LDAP support added

Dockerfile

@@ -7,8 +7,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 ENV PYTHONUNBUFFERED=1
 
 RUN apt-get update && apt-get install -y -q --no-install-recommends \
-    postfix postfix-pgsql postfix-mysql postfix-pcre libsasl2-modules \
-    dovecot-core dovecot-imapd dovecot-lmtpd dovecot-pgsql dovecot-mysql dovecot-sieve dovecot-managesieved dovecot-pop3d \
+    postfix postfix-pgsql postfix-mysql postfix-ldap postfix-pcre libsasl2-modules \
+    dovecot-core dovecot-imapd dovecot-lmtpd dovecot-pgsql dovecot-mysql dovecot-ldap dovecot-sieve dovecot-managesieved dovecot-pop3d \
     fetchmail libdbi-perl libdbd-pg-perl libdbd-mysql-perl liblockfile-simple-perl \
     clamav clamav-daemon \
     python-setuptools python-gpgme \

docker-compose.yml

@@ -0,0 +1,236 @@
+version: "3.7"
+
+# IPv4 only
+# docker network create http_network
+
+# IPv4/IPv6 network
+# docker network create http_network --ipv6 --subnet "fd00:0000:0000:0000::/64"
+# Refer to https://github.com/hardware/mailserver/#ipv6-support for more information.
+
+networks:
+#  traefik:
+#    external: true
+  mail_network:
+    external: false
+  ldap-overlay:
+    driver: overlay
+    external: true
+
+services:
+#  traefik:
+#    image: traefik:1.7-alpine
+#    container_name: traefik
+#    restart: ${RESTART_MODE}
+#    ports:
+#      - "80:80"
+#      - "443:443"
+#    labels:
+#      - traefik.enable=true
+#      - traefik.frontend.rule=Host:mail.${MAILSERVER_DOMAIN}
+#      - traefik.port=8080
+#      - traefik.docker.network=http_network
+#    volumes:
+#      - /var/run/docker.sock:/var/run/docker.sock:ro
+#      - ${VOLUMES_ROOT_PATH}/traefik/traefik.toml:/traefik.toml:ro
+#      - ${VOLUMES_ROOT_PATH}/traefik/acme:/etc/traefik/acme
+#    networks:
+#      - http_network
+
+  mailserver:
+    build: .
+#    image: hardware/mailserver:${MAILSERVER_DOCKER_TAG}
+    container_name: mailserver
+#    restart: ${RESTART_MODE}
+    domainname: "docker.spy.de"                    # Mail server A/MX/FQDN & reverse PTR = mail.domain.tld.
+    hostname: "docker"
+    labels:
+      - traefik.enable=true
+      - traefik.frontend.rule=Host:spam.${MAILSERVER_DOMAIN}
+      - traefik.port=11334
+      - traefik.docker.network=traefik
+    # extra_hosts:                          - Required for external database (on other server or for local databases on host without docker)
+    #  - "mariadb:xx.xx.xx.xx"              - Replace with IP address of MariaDB server
+    #  - "redis:xx.xx.xx.xx"                - Replace with IP address of Redis server
+#    ports:
+#      - "25:25"       # SMTP                - Required
+#    # - "110:110"     # POP3       STARTTLS - Optional - For webmails/desktop clients
+#      - "143:143"     # IMAP       STARTTLS - Optional - For webmails/desktop clients
+#    # - "465:465"     # SMTPS      SSL/TLS  - Optional - Enabled for compatibility reason, otherwise disabled
+#      - "587:587"     # Submission STARTTLS - Optional - For webmails/desktop clients
+#      - "993:993"     # IMAPS      SSL/TLS  - Optional - For webmails/desktop clients
+#    # - "995:995"     # POP3S      SSL/TLS  - Optional - For webmails/desktop clients
+#      - "4190:4190"   # SIEVE      STARTTLS - Optional - Recommended for mail filtering
+    environment:
+#      - DBPASS=${DATABASE_USER_PASSWORD}       # MariaDB database password (required)
+      RSPAMD_PASSWORD: "geheim"                # Rspamd WebUI password (required)
+
+      LDAP_ENABLED: "true"
+      LDAP_HOST: "openldap"
+      LDAP_TLS_ENABLED: "true"
+#      LDAP_TLS_CA_FILE: ""
+#      LDAP_TLS_FORCE: ""
+      LDAP_BIND: "true"
+      LDAP_BIND_DN: "cn=admin,dc=spy,dc=de"
+      LDAP_BIND_PW: "geheim"
+      LDAP_DEFAULT_SEARCH_BASE: "o=spy.de,dc=spy,dc=de"
+#      LDAP_DEFAULT_SEARCH_SCOPE: ""
+
+      LDAP_DOMAIN_SEARCH_BASE: "ou=mx.spy.de,o=spy.de,dc=spy,dc=de"
+#      LDAP_DOMAIN_SEARCH_SCOPE: ""
+      LDAP_DOMAIN_FILTER: "(filter=domain)"
+      LDAP_DOMAIN_ATTRIBUTE: "domainattr"
+      LDAP_DOMAIN_FORMAT: "domainformat"
+
+#      LDAP_MAILBOX_SEARCH_BASE: ""
+#      LDAP_MAILBOX_SEARCH_SCOPE: ""
+      LDAP_MAILBOX_FILTER: "(filter=mailbox)"
+      LDAP_MAILBOX_ATTRIBUTE: "mailboxattribute"
+#      LDAP_MAILBOX_FORMAT: ""
+
+#      LDAP_ALIAS_SEARCH_BASE: ""
+#      LDAP_ALIAS_SEARCH_SCOPE: ""
+      LDAP_ALIAS_FILTER: "(filter=alias)"
+      LDAP_ALIAS_ATTRIBUTE: "aliasattribute"
+#      LDAP_ALIAS_FORMAT: ""
+
+#      LDAP_SENDER_SEARCH_BASE: ""
+#      LDAP_SENDER_SEARCH_SCOPE: ""
+      LDAP_SENDER_FILTER: "(filter=sender)"
+      LDAP_SENDER_ATTRIBUTE: "senderattribute"
+#      LDAP_SENDER_FORMAT: ""
+
