Refonte de ldap_sasl : on prend unix_sasl en base

2cc6a7c0 · Roma · Rémy Huet · 2429e7d9 · 2cc6a7c0 · 2cc6a7c0
Unverified Commit 2cc6a7c0 authored 6 years ago by Roma Committed by Rémy Huet 6 years ago
--- a/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile
@@ -15,5 +15,6 @@ ENV LDAP_SERVER_HOSTNAME ldap.test.picasoft.net
 ENV LDAP_PORT 389

 COPY local_users /
+COPY saslauthd-postfix /etc/default/
 COPY entrypoint2.sh /
 ENTRYPOINT ["/entrypoint2.sh"]
--- a/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh
@@ -10,10 +10,11 @@ postconf -e "virtual_mailbox_maps = hash:/local_users"

 #on modifie temporairement les restrictions pour permettre à tout le monde d'envoyer du mail par notre serveur tant que la destination est autorisée (par les autres règles) et que celui qui tente de se servir du serveur est sur un réseau autorisé (typiquement l'hôte et le subnet)
 postconf -e "mynetworks = 127.0.0.0/8"
-postconf -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
+#voir en dessous pour la config sasl
+postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination"
+
+postconf -e "smtpd_client_restrictions = "

-#désactivation de la blacklist de clients à des fins de debug (elle rejette les clients en local)
-postconf -e "smtpd_client_restrictions = permit_mynetworks"
 #désactivation des restrictions sur le helo
 postconf -e "smtpd_helo_restrictions = "

@@ -22,17 +23,28 @@ postconf -e "virtual_transport = lmtp:inet:${LMTP_LAN_HOSTNAME}:${LMTP_PORT}"
 #:private/dovecot-lmtp

 #utiliser le démon saslauthd. Il est contacté par des appels de fonction à une lib et retourne la validité des login.
+postconf -e "smtpd_sasl_path = smtpd"
 cat <<EOF >> /etc/postfix/sasl/smtpd.conf
 pwcheck_method: saslauthd
 mech_list: PLAIN LOGIN
-ldap_servers: ldap://${LDAP_SERVER_HOSTNAME}:${LDAP_PORT}
-ldap_search_base: dc=picasoft, dc=net
-ldap_filter: objectClass=posixAccount
 EOF
-#configuration de saslauthd: utiliser le mécanisme ldap (on remplace pam par ldap dans la config par défaut de debian)
-sed -i -e 's/MECHANISMS="pam"/MECHANISMS="ldap"/g' /etc/default/saslauthd
-

+#fichiers de config et socket utilisés par le démon de saslauthd créé pour postfix (voir fichier copié dans le Dockerfile)
+dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
+adduser postfix sasl
+service saslauthd  restart
+
+#on utilise les comptes unix de l'hôte
+postconf -e 'smtpd_sasl_local_domain = $myhostname'
+postconf -e 'smtpd_sasl_auth_enable = yes'
+postconf -e 'smtpd_sasl_security_options = noanonymous'
+#autorise l'auth depuis des clients connus comme sécurisés mais utilisant des syntaxes obsolètes/non standard (=outlook)
+postconf -e 'broken_sasl_auth_clients = yes'
+
+useradd toto
+useradd bobo
+echo "toto:toutou"|chpasswd
+echo "bobo:boubou"|chpasswd

 postfix start
 postfix reload

--- a/pica-mail-mta/local_mailbox_ldap_sasl/saslauthd-postfix
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/saslauthd-postfix
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Auth. Daemon for Postfix"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd-postf"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="pam"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+
+# Option -m sets working dir for saslauthd (contains socket)
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()