docker-mailserver/target/dovecot/auth-passwdfile.inc

# Authentication for passwd-file users. Included from 10-auth.conf.
#
# Documentation
#   PassDB: https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
#   UserDB: https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb/
#
# !!! Attention !!!
#   Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.

passdb {
  driver = passwd-file
  mechanisms = plain login
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/userdb
  default_fields = uid=docker gid=docker home=/var/mail/%d/%u/home/
}
Dovecot based version of the mailserver. Courier and Cyrus Sasl have been removed and substituted with Dovecot which now handle authentication for Postfix, Imap and Pop3, with support for SSL. This allow the use of several encryption schemes for the password as well as a single user db. OpenDKIM keys can now be provided at the startup and will be used instead of generating new ones (so that you don't have to change your DNS configuration). This version builds correctly on Docker but no integration tests have been reworked to accommodate Dovecot instead of Courier and Cyrus Sasl. As such at present no automatic tests can be executed. 2016-04-07 14:20:51 +02:00			`# Authentication for passwd-file users. Included from 10-auth.conf.`
			`#`
fix: Make Dovecot aware of basic aliases in userdb for quota support + Use correct hash scheme in passdb configuration (#2248) Dovecot quota support would log auth failures when Postfix validated incoming mail to accept/reject and the `check_policy_service` for `quota-status` was queried with a recipient that was an account alias. When Dovecot is not aware of the user account, it will not be able to check a quota and inform Postfix that everything is fine, Postfix will accept the mail and send it to Dovecot, where if the quota is exceeded will result in a bounce back to the sender. This is considered "backscatter" and can be abused by spammers forging the sender address which can get your server blacklisted. The solution is to either disable quota support `ENABLE_QUOTAS=0`, or as a workaround, add dummy accounts to Dovecot userdb for aliases in `postfix-virtual.cf` (not `postfix-aliases.cf`), these dummy accounts will map to the real user account mailbox (real users are defined in `postfix-accounts.cf`). The workaround is naive, in that we only check for basic 1-to-1 alias mapping to real accounts. This will still be an issue for aliases that map to another alias or multiple addresses (real or alias). Unfortunately Postfix will not expand aliases until accepting mail where this would be too late. A better solution is to proxy the `check_policy_service` from Dovecot `quota-status` that Postfix queries in `main.cf:smtpd_recipient_restrictions`, however this requires a fair amount more of additional work and still requires an implementation to recursively query aliases for nested or multiple address mappings, which can then be forwarded to the `quota-status` service configured by Dovecot in `/etc/dovecot/conf.d/90-quota.conf`. LDAP users are unaffected as quota support is not supported/implemented with `docker-mailserver` at this time, it is always considered disabled when using LDAP. --- Additionally Dovecot configuration for `passdb` has been fixed to use the correct password hash scheme of `SHA512-CRYPT`. Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> 2021-11-01 02:20:22 +01:00			`# Documentation`
			`# PassDB: https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/`
			`# UserDB: https://doc.dovecot.org/configuration_manual/authentication/user_databases_userdb/`
			`#`
			`# !!! Attention !!!`
			# Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.
Dovecot based version of the mailserver. Courier and Cyrus Sasl have been removed and substituted with Dovecot which now handle authentication for Postfix, Imap and Pop3, with support for SSL. This allow the use of several encryption schemes for the password as well as a single user db. OpenDKIM keys can now be provided at the startup and will be used instead of generating new ones (so that you don't have to change your DNS configuration). This version builds correctly on Docker but no integration tests have been reworked to accommodate Dovecot instead of Courier and Cyrus Sasl. As such at present no automatic tests can be executed. 2016-04-07 14:20:51 +02:00
			`passdb {`
			`driver = passwd-file`
fix: Correctly support multiple Dovecot PassDBs (#3812) * fix: Dovecot PassDB should restrict allowed auth mechanisms This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban. Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used. * tests: Use `curl` for OAuth2 login test-cases instead of netcat `curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate. * chore: Add entry to `CHANGELOG.md` 2024-01-23 19:11:05 +01:00			`mechanisms = plain login`
fix: Make Dovecot aware of basic aliases in userdb for quota support + Use correct hash scheme in passdb configuration (#2248) Dovecot quota support would log auth failures when Postfix validated incoming mail to accept/reject and the `check_policy_service` for `quota-status` was queried with a recipient that was an account alias. When Dovecot is not aware of the user account, it will not be able to check a quota and inform Postfix that everything is fine, Postfix will accept the mail and send it to Dovecot, where if the quota is exceeded will result in a bounce back to the sender. This is considered "backscatter" and can be abused by spammers forging the sender address which can get your server blacklisted. The solution is to either disable quota support `ENABLE_QUOTAS=0`, or as a workaround, add dummy accounts to Dovecot userdb for aliases in `postfix-virtual.cf` (not `postfix-aliases.cf`), these dummy accounts will map to the real user account mailbox (real users are defined in `postfix-accounts.cf`). The workaround is naive, in that we only check for basic 1-to-1 alias mapping to real accounts. This will still be an issue for aliases that map to another alias or multiple addresses (real or alias). Unfortunately Postfix will not expand aliases until accepting mail where this would be too late. A better solution is to proxy the `check_policy_service` from Dovecot `quota-status` that Postfix queries in `main.cf:smtpd_recipient_restrictions`, however this requires a fair amount more of additional work and still requires an implementation to recursively query aliases for nested or multiple address mappings, which can then be forwarded to the `quota-status` service configured by Dovecot in `/etc/dovecot/conf.d/90-quota.conf`. LDAP users are unaffected as quota support is not supported/implemented with `docker-mailserver` at this time, it is always considered disabled when using LDAP. --- Additionally Dovecot configuration for `passdb` has been fixed to use the correct password hash scheme of `SHA512-CRYPT`. Co-authored-by: Casper <casperklein@users.noreply.github.com> Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> 2021-11-01 02:20:22 +01:00			`args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/userdb`
Dovecot based version of the mailserver. Courier and Cyrus Sasl have been removed and substituted with Dovecot which now handle authentication for Postfix, Imap and Pop3, with support for SSL. This allow the use of several encryption schemes for the password as well as a single user db. OpenDKIM keys can now be provided at the startup and will be used instead of generating new ones (so that you don't have to change your DNS configuration). This version builds correctly on Docker but no integration tests have been reworked to accommodate Dovecot instead of Courier and Cyrus Sasl. As such at present no automatic tests can be executed. 2016-04-07 14:20:51 +02:00			`}`