+    # - ADD_DOMAINS=aa.tld, www.bb.tld...      # Add additional domains separated by commas (needed for dkim keys etc.)
+    # - DEBUG_MODE=true                        # Enable Postfix, Dovecot, Rspamd and Unbound verbose logging
+    # - ENABLE_POP3=true                       # Enable POP3 protocol
+    # - ENABLE_FETCHMAIL=true                  # Enable fetchmail forwarding
+    # - DISABLE_RATELIMITING=false             # Enable ratelimiting policy
+    # - DISABLE_CLAMAV=true                    # Disable virus scanning
+    # - DISABLE_SIGNING=true                   # Disable DKIM/ARC signing
+    # - DISABLE_GREYLISTING=true               # Disable greylisting policy
+    #
+    # Full list : https://github.com/hardware/mailserver#environment-variables
+    #
+#    volumes:
+#      - ${VOLUMES_ROOT_PATH}/mail:/var/mail
+    depends_on:
+#      - mariadb
+      - redis
+    networks:
+      - ldap-overlay
+      - mail_network
+#      - http_network
+
+#  # Administration interface
+#  # https://github.com/hardware/postfixadmin
+#  # http://postfixadmin.sourceforge.net/
+#  # Configuration : https://github.com/hardware/mailserver/wiki/Postfixadmin-initial-configuration
+#  postfixadmin:
+#    image: hardware/postfixadmin
+#    container_name: postfixadmin
+#    restart: ${RESTART_MODE}
+#    domainname: ${MAILSERVER_DOMAIN}
+#    hostname: ${MAILSERVER_HOSTNAME}
+#    labels:
+#      - traefik.enable=true
+#      - traefik.frontend.rule=Host:postfixadmin.${MAILSERVER_DOMAIN}
+#      - traefik.port=8888
+#      - traefik.docker.network=http_network
+#    environment:
+#      - DBPASS=${DATABASE_USER_PASSWORD}
+#    depends_on:
+#      - mailserver
+#      - mariadb
+#    networks:
+#      - mail_network
+#      - http_network
+
+  # Webmail (Optional)
+  # https://github.com/hardware/rainloop
+  # https://www.rainloop.net/
+  # Configuration : https://github.com/hardware/mailserver/wiki/Rainloop-initial-configuration
+#  rainloop:
+#    image: hardware/rainloop
+#    container_name: rainloop
+##    restart: ${RESTART_MODE}
+#    labels:
+#      - traefik.enable=true
+#      - traefik.port=8888
+#      - traefik.frontend.rule=Host:webmail.${MAILSERVER_DOMAIN}
+#      - traefik.docker.network=traefik
+#    volumes:
+#      - ${VOLUMES_ROOT_PATH}/rainloop:/rainloop/data
+#    depends_on:
+#      - mailserver
+##      - mariadb
+#    networks:
+#      - mail_network
+#      - traefik
+
+  # Alternative webmail (Optional)
+  # https://github.com/hardware/afterlogic-webmail-lite
+  # https://afterlogic.org/webmail-lite
+  # Configuration : https://github.com/hardware/mailserver/wiki/AfterLogic-Webmail-Lite-initial-configuration
+  # afterlogic-webmail-lite:
+  #   image: hardware/afterlogic-webmail-lite
+  #   container_name: afterlogic-webmail-lite
+  #   restart: ${RESTART_MODE}
+  #   labels:
+  #     - traefik.enable=true
+  #     - traefik.port=8888
+  #     - traefik.frontend.rule=Host:webmail.${MAILSERVER_DOMAIN}
+  #     - traefik.docker.network=http_network
+  #   volumes:
+  #     - ${VOLUMES_ROOT_PATH}/afterlogic-webmail-lite:/afterlogic-webmail-lite/data
+  #   depends_on:
+  #     - mailserver
+  #     - mariadb
+  #   networks:
+  #     - mail_network
+  #     - http_network
+
+  # Authoritative DNS server (Optional)
+  # https://github.com/hardware/nsd-dnssec
+  # https://www.nlnetlabs.nl/projects/nsd/
+  # Configuration : https://github.com/hardware/mailserver/wiki/NSD-initial-configuration
+  # nsd:
+  #   image: hardware/nsd-dnssec
+  #   container_name: nsd
+  #   restart: ${RESTART_MODE}
+  #   ports:
+  #     - "53:53"
+  #     - "53:53/udp"
+  #   volumes:
+  #     - ${VOLUMES_ROOT_PATH}/nsd/conf:/etc/nsd
+  #     - ${VOLUMES_ROOT_PATH}/nsd/zones:/zones
+  #     - ${VOLUMES_ROOT_PATH}/nsd/db:/var/db/nsd
+
+#  # Database
+#  # https://github.com/docker-library/mariadb
+#  # https://mariadb.org/
+#  mariadb:
+#    image: mariadb:10.2
+#    container_name: mariadb
+#    restart: ${RESTART_MODE}
+#    # Info : These variables are ignored when the volume already exists (if databases was created before).
+#    environment:
+#      - MYSQL_RANDOM_ROOT_PASSWORD=yes
+#      - MYSQL_DATABASE=postfix
+#      - MYSQL_USER=postfix
+#      - MYSQL_PASSWORD=${DATABASE_USER_PASSWORD}
+#    volumes:
+#      - ${VOLUMES_ROOT_PATH}/mysql/db:/var/lib/mysql
+#    networks:
+#      - mail_network
+#
+  # Database
+  # https://github.com/docker-library/redis
+  # https://redis.io/
+  redis:
+    image: redis:4.0-alpine
+    container_name: redis
+#    restart: ${RESTART_MODE}
+    command: redis-server --appendonly yes
+#    volumes:
+#      - ${VOLUMES_ROOT_PATH}/redis/db:/data
+    networks:
+      - mail_network

