From cfd78782611bbcb1dbd151b914a8035d433f50e2 Mon Sep 17 00:00:00 2001 From: Dashamir Hoxha Date: Wed, 30 Dec 2020 22:57:24 +0100 Subject: [PATCH] Describe how to authenticate with LDAP --- ...nly-mailserver-with-ldap-authentication.md | 79 ++++++++++++++++++- 1 file changed, 76 insertions(+), 3 deletions(-) diff --git a/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md index fda4e84c..3ab795f1 100644 --- a/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md +++ b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md @@ -1,4 +1,3 @@ -# Forward-Only mailserver with LDAP authentication ## Building a Forward-Only mailserver @@ -6,7 +5,7 @@ A **forward-only** mailserver does not have any local mailboxes. Instead, it has The important settings for this setup (on `mailserver.env`) are these: -``` +```console PERMIT_DOCKER=host ENABLE_POP3= ENABLE_CLAMAV=0 
@@ -19,8 +18,82 @@ Since there are no local mailboxes, we use `SMTP_ONLY=1` to disable `dovecot`. W We can create aliases with `./setup.sh`, like this: -``` +```bash ./setup.sh alias add ``` ## Authenticating with LDAP + +If you want to send emails from outside the mailserver you have to authenticate somehow (with a username and password). One way of doing it is described in [this discussion](https://github.com/tomav/docker-mailserver/issues/1247). However if there are many user accounts, it is better to use authentication with LDAP. The settings for this on `mailserver.env` are: + +```console +ENABLE_LDAP=1 +LDAP_START_TLS=yes +LDAP_SERVER_HOST=ldap.example.org +LDAP_SEARCH_BASE=ou=users,dc=example,dc=org +LDAP_BIND_DN=cn=mailserver,dc=example,dc=org +LDAP_BIND_PW=pass1234 + +ENABLE_SASLAUTHD=1 +SASLAUTHD_MECHANISMS=ldap +SASLAUTHD_LDAP_SERVER=ldap.example.org +SASLAUTHD_LDAP_SSL=0 +SASLAUTHD_LDAP_START_TLS=yes +SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org +SASLAUTHD_LDAP_PASSWORD=pass1234 +SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=example,dc=org +SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=inetOrgPerson)) +``` + +My LDAP data structure is very basic, containing only the username, password, and the external email address where to forward emails for this user. An entry looks like this + +```console +add uid=username,ou=users,dc=example,dc=org +uid: username +objectClass: inetOrgPerson +sn: username +cn: username +userPassword: {SSHA}abcdefghi123456789 +email: real-email-address@external-domain.com +``` + +This structure is different from what is expected/assumed from the configuration scripts of the mailserver, so it doesn't work just by using the `LDAP_QUERY_FILTER_...` settings. Instead, I had to do [custom configuration](https://github.com/tomav/docker-mailserver#custom-user-changes--patches). 
I created the script `config/user-patches.sh`, with a content like this: + +```bash +#!/bin/bash + +rm -f /etc/postfix/{ldap-groups.cf,ldap-domains.cf} + +postconf \ + "virtual_mailbox_domains = /etc/postfix/vhost" \ + "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf texthash:/etc/postfix/virtual" \ + "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf" + +sed -i /etc/postfix/ldap-users.cf \ + -e '/query_filter/d' \ + -e '/result_attribute/d' \ + -e '/result_format/d' +cat <> /etc/postfix/ldap-users.cf +query_filter = (uid=%u) +result_attribute = uid +result_format = %s@example.org +EOF + +sed -i /etc/postfix/ldap-aliases.cf \ + -e '/domain/d' \ + -e '/query_filter/d' \ + -e '/result_attribute/d' +cat <> /etc/postfix/ldap-aliases.cf +domain = example.org +query_filter = (uid=%u) +result_attribute = mail +EOF + +postfix reload +``` + +You see that besides `query_filter`, I had to customize as well `result_attribute` and `result_format`. + +For more details about using LDAP see: [LDAP managed mail server with Postfix and Dovecot for multiple domains](https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains) + +Another solution that serves as a forward-only mailserver is this: https://gitlab.com/docker-scripts/postfix
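Review bot: the first hunk (`@@ -1,4 +1,3 @@`) removes the page's only top-level heading, `# Forward-Only mailserver with LDAP authentication`, so the document now opens with the `## Building a Forward-Only mailserver` section. If the site's navigation config supplies the page title, a line in the commit message saying so would help; otherwise keep the H1, since the commit message only describes the LDAP addition and gives no reason for dropping it.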
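Review bot: in the second hunk (`@@ -6,7 +5,7 @@`), `console` is the fence tag for terminal sessions with prompts and output; this block holds `mailserver.env` assignments (`PERMIT_DOCKER=host`, `ENABLE_POP3=`, `ENABLE_CLAMAV=0`), so `bash`, `properties`, or leaving the fence untagged would be the accurate choice. The same `console` tag is reused in the third hunk for the `ENABLE_LDAP=1` settings block and for the LDIF entry, where it fits even less well.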
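Review bot: in the third hunk (`@@ -19,8 +18,82 @@`), the `user-patches.sh` lines `cat <> /etc/postfix/ldap-users.cf` and `cat <> /etc/postfix/ldap-aliases.cf` are not heredocs: `<>` opens the file read-write on stdin and `cat` just prints it, and the lines `query_filter = (uid=%u)` through `EOF` are then parsed as shell commands and fail. They should read `cat <<EOF >> /etc/postfix/ldap-users.cf` and `cat <<EOF >> /etc/postfix/ldap-aliases.cf`; it looks like the `<<EOF` was lost to markup escaping, so check the rendered page as well as the source. Separately, the LDIF entry stores the forwarding address in `email: real-email-address@external-domain.com`, while `ldap-aliases.cf` is given `result_attribute = mail`; `inetOrgPerson` defines `mail`, not `email`, so unless a custom schema adds `email` the alias lookup returns nothing, and the LDIF line should probably be `mail: real-email-address@external-domain.com`. The entry's first line `add uid=username,ou=users,dc=example,dc=org` is also not valid LDIF; `dn: uid=username,ou=users,dc=example,dc=org` (with `changetype: add` if fed to ldapmodify) is the expected form. Minor: `LDAP_BIND_PW=pass1234` and `SASLAUTHD_LDAP_PASSWORD=pass1234` would read better as an obvious placeholder so nobody copies the sample value into a live `mailserver.env`.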