			`userdb {`
			`driver = passwd-file`
			`args = username_format=%u /etc/dovecot/userdb`
Dovecot: make home dir distinct from mail dir (#3335) * add new home dir for Dovecot I tried changing the mail dir, but this is a _very_ disruptive change, so I took approach 3 on <https://doc.dovecot.org/configuration_manual/home_directories_for_virtual_users/>, whereby the home directory is now inside the mail directory. The MDBOX/SDBOX formats are not touched by this change. The change itself could be considered breaking though. * adjust Sieve tests accordingly * Update target/dovecot/10-mail.conf * Update target/dovecot/auth-passwdfile.inc --------- Co-authored-by: Casper <casperklein@users.noreply.github.com> 2023-05-15 20:10:29 +02:00			`default_fields = uid=docker gid=docker home=/var/mail/%d/%u/home/`
Dovecot based version of the mailserver. Courier and Cyrus Sasl have been removed and substituted with Dovecot which now handle authentication for Postfix, Imap and Pop3, with support for SSL. This allow the use of several encryption schemes for the password as well as a single user db. OpenDKIM keys can now be provided at the startup and will be used instead of generating new ones (so that you don't have to change your DNS configuration). This version builds correctly on Docker but no integration tests have been reworked to accommodate Dovecot instead of Courier and Cyrus Sasl. As such at present no automatic tests can be executed. 2016-04-07 14:20:51 +02:00			`}`