rootfs/etc/dovecot/conf.d/10-auth.conf

@@ -1,3 +1,8 @@
 disable_plaintext_auth = yes
 auth_mechanisms = plain login
-!include auth-sql.conf.ext
+
+{{ if eq .LDAP_ENABLED "true" }}
+!include auth-ldap.conf.ext
+{{ else }}
+!include auth-sql.conf.ext
+{{ end }}

rootfs/etc/dovecot/conf.d/auth-ldap.conf.ext

@@ -0,0 +1,9 @@
+passdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}

rootfs/etc/dovecot/dovecot-ldap.conf.ext

@@ -0,0 +1,16 @@
+hosts           = {{ .LDAP_HOST }}
+ldap_version    = 3
+auth_bind       = yes
+dn              = {{ .LDAP_BIND_DN }}
+dnpass          = {{ .LDAP_BIND_PW }}
+base            = {{ .LDAP_MAILBOX_SEARCH_BASE }}
+scope           = {{ .LDAP_MAILBOX_SEARCH_SCOPE }}
+deref           = never
+
+user_attrs = quota=quota=maildir:storage
+user_attrs = quota=quota=maildir:storage=%$B
+user_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
+
+pass_attrs = mail,userPassword
+pass_filter = (&(objectClass=VirtualMailAccount)(accountActive=TRUE)(mail=%u))
+#default_pass_scheme = MD5

