dovecot oauth2

This commit is contained in:
Elizabeth Hunt 2024-03-23 01:57:50 -04:00
parent 9f72ccca0a
commit e5cd04465c
7 changed files with 99 additions and 15 deletions

View File

@ -15,8 +15,22 @@ ldap_query_filter_alias: "(&(objectClass=posixAccount)(emailalternative=%s))"
ldap_query_filter_domain: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
ldap_query_filter_senders: "(&(objectClass=posixAccount)(|(mail=%s)(uid=%s)))"
sasl_ldap_filter: "(&(|(uid=%U)(mail=%U))(class=posixAccount))"
sasl_ldap_filter: >
(&(|(uid=%U)(mail=%U))(class=posixAccount)
(memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
dovecot_user_filter: "(&(class=posixAccount)(uid=%u))"
dovecot_user_filter: >
(&(class=posixAccount)(uid=%u)
(memberOf=cn=mail,dc=auth,dc=hatecomputers,dc=club))
dovecot_auth_bind_userdn: "uid=%u,dc=auth,dc=hatecomputers,dc=club"
dovecot_user_attrs: "=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
roundcube_default_host: "ssl://mail.hatecomputers.club"
roundcube_default_port: 993
roundcube_smtp_host: "ssl://mail.hatecomputers.club"
roundcube_smtp_port: 465
roundcube_oauth2_auth_uri: "https://auth.hatecomputers.club/ui/oauth2"
roundcube_oauth2_user_uri: >
https://auth.hatecomputers.club/oauth2/openid/roundcube/userinfo
roundcube_oauth2_token_uri: "https://auth.hatecomputers.club/oauth2/token"

View File

@ -9,7 +9,7 @@
mode: 0700
- name: Ensure mail config volume exist
file:
ansible.builtin.file:
path: /etc/docker/compose/mail/docker-data/dms/config
state: directory
owner: root
@ -17,12 +17,12 @@
mode: 0700
- name: Ensure mail entries volume exist with correct permission
file:
ansible.builtin.file:
path: /etc/docker/compose/mail/docker-data/dms/mail-data/
state: directory
owner: root
group: root
mode: 0777
owner: 5000
group: 5000
mode: 0700
recurse: true
- name: Ensure dovecot ldap config exist
@ -41,6 +41,22 @@
group: root
mode: 0700
- name: Ensure roundcube config volume exist
ansible.builtin.file:
path: /etc/docker/compose/mail/docker-data/roundcube/config
state: directory
owner: root
group: root
mode: 0777
- name: Build roundcube oauth2 config
ansible.builtin.template:
src: oauth2.inc.php.j2
dest: /etc/docker/compose/mail/docker-data/roundcube/config/oauth2.inc.php
owner: root
group: root
mode: 0777
- name: Build mail docker-compose.yml.j2
ansible.builtin.template:
src: docker-compose.yml.j2

View File

@ -1,13 +1,32 @@
version: '3'
services:
roundcube:
image: roundcube/roundcubemail:latest
restart: always
volumes:
- ./docker-data/roundcube/www:/var/www/html
- ./docker-data/roundcube/db/sqlite:/var/roundcube/db
- ./docker-data/roundcube/config:/var/roundcube/config
ports:
- 127.0.0.1:9002:80
environment:
- ROUNDCUBEMAIL_DB_TYPE=sqlite
- ROUNDCUBEMAIL_SKIN=elastic
- ROUNDCUBEMAIL_DEFAULT_HOST={{ roundcube_default_host }}
- ROUNDCUBEMAIL_DEFAULT_PORT={{ roundcube_default_port }}
- ROUNDCUBEMAIL_SMTP_SERVER={{ roundcube_smtp_host }}
- ROUNDCUBEMAIL_SMTP_PORT={{ roundcube_smtp_port }}
mailserver:
image: ghcr.io/docker-mailserver/docker-mailserver:latest
container_name: mailserver
hostname: {{ mail_domain }}
restart: always
ports:
- "0.0.0.0:25:25"
- "0.0.0.0:465:465"
- "0.0.0.0:587:587"
- "0.0.0.0:993:993"
- 0.0.0.0:25:25
- 0.0.0.0:465:465
- 0.0.0.0:587:587
- 0.0.0.0:993:993
volumes:
- ./docker-data/dms/mail-data/:/var/mail/
- ./docker-data/dms/mail-state/:/var/mail-state/
@ -18,7 +37,7 @@ services:
- /etc/localtime:/etc/localtime:ro
environment:
- SSL_TYPE=letsencrypt
- ENABLE_CLAMAV=1
- ENABLE_CLAMAV=0
- ENABLE_AMAVIS=1
- ENABLE_FAIL2BAN=1
- ENABLE_SASLAUTHD=1
@ -42,4 +61,6 @@ services:
- ENABLE_SASLAUTHD=1
- SASLAUTHD_MECHANISMS=ldap
- SASLAUTHD_LDAP_FILTER={{ sasl_ldap_filter }}
restart: always
- ENABLE_OAUTH2=1
- OAUTH2_INTROSPECTION_URL={{ roundcube_oauth2_user_uri }}

View File

@ -0,0 +1,19 @@
<?php
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'hatecomputers.club <3';
$config['oauth_client_id'] = '{{ roundcube_oauth2_client_id }}';
$config['oauth_client_secret'] = '{{ roundcube_oauth2_client_basic_secret }}';
$config['oauth_auth_uri'] = '{{ roundcube_oauth2_auth_uri }}';
$config['oauth_token_uri'] = '{{ roundcube_oauth2_token_uri }}';
$config['oauth_identity_uri'] = '{{ roundcube_oauth2_user_uri }}';
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = 'email openid profile';
$config['oauth_identity_fields'] = ['email'];
$config['oauth_login_redirect'] = true;
$config['force_https'] = true;
$config['use_https'] = true;

View File

@ -8,3 +8,15 @@ postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
echo 'auth_username_format = %Ln' >> /etc/dovecot/conf.d/10-auth.conf
echo 'username_format = %Ln' >> /etc/dovecot/dovecot-oauth2.conf.ext
echo "passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = static
args = uid=5000 gid=5000 home=/var/mail/%u
}" > /etc/dovecot/conf.d/auth-ldap.conf.ext

View File

@ -14,7 +14,7 @@ server {
ssl_certificate_key /etc/letsencrypt/live/mail.hatecomputers.club/privkey.pem;
location / {
proxy_pass http://127.0.0.1:8331;
proxy_pass http://127.0.0.1:9002;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}

View File

@ -1,3 +1,5 @@
cloudflare_api_token
certbot_email
email_ldap_api_token
roundcube_oauth2_client_id
roundcube_oauth2_client_basic_secret