lua version is used by Dovecot if you plan to do something that is version dependent, run:
```bash
docker exec CONTAINER_NAME strings /usr/lib/dovecot/libdovecot-lua.so|grep '^LUA_'
```
While Dovecot logs the status of authentication attempts for any passdb backend, Dovecot will also log Lua scripting errors and messages sent to Dovecot's [Lua API log functions](https://doc.dovecot.org/admin_manual/lua/#dovecot.i_debug). The combined DMS log (including that of Dovecot) can be viewed using `docker logs CONTAINER_NAME`. If the log is too noisy (_due to other processes in the container also logging to it_), `docker exec CONTAINER_NAME cat /var/log/mail/mail.log` can be used to view the log of Dovecot and Postfix specifically.
If working with HTTP in Lua, setting `debug = true;` when initiating `dovecot.http.client` will create debug log messages for every HTTP request and response.
Note that Lua runs compiled bytecode, and that scripts will be compiled when they are initially started. Once compiled, the bytecode is cached and changes in the Lua script will not be processed automatically. Dovecot will reload its configuration and clear its cached Lua bytecode when running `docker exec CONTAINER_NAME dovecot reload`. A (changed) Lua script will be compiled to bytecode the next time it is executed after running the Dovecot reload command.
[docs::auth-ldap]: ../../config/advanced/auth-ldap.md
[docs::dovecot-override-configuration]: ../../config/advanced/override-defaults/dovecot.md#override-configuration
[docs::dovecot-add-configuration]: ../../config/advanced/override-defaults/dovecot.md#add-configuration
[docs::faq-alter-running-dms-instance-without-container-relaunch]: ../../faq.md#how-to-alter-a-running-dms-instance-without-relaunching-the-container


@ -164,6 +164,7 @@ nav:
- 'Forward-Only Mail-Server with LDAP': examples/use-cases/forward-only-mailserver-with-ldap-authentication.md
- 'Customize IMAP Folders': examples/use-cases/imap-folders.md
- 'iOS Mail Push Support': examples/use-cases/ios-mail-push-support.md
- 'Lua Authentication': examples/use-cases/auth-lua.md
- 'FAQ' : faq.md
- 'Contributing':
- 'General Information': contributing/general.md


@ -403,6 +403,10 @@ ENABLE_FETCHMAIL=0
# The interval to fetch mail in seconds
FETCHMAIL_POLL=300
# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
FETCHMAIL_PARALLEL=0
# Enable or disable `getmail`.
#


@ -62,13 +62,6 @@ ${ORANGE}EXIT STATUS${RESET}
"
}
function __do_as_rspamd_user() {
local COMMAND=${1:?Command required when using __do_as_rspamd_user}
_log 'trace' "Running '${*}' as user '_rspamd' now"
shift 1
su -l '_rspamd' -s "$(command -v "${COMMAND}")" -- "${@}"
}
function _parse_arguments() {
FORCE=0
KEYTYPE='rsa'


@ -95,13 +95,19 @@ function _install_packages() {
function _install_dovecot() {
declare -a DOVECOT_PACKAGES
# Dovecot packages for officially supported features.
DOVECOT_PACKAGES=(
dovecot-core dovecot-imapd
dovecot-ldap dovecot-lmtpd dovecot-managesieved
dovecot-pop3d dovecot-sieve dovecot-solr
)
if [[ ${DOVECOT_COMMUNITY_REPO} -eq 1 ]]; then
# Dovecot packages for community supported features.
DOVECOT_PACKAGES+=(dovecot-auth-lua)
# Dovecot's deb community repository only provides x86_64 packages, so do not include it
# when building for another architecture.
if [[ ${DOVECOT_COMMUNITY_REPO} -eq 1 ]] && [[ "$(uname --machine)" == "x86_64" ]]; then
_log 'trace' 'Using Dovecot community repository'
curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import
gpg --export ED409DA1 > /etc/apt/trusted.gpg.d/dovecot.gpg
@ -109,6 +115,9 @@ function _install_dovecot() {
_log 'trace' 'Updating Dovecot package signatures'
apt-get "${QUIET}" update
# Additional community package needed for Lua support if the Dovecot community repository is used.
DOVECOT_PACKAGES+=(dovecot-lua)
fi
_log 'debug' 'Installing Dovecot'
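Review bot: When `DOVECOT_COMMUNITY_REPO=1` is set on a non-x86_64 build, the new condition on the `if` line skips the community repository silently, so `dovecot-lua` is never appended to `DOVECOT_PACKAGES` and nothing in the log explains why Lua authentication is missing. A second branch would make that visible: `elif [[ ${DOVECOT_COMMUNITY_REPO} -eq 1 ]]; then` / `_log 'warn' "Dovecot community repository is only available for x86_64 (current: $(uname --machine)), 'dovecot-lua' will not be installed"`. Since this branch is being reworked anyway, the unchanged `curl https://repo.dovecot.org/DOVECOT-REPO-GPG | gpg --import` inside it would benefit from `curl --fail --silent --show-error`, so that an HTTP error page is not fed into `gpg --import`; under `set -e` a failed download in a pipeline is otherwise only caught if `pipefail` is active. `_install_dovecot` begins in this section but its body continues past the second hunk.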


@ -2,6 +2,18 @@
# shellcheck disable=SC2034 # VAR appears unused.
# Perform a specific command as the Rspamd user (`_rspamd`). This is useful
# in case you want to have correct permissions on newly created files or if
# you want to check whether Rspamd can perform a specific action.
function __do_as_rspamd_user() {
_log 'trace' "Running '${*}' as user '_rspamd'"
su _rspamd -s /bin/bash -c "${*}"
}
# Calling this function brings common Rspamd-related environment variables
# into the current context. The environment variables are `readonly`, i.e.
# they cannot be modified. Use this function when you require common directory
# names, file names, etc.
function _rspamd_get_envs() {
readonly RSPAMD_LOCAL_D='/etc/rspamd/local.d'
readonly RSPAMD_OVERRIDE_D='/etc/rspamd/override.d'
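Review bot: `su _rspamd -s /bin/bash -c "${*}"` joins all arguments into one string that bash then re-parses, so an argument containing spaces, quotes or other shell metacharacters is split or interpreted a second time instead of being passed as a single word; the function this replaces in `rspamd-dkim` (`su -l '_rspamd' -s "$(command -v "${COMMAND}")" -- "${@}"`) preserved argument boundaries. If any caller passes values derived from user-controlled configuration (key paths, selectors), this is the usual shell-injection shape, so the change is a regression in that respect. Passing the arguments via positional parameters keeps them intact: `su _rspamd -s /bin/bash -c 'exec "$0" "$@"' -- "$@"` (or `runuser -u _rspamd -- "$@"` where util-linux provides it); the trace log line can keep `${*}` since it is only printed. If the intent is that callers hand over a shell snippet with pipes or redirections, the comment above the function should say so explicitly so that nobody passes untrusted data through it.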


@ -107,10 +107,10 @@ function _setup_save_states() {
# These two require the postdrop(103) group:
chgrp -R postdrop "${STATEDIR}"/spool-postfix/{maildrop,public}
# After changing the group, special bits (set-gid, sticky) may be stripped, restore them:
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3149#issuecomment-1454981309
chmod 1730 "${STATEDIR}/spool-postfix/maildrop"
chmod 2710 "${STATEDIR}/spool-postfix/public"
# These permissions rely on the `postdrop` binary having the SGID bit set.
# Ref: https://github.com/docker-mailserver/docker-mailserver/pull/3625
chmod 730 "${STATEDIR}/spool-postfix/maildrop"
chmod 710 "${STATEDIR}/spool-postfix/public"
elif [[ ${ONE_DIR} -eq 1 ]]; then
_log 'warn' "'ONE_DIR=1' but no volume was mounted to '${STATEDIR}'"
else
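Review bot: The new `chmod 730` on `maildrop` drops the sticky bit that the replaced `chmod 1730` set, but the new comment only justifies group access through the SGID `postdrop` binary, not the removal of the sticky bit. Without it, any process that obtains group `postdrop` write access to the directory could in principle unlink queue files submitted by other local users; as far as I know Postfix's own post-install sets `maildrop` to `1730`, while `0710` for `public` matches its default. If dropping it is intentional, the comment should state why; otherwise `chmod 1730 "${STATEDIR}/spool-postfix/maildrop"` keeps both the SGID-based access and the sticky protection. `_setup_save_states` starts before this hunk.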


@ -23,6 +23,9 @@ function _setup_rspamd() {
__rspamd__setup_check_authenticated
_rspamd_handle_user_modules_adjustments # must run last
# only performing checks, no further setup handled from here onwards
__rspamd__check_dkim_permissions
__rspamd__log 'trace' '---------- Setup finished ----------'
else
_log 'debug' 'Rspamd is disabled'
@ -280,6 +283,12 @@ function __rspamd__setup_hfilter_group() {
fi
}
# If 'RSPAMD_CHECK_AUTHENTICATED' is enabled, then content checks for all users, i.e.
# also for authenticated users, are performed.
#
# The default that DMS ships does not check authenticated users. In case the checks are
# enabled, this function will remove the part of the Rspamd configuration that disables
# checks for authenticated users.
function __rspamd__setup_check_authenticated() {
local MODULE_FILE="${RSPAMD_LOCAL_D}/settings.conf"
readonly MODULE_FILE
@ -294,3 +303,35 @@ function __rspamd__setup_check_authenticated() {
"${MODULE_FILE}"
fi
}
# This function performs a simple check: go through DKIM configuration files, acquire
# all private key file locations and check whether they exist and whether they can be
# accessed by Rspamd.
function __rspamd__check_dkim_permissions() {
local DKIM_CONF_FILES DKIM_KEY_FILES
[[ -f ${RSPAMD_LOCAL_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_LOCAL_D}/dkim_signing.conf")
[[ -f ${RSPAMD_OVERRIDE_D}/dkim_signing.conf ]] && DKIM_CONF_FILES+=("${RSPAMD_OVERRIDE_D}/dkim_signing.conf")
# Here, we populate DKIM_KEY_FILES which we later iterate over. DKIM_KEY_FILES
# contains all keys files configured by the user.
local FILE
for FILE in "${DKIM_CONF_FILES[@]}"; do
readarray -t DKIM_KEY_FILES_TMP < <(grep -o -E 'path = .*' "${FILE}" | cut -d '=' -f 2 | tr -d ' ";')
DKIM_KEY_FILES+=("${DKIM_KEY_FILES_TMP[@]}")
done
for FILE in "${DKIM_KEY_FILES[@]}"; do
if [[ -f ${FILE} ]]; then
__rspamd__log 'trace' "Checking DKIM file '${FILE}'"
# See https://serverfault.com/a/829314 for an explanation on `-exec false {} +`
# We additionally resolve symbolic links to check the permissions of the actual files
if find "$(realpath -eL "${FILE}")" -user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +; then
__rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' does not appear to have correct permissions/ownership for Rspamd to use it"
else
__rspamd__log 'trace' "DKIM file '${FILE}' permissions and ownership appear correct"
fi
else
__rspamd__log 'warn' "Rspamd DKIM private key file '${FILE}' is configured for usage, but does not appear to exist"
fi
done
}
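Review bot: The `find` expression in `__rspamd__check_dkim_permissions` lacks grouping: juxtaposition/`-and` binds tighter than `-or`, so `-user _rspamd -or -group _rspamd -or -perm -o=r -exec false {} +` is evaluated as `-user _rspamd -or -group _rspamd -or ( -perm -o=r -exec false {} + )`. For a key file owned by `_rspamd` (or with group `_rspamd`) the first test short-circuits to true, `-exec false` never runs, `find` exits 0 and the function logs the "does not appear to have correct permissions" warning for exactly the files that are set up correctly, while only world-readable keys reach the `else` branch. Grouping the tests fixes it: `if find "$(realpath -eL "${FILE}")" \( -user _rspamd -or -group _rspamd -or -perm -o=r \) -exec false {} +; then`. Treating `-perm -o=r` as acceptable also means a world-readable private key passes silently, so a separate `warn` for that case would be worth adding, and `DKIM_KEY_FILES_TMP` should be declared `local` next to the other variables.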