rootfs/etc/postfix/ldap/sender-login-maps.cf

@@ -0,0 +1,35 @@
+server_host = {{ .LDAP_HOST }}
+version = 3
+
+{{ if eq .LDAP_TLS_ENABLED "true" }}
+start_tls = yes
+{{ else }}
+start_tls = no
+{{ end }}
+
+{{ if ne .LDAP_TLS_CA_FILE "" }}
+tls_ca_cert_file = {{ .LDAP_TLS_CA_FILE }}
+{{ end }}
+
+{{ if eq .LDAP_TLS_FORCE "true" }}
+tls_require_cert = true
+{{ end }}
+
+{{ if eq .LDAP_BIND "true" }}
+bind = yes
+bind_dn = {{ .LDAP_BIND_DN }}
+bind_pw = {{ .LDAP_BIND_PW }}
+{{ else }}
+bind = no
+{{ end }}
+
+
+search_base = {{ .LDAP_SENDER_SEARCH_BASE }}
+scope = {{ .LDAP_SENDER_SEARCH_SCOPE }}
+
+query_filter = {{ .LDAP_SENDER_FILTER }}
+result_attribute = {{ .LDAP_SENDER_ATTRIBUTE }}
+
+{{ if ne .LDAP_SENDER_FORMAT "" }}
+result_format = {{ .LDAP_SENDER_FORMAT }}
+{{ end }}

rootfs/etc/postfix/ldap/virtual-alias-maps.cf

@@ -0,0 +1,36 @@
+server_host = {{ .LDAP_HOST }}
+version = 3
+
+{{ if eq .LDAP_TLS_ENABLED "true" }}
+start_tls = yes
+{{ else }}
+start_tls = no
+{{ end }}
+
+{{ if ne .LDAP_TLS_CA_FILE "" }}
+tls_ca_cert_file = {{ .LDAP_TLS_CA_FILE }}
+{{ end }}
+
+{{ if eq .LDAP_TLS_FORCE "true" }}
+tls_require_cert = true
+{{ end }}
+
+{{ if eq .LDAP_BIND "true" }}
+bind = yes
+bind_dn = {{ .LDAP_BIND_DN }}
+bind_pw = {{ .LDAP_BIND_PW }}
+{{ else }}
+bind = no
+{{ end }}
+
+
+search_base = {{ .LDAP_ALIAS_SEARCH_BASE }}
+scope = {{ .LDAP_ALIAS_SEARCH_SCOPE }}
+
+query_filter = {{ .LDAP_ALIAS_FILTER }}
+result_attribute = {{ .LDAP_ALIAS_ATTRIBUTE }}
+
+{{ if ne .LDAP_ALIAS_FORMAT "" }}
+result_format = {{ .LDAP_ALIAS_FORMAT }}
+{{ end }}
+

rootfs/etc/postfix/ldap/virtual-mailbox-domains.cf

@@ -0,0 +1,35 @@
+server_host = {{ .LDAP_HOST }}
+version = 3
+
+{{ if eq .LDAP_TLS_ENABLED "true" }}
+start_tls = yes
+{{ else }}
+start_tls = no
+{{ end }}
+
+{{ if ne .LDAP_TLS_CA_FILE "" }}
+tls_ca_cert_file = {{ .LDAP_TLS_CA_FILE }}
+{{ end }}
+
+{{ if eq .LDAP_TLS_FORCE "true" }}
+tls_require_cert = true
+{{ end }}
+
+{{ if eq .LDAP_BIND "true" }}
+bind = yes
+bind_dn = {{ .LDAP_BIND_DN }}
+bind_pw = {{ .LDAP_BIND_PW }}
+{{ else }}
+bind = no
+{{ end }}
+
+
+search_base = {{ .LDAP_DOMAIN_SEARCH_BASE }}
+scope = {{ .LDAP_DOMAIN_SEARCH_SCOPE }}
+
+query_filter = {{ .LDAP_DOMAIN_FILTER }}
+result_attribute = {{ .LDAP_DOMAIN_ATTRIBUTE }}
+
+{{ if ne .LDAP_DOMAIN_FORMAT "" }}
+result_format = {{ .LDAP_DOMAIN_FORMAT }}
+{{ end }}