From f0edcc28d9ddfdae8fa95260c71dab25c53b419f Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Fri, 3 Mar 2023 23:42:55 +0100 Subject: [PATCH] config: ensure SASL socket file is not inside a volume mount (#3131) --- Dockerfile | 2 +- target/dovecot/10-master.conf | 22 +++++----------------- target/dovecot/lmtp-master.inc | 13 +++++++++++++ target/postfix/main.cf | 2 +- target/postfix/master.cf | 2 -- target/scripts/startup/setup-stack.sh | 3 +++ test/config/dovecot-lmtp/user-patches.sh | 17 +++++++++++------ 7 files changed, 34 insertions(+), 27 deletions(-) create mode 100644 target/dovecot/lmtp-master.inc diff --git a/Dockerfile b/Dockerfile index 1397332b..2e49b332 100644 --- a/Dockerfile +++ b/Dockerfile @@ -53,7 +53,7 @@ EOF # --- Dovecot ----------------------------------- # ----------------------------------------------- -COPY target/dovecot/auth-passwdfile.inc target/dovecot/auth-master.inc target/dovecot/??-*.conf /etc/dovecot/conf.d/ +COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/ COPY target/dovecot/sieve/ /etc/dovecot/sieve/ COPY target/dovecot/dovecot-purge.cron /etc/cron.d/dovecot-purge.disabled RUN chmod 0 /etc/cron.d/dovecot-purge.disabled diff --git a/target/dovecot/10-master.conf b/target/dovecot/10-master.conf index e4ec233a..2c5fa6ba 100644 --- a/target/dovecot/10-master.conf +++ b/target/dovecot/10-master.conf @@ -45,19 +45,7 @@ service pop3-login { } } -service lmtp { - unix_listener lmtp { - mode = 0660 - group = postfix - } - - # Create inet listener only if you can't use the above UNIX socket - #inet_listener lmtp { - # Avoid making LMTP visible for the entire internet - #address = - #port = - #} -} +!include lmtp-master.inc service imap { # Most of the memory goes to mmap()ing files. You may need to increase this 
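Review bot: The broadened `COPY target/dovecot/*.inc target/dovecot/*.conf /etc/dovecot/conf.d/` installs every .conf and .inc found in that directory, whereas the previous `??-*.conf` pattern only picked up the numbered fragments; any non-numbered .conf dropped into target/dovecot later will now be loaded by Dovecot implicitly. If that is intended, a short comment above the COPY records it, e.g. `# every *.conf / *.inc under target/dovecot is a conf.d fragment and is installed as-is`.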
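Review bot: `!include lmtp-master.inc` replaces the inline `service lmtp` block, but nothing in 10-master.conf says why the listener now lives in its own file; the test fixture in this same commit depends on overwriting lmtp-master.inc wholesale, so a comment above the include would make that contract visible, e.g. `# kept in a separate file so user-patches.sh can replace the whole LMTP service block`. Note that `!include` (unlike `!include_try`) makes Dovecot refuse to start when the file is missing, which is consistent with the Dockerfile copying it unconditionally.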
@@ -100,10 +88,10 @@ service auth { } # Postfix smtp-auth - unix_listener /var/spool/postfix/private/auth { - mode = 0666 - user = docker - group = docker + unix_listener /dev/shm/sasl-auth.sock { + mode = 0660 + user = postfix + group = postfix } # Auth process is run as this user. diff --git a/target/dovecot/lmtp-master.inc b/target/dovecot/lmtp-master.inc new file mode 100644 index 00000000..8bebaf42 --- /dev/null +++ b/target/dovecot/lmtp-master.inc @@ -0,0 +1,13 @@ +service lmtp { + unix_listener lmtp { + mode = 0660 + group = postfix + } + + # Create inet listener only if you can't use the above UNIX socket + # and avoid making LMTP visible for the entire internet + #inet_listener lmtp { + # address = 127.0.0.1 + # port = 24 + #} +} diff --git a/target/postfix/main.cf b/target/postfix/main.cf index 2cffe1c0..9d47348f 100644 --- a/target/postfix/main.cf +++ b/target/postfix/main.cf @@ -77,7 +77,7 @@ postscreen_bare_newline_action = enforce # SASL smtpd_sasl_auth_enable = no -smtpd_sasl_path = /var/spool/postfix/private/auth +smtpd_sasl_path = /dev/shm/sasl-auth.sock smtpd_sasl_type = dovecot smtpd_sasl_security_options = noanonymous diff --git a/target/postfix/master.cf b/target/postfix/master.cf index 52b6fe8d..beb3b216 100644 --- a/target/postfix/master.cf +++ b/target/postfix/master.cf @@ -19,7 +19,6 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot - -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject @@ -33,7 +32,6 @@ smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot - -o smtpd_sasl_path=private/auth -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_authenticated_header=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject 
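Review bot: Moving the SASL listener to `/dev/shm/sasl-auth.sock` places it on a world-writable, sticky tmpfs that is per-container by default but is shared with the host and other containers whenever the IPC namespace is shared; the hunk does not record that assumption, so a comment next to the listener would help, e.g. `# /dev/shm is never a volume mount; it is shared with the host under --ipc=host, so keep mode 0660 and the postfix group`. The change from `0666 docker:docker` to `0660 postfix:postfix` is the right tightening and is what keeps the socket usable only by Postfix in that shared case. Because the path is now absolute (the main.cf hunk below switches `smtpd_sasl_path` to the same value and the master.cf hunks drop the queue-relative `private/auth` overrides), any smtpd service in master.cf that still runs with chroot set to `y` could no longer reach the socket; the visible submission and smtps entries have chroot `n`, so this only needs confirming for services outside the hunks.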
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index 679c2b22..f677dfed 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -109,6 +109,9 @@ function _setup_apply_fixes_after_configuration _log 'debug' 'Checking /var/mail permissions' _chown_var_mail_if_necessary || _shutdown 'Failed to fix /var/mail permissions' + + _log 'trace' 'Remove left-over files and directories from older versions' + rm -rf /var/spool/postfix/{dev,etc,lib,usr,private/auth} } function _run_user_patches diff --git a/test/config/dovecot-lmtp/user-patches.sh b/test/config/dovecot-lmtp/user-patches.sh index 77a8a600..5881f46a 100644 --- a/test/config/dovecot-lmtp/user-patches.sh +++ b/test/config/dovecot-lmtp/user-patches.sh @@ -3,12 +3,17 @@ # This user script will be executed between configuration and starting daemons # To enable it you must save it in your config directory as "user-patches.sh" ## + echo "[user-patches.sh] Changing Dovecot LMTP service listener from a unix socket to TCP on port 24" -sedfile -i \ - -e "s|unix_listener lmtp|inet_listener lmtp|" \ - -e "s|mode = 0660|address = 0.0.0.0|" \ - -e "s|group = postfix|port = 24|" \ - /etc/dovecot/conf.d/10-master.conf + +cat >/etc/dovecot/conf.d/lmtp-master.inc << EOF +service lmtp { + inet_listener lmtp { + address = 127.0.0.1 + port = 24 + } +} +EOF ### Before / After ### @@ -21,7 +26,7 @@ sedfile -i \ # service lmtp { # inet_listener lmtp { -# address = 0.0.0.0 +# address = 127.0.0.1 # port = 24 # } # }
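Review bot: The added `rm -rf /var/spool/postfix/{dev,etc,lib,usr,private/auth}` runs unconditionally on every container start against the directory the commit subject describes as a volume mount, and the trace line is logged whether or not anything was removed, so an operator cannot tell from the log that the one-time migration actually happened. Those four directories look like remnants of a Postfix chroot; deleting them is only safe if no master.cf service still runs with chroot set to `y`, which this hunk does not show and which deserves a comment on the rm. I would test each path and log at debug only when it is removed; the enclosing function `_setup_apply_fixes_after_configuration` starts outside the hunk.
```shell
  _log 'trace' 'Remove left-over files and directories from older versions'
  # dev/etc/lib/usr are leftovers of the former Postfix chroot; private/auth is the old SASL socket
  local leftover
  for leftover in dev etc lib usr private/auth; do
    [[ -e "/var/spool/postfix/${leftover}" || -L "/var/spool/postfix/${leftover}" ]] || continue
    _log 'debug' "Removing legacy path '/var/spool/postfix/${leftover}'"
    rm -rf -- "/var/spool/postfix/${leftover}"
  done
```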
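Review bot: The heredoc that writes `/etc/dovecot/conf.d/lmtp-master.inc` uses an unquoted delimiter (`<< EOF`), so `$`, backticks and backslashes inside the config template are subject to shell expansion; the current body contains none, but a configuration fragment is safer written literally with `cat >/etc/dovecot/conf.d/lmtp-master.inc <<'EOF'`. The overwrite also replaces the shipped unix_listener (its `mode`/`group` lines) rather than adding to it, which is the intent of this fixture, so a one-line comment above the cat such as `# replaces the whole LMTP service block shipped in lmtp-master.inc` would make that explicit.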