petit commit destiné à tester l'authentification IMAP /\*Y*JVK7jR SANS LDAP

petit commit destiné à tester l'authentification IMAP /\YJVK7jR SANS LDAP
28be3351 · Thomas Picouet · Rémy Huet · fbcdf749 · 28be3351 · 28be3351
Unverified Commit 28be3351 authored 6 years ago by Thomas Picouet Committed by Rémy Huet 6 years ago
--- a/pica-mail-mda/auth_plaintext/10-auth.conf
+++ b/pica-mail-mda/auth_plaintext/10-auth.conf
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+disable_plaintext_auth = no
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext
--- a/pica-mail-mda/auth_plaintext/Dockerfile
+++ b/pica-mail-mda/auth_plaintext/Dockerfile
+#Dockerfile pour le MDA de Picasoft
+#actuellement basé sur dovecot
+From debian
+
+#lors de l'installation de dovecot, par défaut, il y a des "fenêtres dans la console", ceci les désactive et utilise des réponses par défaut
+ENV DEBIAN_FRONTEND noninteractive
+
+#installation des paquets debian
+RUN apt-get update -y \
+  && apt-get install -y \
+      dovecot-common dovecot-imapd dovecot-lmtpd nano \
+  && rm -rf /var/lib/apt/lists/*
+
+
+#configuration de dovecot
+
+COPY ./10-auth.conf /etc/dovecot/conf.d/10-auth.conf
+COPY entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/pica-mail-mda/auth_plaintext/README.md
+++ b/pica-mail-mda/auth_plaintext/README.md
+Pour build:
+
+```
+sudo docker build -t pica-mail-mda-auth_plaintext .
+```
+Les différentes variables d'environnement du Dockerfile peuvent être "overridden" en utilisant le docker run (docker run -e "deep=purple") ou en utilisant docker compose.
--- a/pica-mail-mda/auth_plaintext/entrypoint.sh
+++ b/pica-mail-mda/auth_plaintext/entrypoint.sh
+#!/bin/bash
+
+#ajouter utilisateur
+adduser --disabled-password mail1
+#insertion de l'utilisateur mail1 dans la BD des password.
+echo "mail1:{PLAIN}mail1pwd:1000:1000::/home/mail1" > /etc/dovecot/users
+
+#désactiver l'utilisation du protocole ssl
+cat <<EOF >> /etc/dovecot/conf.d/10-ssl.conf
+ssl = no
+EOF
+
+#définir l'emplacement et le format des mails
+cat <<EOF >> /etc/dovecot/conf.d/10-mail.conf
+mail_location = maildir:~/Maildir
+EOF
+
+#lancer dovecot au premier plan
+dovecot -F