From ea61a21259c404b42c20256b29312c0a2ac1d38a Mon Sep 17 00:00:00 2001
From: polarathene <5098581+polarathene@users.noreply.github.com>
Date: Sun, 3 Sep 2023 18:49:24 +1200
Subject: [PATCH] refactor: Adapt Postfix LDAP config generation to use Config Template

- `postfix.base` defaults are now potentially breaking: - The `query_filter` default is common between `ldap-users.cf` and `ldap-senders.cf`, but the `mailEnabled` attribute locks it in to requiring the `postfix-book` OpenLDAP schema. Like the `result_attribute` setting, this is only set as a convenient default but not as broadly useful like the `bind` + `version` settings. - `version = 3` is required as unlike SASLAuthd and Dovecot, the default for Postfix is `2`. - `bind = yes` because we only support configuring for this in DMS? - `ldap-senders.cf` originally differed with its `result_attribute` setting, but that default chosen looks to be more of a workaround introduced and should be more explicit? - The Postfix `.base` template does not include the four common attributes (_that Dovecot and SASLAuthd base configs do_), as the `LDAP_` prefix is presently the same (no `POSTFIX_` prefix), thus would override user config regardless. - `sender_login_maps.ldap` doesn't exist and isn't relevant to LDAP queries (seems to be accidentally included here). `ldap-senders.cf` provides this functionality. - `ldap-senders.cf` was not supporting copying over a user-provided config, it does now. - Internal location for these Postfix generated configs is now `/etc/postfix/ldap/`.
---
 target/features/ldap/postfix.base | 4 ++
 target/features/ldap/postfix.tmpl | 35 +++++++++++++++
 target/scripts/startup/setup.d/ldap.sh | 60 ++++++++++++++++----------
 3 files changed, 76 insertions(+), 23 deletions(-)
 create mode 100644 target/features/ldap/postfix.base
 create mode 100644 target/features/ldap/postfix.tmpl
diff --git a/target/features/ldap/postfix.base b/target/features/ldap/postfix.base
new file mode 100644
index 00000000..6623427b
--- /dev/null
+++ b/target/features/ldap/postfix.base
@@ -0,0 +1,4 @@
+bind = yes
+query_filter = (&(mail=%s)(mailEnabled=TRUE))
+result_attribute = mail
+version = 3
diff --git a/target/features/ldap/postfix.tmpl b/target/features/ldap/postfix.tmpl
new file mode 100644
index 00000000..4d48f31d
--- /dev/null
+++ b/target/features/ldap/postfix.tmpl
@@ -0,0 +1,35 @@
+# Postfix LDAP table docs: http://www.postfix.org/ldap_table.5.html
+server_host = ${SERVER_HOST}
+server_port = ${SERVER_PORT}
+timeout = ${TIMEOUT}
+search_base = ${SEARCH_BASE}
+query_filter = ${QUERY_FILTER}
+result_format = ${RESULT_FORMAT}
+domain = ${DOMAIN}
+result_attribute = ${RESULT_ATTRIBUTE}
+special_result_attribute = ${SPECIAL_RESULT_ATTRIBUTE}
+terminal_result_attribute = ${TERMINAL_RESULT_ATTRIBUTE}
+leaf_result_attribute = ${LEAF_RESULT_ATTRIBUTE}
+scope = ${SCOPE}
+bind = ${BIND}
+bind_dn = ${BIND_DN}
+bind_pw = ${BIND_PW}
+recursion_limit = ${RECURSION_LIMIT}
+expansion_limit = ${EXPANSION_LIMIT}
+size_limit = ${SIZE_LIMIT}
+dereference = ${DEREFERENCE}
+chase_referrals = ${CHASE_REFERRALS}
+version = ${VERSION}
+debuglevel = ${DEBUGLEVEL}
+sasl_mechs = ${SASL_MECHS}
+sasl_realm = ${SASL_REALM}
+sasl_authz_id = ${SASL_AUTHZ_ID}
+sasl_minssf = ${SASL_MINSSF}
+start_tls = ${START_TLS}
+tls_ca_cert_dir = ${TLS_CA_CERT_DIR}
+tls_ca_cert_file = ${TLS_CA_CERT_FILE}
+tls_cert = ${TLS_CERT}
+tls_key = ${TLS_KEY}
+tls_require_cert = ${TLS_REQUIRE_CERT}
+tls_random_file = ${TLS_RANDOM_FILE}
+tls_cipher_suite = ${TLS_CIPHER_SUITE}
diff --git a/target/scripts/startup/setup.d/ldap.sh b/target/scripts/startup/setup.d/ldap.sh
index 42115bbd..9b037f3b 100644
--- a/target/scripts/startup/setup.d/ldap.sh
+++ b/target/scripts/startup/setup.d/ldap.sh
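Review bot: `postfix.base` pins `bind`, `version` and a schema-specific `query_filter`, but sets nothing for TLS verification, so a deployment that enables `start_tls` (or an `ldaps://` `server_host`) without also setting `LDAP_TLS_REQUIRE_CERT` runs on Postfix's documented default of `tls_require_cert = no` and does not verify the directory server's certificate. Since this file exists to hold the defaults DMS wants for every generated table, consider adding `tls_require_cert = yes` here, or at least a comment stating that certificate verification is opt-in and needs `tls_ca_cert_file`/`tls_ca_cert_dir` to be supplied. The commit message already acknowledges that `mailEnabled=TRUE` and `result_attribute = mail` assume the `postfix-book` schema; a one-line comment in the file to that effect would spare the next reader a trip through the history.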
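Review bot: Every key in `postfix.tmpl` is rendered unconditionally, so any `LDAP_*` variable that is unset yields a bare `key =` line, and whether Postfix then falls back to its own default or rejects the table depends on `_cleanse_config` dropping empty assignments, which this patch does not show. The template's only header is the docs link; a second comment spelling out that contract would help, e.g. `# Unset variables render as empty values; these are expected to be removed downstream (_cleanse_config) before Postfix reads the file.` Note also that `bind_pw = ${BIND_PW}` writes the bind credential into the generated table in cleartext, so the permissions of the output file matter (raised separately on the ldap.sh hunk that creates it).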
@@ -2,33 +2,36 @@ function _setup_ldap() {
 _log 'debug' 'Setting up LDAP'
- _log 'trace' 'Checking for custom configs'
- for i in 'users' 'groups' 'aliases' 'domains'; do
- local FPATH="/tmp/docker-mailserver/ldap-${i}.cf"
- if [[ -f ${FPATH} ]]; then
- cp "${FPATH}" "/etc/postfix/ldap-${i}.cf"
- fi
- done
+ _log 'trace' "Configuring Postfix for LDAP"
+ mkdir -p /etc/postfix/ldap
- _log 'trace' 'Starting to override configs'
+ # Generate Postfix LDAP configs:
+ for QUERY_KIND in 'users' 'groups' 'aliases' 'domains' 'senders'; do
+ # NOTE: Presently, only `query_filter` is supported for individually targeting:
+ case "${QUERY_KIND}" in
+ ( 'users' )
+ export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
+ ;;
- local FILES=(
- /etc/postfix/ldap-users.cf
- /etc/postfix/ldap-groups.cf
- /etc/postfix/ldap-aliases.cf
- /etc/postfix/ldap-domains.cf
- /etc/postfix/ldap-senders.cf
- /etc/postfix/maps/sender_login_maps.ldap
- )
+ ( 'groups' )
+ export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
+ ;;
- for FILE in "${FILES[@]}"; do
- [[ ${FILE} =~ ldap-user ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
- [[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
- [[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
- [[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
- [[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
- [[ -f ${FILE} ]] && _replace_by_env_in_file 'LDAP_' "${FILE}"
+ ( 'aliases' )
+ export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
+ ;;
+
+ ( 'domains' )
+ export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
+ ;;
+
+ ( 'senders' )
+ export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
+ ;;
+ esac
+
+ _create_config_postfix "${QUERY_KIND}"
 done
 _log 'trace' "Configuring Dovecot for LDAP"
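Review bot: `mkdir -p /etc/postfix/ldap` creates a directory that nothing in this patch writes into: `_create_config_postfix` (the second ldap.sh hunk) still emits `/etc/postfix/ldap-${QUERY_KIND}.cf`, while the commit message says the generated configs now live under `/etc/postfix/ldap/`. One of the two should change; if the new directory is the intended target, the redirect in `_create_config_postfix` becomes `> "/etc/postfix/ldap/${QUERY_KIND}.cf"` and any `ldap:/etc/postfix/ldap-*.cf` references elsewhere (not in this patch) need the same move, otherwise the `mkdir` should go. The loop also leaves `LDAP_QUERY_FILTER` exported with the `senders` value once it finishes; harmless if nothing later reads it, but a short comment saying so would pre-empt the question. The `_setup_ldap` body continues past the end of this hunk.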
@@ -77,3 +80,14 @@ function _create_config_dovecot() {
 <(_template_with_env 'DOVECOT_' /etc/dms/ldap/dovecot.tmpl) \
 ) > /etc/dovecot/dovecot-ldap.conf.ext
 }
+
+# NOTE: Only relies on the `LDAP_` prefix, presently assigned a `POSTFIX_` prefix.
+function _create_config_postfix() {
+ local QUERY_KIND=${1}
+
+ _cleanse_config '=' <(cat 2>/dev/null \
 /etc/dms/ldap/postfix.base \
 "/tmp/docker-mailserver/ldap-${QUERY_KIND}.cf" \
 <(_template_with_env 'LDAP_' /etc/dms/ldap/postfix.tmpl) \
 ) > "/etc/postfix/ldap-${QUERY_KIND}.cf"
+}
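Review bot: The generated `ldap-${QUERY_KIND}.cf` carries `bind_pw` in cleartext, yet the redirect at the end of `_create_config_postfix` creates it with the process's default umask, so under the usual `022` the bind password ends up world-readable on the container filesystem. Tighten it after writing, e.g. `chmod 0640 -- "/etc/postfix/ldap-${QUERY_KIND}.cf"` with ownership matching whatever Postfix reads its tables as, or wrap the write in `umask 077`; ldap_table(5) gives the same advice for files that contain `bind_pw`. Separately, `cat 2>/dev/null` is presumably there to tolerate a missing user-provided `/tmp/docker-mailserver/ldap-${QUERY_KIND}.cf`, but it equally hides a missing `/etc/dms/ldap/postfix.base`, which would otherwise be the only signal that the image is broken; a `[[ -f ... ]]` test on the optional file alone would let that error surface.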