dovecot oauth2

group_vars/mail.yml

@@ -15,8 +15,22 @@ ldap_query_filter_alias: "(&(objectClass=posixAccount)(emailalternative=%s))"
 ldap_query_filter_domain: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
 ldap_query_filter_senders: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
 
-sasl_ldap_filter: "(&(|(uid=%U)(mail=%U))(class=posixAccount))"
+sasl_ldap_filter: >
+  (&(|(uid=%U)(mail=%U))(class=posixAccount)
+  (memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
 
-dovecot_user_filter: "(&(class=posixAccount)(uid=%u))"
+dovecot_user_filter: >
+  (&(class=posixAccount)(uid=%u)
+  (memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
 dovecot_auth_bind_userdn: "uid=%u,dc=auth,dc=hatecomputers,dc=club"
 dovecot_user_attrs: "=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
+
+roundcube_default_host: "ssl://mail.hatecomputers.club"
+roundcube_default_port: 993
+roundcube_smtp_host: "ssl://mail.hatecomputers.club"
+roundcube_smtp_port: 465
+
+roundcube_oauth2_auth_uri: "https://auth.hatecomputers.club/ui/oauth2"
+roundcube_oauth2_user_uri: >
+  https://auth.hatecomputers.club/oauth2/openid/roundcube/userinfo
+roundcube_oauth2_token_uri: "https://auth.hatecomputers.club/oauth2/token"

playbooks/roles/mail/tasks/main.yml

@@ -9,7 +9,7 @@
     mode: 0700
 
 - name: Ensure mail config volume exist
-  file:
+  ansible.builtin.file:
     path: /etc/docker/compose/mail/docker-data/dms/config
     state: directory
     owner: root
@@ -17,12 +17,12 @@
     mode: 0700
 
 - name: Ensure mail entries volume exist with correct permission
-  file:
+  ansible.builtin.file:
     path: /etc/docker/compose/mail/docker-data/dms/mail-data/
     state: directory
-    owner: root
+    owner: 5000
-    group: root
+    group: 5000
-    mode: 0777
+    mode: 0700
     recurse: true
 
 - name: Ensure dovecot ldap config exist
@@ -41,6 +41,22 @@
     group: root
     mode: 0700
 
+- name: Ensure roundcube config volume exist
+  ansible.builtin.file:
+    path: /etc/docker/compose/mail/docker-data/roundcube/config
+    state: directory
+    owner: root
+    group: root
+    mode: 0777
+
+- name: Build roundcube oauth2 config
+  ansible.builtin.template:
+    src: oauth2.inc.php.j2
+    dest: /etc/docker/compose/mail/docker-data/roundcube/config/oauth2.inc.php
+    owner: root
+    group: root
+    mode: 0777
+
 - name: Build mail docker-compose.yml.j2
   ansible.builtin.template:
     src: docker-compose.yml.j2

playbooks/roles/mail/templates/docker-compose.yml.j2

@@ -1,13 +1,32 @@
+version: '3'
+
 services:
+  roundcube:
+    image: roundcube/roundcubemail:latest
+    restart: always
+    volumes:
+      - ./docker-data/roundcube/www:/var/www/html
+      - ./docker-data/roundcube/db/sqlite:/var/roundcube/db
+      - ./docker-data/roundcube/config:/var/roundcube/config
+    ports:
+      - 127.0.0.1:9002:80
+    environment:
+      - ROUNDCUBEMAIL_DB_TYPE=sqlite
+      - ROUNDCUBEMAIL_SKIN=elastic
+      - ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
+      - ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
+      - ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
+      - ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
+
   mailserver:
     image: ghcr.io/docker-mailserver/docker-mailserver:latest
-    container_name: mailserver
     hostname: {{ mail_domain }}
+    restart: always
     ports:
-      - "0.0.0.0:25:25"
+      - 0.0.0.0:25:25
-      - "0.0.0.0:465:465"
+      - 0.0.0.0:465:465
-      - "0.0.0.0:587:587"
+      - 0.0.0.0:587:587
-      - "0.0.0.0:993:993"
+      - 0.0.0.0:993:993
     volumes:
       - ./docker-data/dms/mail-data/:/var/mail/
       - ./docker-data/dms/mail-state/:/var/mail-state/
@@ -18,7 +37,7 @@ services:
       - /etc/localtime:/etc/localtime:ro
     environment:
       - SSL_TYPE=letsencrypt
-      - ENABLE_CLAMAV=1
+      - ENABLE_CLAMAV=0
       - ENABLE_AMAVIS=1
       - ENABLE_FAIL2BAN=1
       - ENABLE_SASLAUTHD=1
@@ -42,4 +61,6 @@ services:
       - ENABLE_SASLAUTHD=1
       - SASLAUTHD_MECHANISMS=ldap
       - SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }} 
-    restart: always
+
+      - ENABLE_OAUTH2=1
+      - OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}

playbooks/roles/mail/templates/oauth2.inc.php.j2

@@ -0,0 +1,19 @@
+<?php
+
+$config['oauth_provider'] = 'generic';
+$config['oauth_provider_name'] = 'hatecomputers.club <3';
+$config['oauth_client_id'] = '{{ roundcube_oauth2_client_id }}';
+$config['oauth_client_secret'] = '{{ roundcube_oauth2_client_basic_secret }}';
+$config['oauth_auth_uri'] = '{{ roundcube_oauth2_auth_uri }}';
+$config['oauth_token_uri'] = '{{ roundcube_oauth2_token_uri }}';
+$config['oauth_identity_uri'] = '{{ roundcube_oauth2_user_uri }}';
+
+$config['oauth_verify_peer'] = true;
+
+$config['oauth_scope'] = 'email openid profile';
+$config['oauth_identity_fields'] = ['email'];
+
+$config['oauth_login_redirect'] = true;
+
+$config['force_https'] = true;
+$config['use_https'] = true;

playbooks/roles/mail/templates/user-patches.sh.j2

@@ -8,3 +8,15 @@ postconf -e 'smtpd_sasl_auth_enable = yes'
 postconf -e 'broken_sasl_auth_clients = yes'
 
 echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf
+
+echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
+
+echo "passdb {
+    driver = ldap
+    args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+userdb {
+    driver = static
+    args = uid=5000 gid=5000 home=/var/mail/%u
+}" > /etc/dovecot/conf.d/auth-ldap.conf.ext

playbooks/roles/nginx/templates/fern.hatecomputers.club/https.mail.hatecomputers.club.conf

@@ -14,7 +14,7 @@ server {
   ssl_certificate_key /etc/letsencrypt/live/mail.hatecomputers.club/privkey.pem;
 
   location / {
-    proxy_pass         http://127.0.0.1:8331;
+    proxy_pass         http://127.0.0.1:9002;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   Host $host;
   }

secrets.txt

@@ -1,3 +1,5 @@
 cloudflare_api_token
 certbot_email
 email_ldap_api_token
+roundcube_oauth2_client_id
+roundcube_oauth2_client_basic_secret