forked from jan/cacert-devsetup
Configure mgr and mail containers
This commit configures IMAP to work properly and makes logs of mgr and dovecot available.
This commit is contained in:
parent
30ddadd954
commit
af156f24c6
9 changed files with 164 additions and 4 deletions
|
@ -25,6 +25,8 @@ services:
|
||||||
dockerfile: mail.Dockerfile
|
dockerfile: mail.Dockerfile
|
||||||
volumes:
|
volumes:
|
||||||
- maildir:/home/catchall/Maildir
|
- maildir:/home/catchall/Maildir
|
||||||
|
env_file:
|
||||||
|
- ./.env
|
||||||
application:
|
application:
|
||||||
build:
|
build:
|
||||||
context: .
|
context: .
|
||||||
|
|
|
@ -9,9 +9,14 @@ sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_
|
||||||
|
|
||||||
mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
|
mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
|
||||||
REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
|
REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
|
||||||
VALUES (2, 2,'${CLIENT_CERT_EMAIL}','/CN=${CLIENT_CERT_USERNAME}///C=AU/O=CAcert Inc./CN=Class 3 Test CA');
|
VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
|
||||||
|
|
||||||
|
UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
|
||||||
|
UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';
|
||||||
|
UPDATE system_config SET config_value='catchall' WHERE config_key='imap.username';
|
||||||
|
UPDATE system_config SET config_value='${CATCHALL_MAILBOX_PASSWORD}' WHERE config_key='imap.password';
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
apache2ctl start "$@"
|
apache2ctl start "$@"
|
||||||
|
|
||||||
exec tail -F --follow=name --retry /var/log/apache2/error.log
|
exec tail -F --follow=name --retry /var/log/apache2/error.log /tmp/ca_mgr.log
|
||||||
|
|
|
@ -13,9 +13,14 @@
|
||||||
SSLCertificateChainFile /etc/ssl/certs/combined.crt
|
SSLCertificateChainFile /etc/ssl/certs/combined.crt
|
||||||
|
|
||||||
SSLCACertificateFile /etc/ssl/certs/combined.crt
|
SSLCACertificateFile /etc/ssl/certs/combined.crt
|
||||||
SSLVerifyClient require
|
SSLVerifyClient optional
|
||||||
SSLVerifyDepth 2
|
SSLVerifyDepth 2
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
|
|
||||||
|
<Directory /var/www/manager/public>
|
||||||
|
Options Indexes FollowSymlinks MultiViews
|
||||||
|
AllowOverride Options FileInfo
|
||||||
|
</Directory>
|
||||||
|
|
||||||
Header always set Strict-Transport-Security "max-age=31536000"
|
Header always set Strict-Transport-Security "max-age=31536000"
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
129
docker/imap_auth.conf
Normal file
129
docker/imap_auth.conf
Normal file
|
@ -0,0 +1,129 @@
|
||||||
|
##
|
||||||
|
## Authentication processes
|
||||||
|
##
|
||||||
|
|
||||||
|
# Disable LOGIN command and all other plaintext authentications unless
|
||||||
|
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
|
||||||
|
# matches the local IP (ie. you're connecting from the same computer), the
|
||||||
|
# connection is considered secure and plaintext authentication is allowed.
|
||||||
|
# See also ssl=required setting.
|
||||||
|
#disable_plaintext_auth = yes
|
||||||
|
|
||||||
|
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
|
||||||
|
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
|
||||||
|
#auth_cache_size = 0
|
||||||
|
# Time to live for cached data. After TTL expires the cached record is no
|
||||||
|
# longer used, *except* if the main database lookup returns internal failure.
|
||||||
|
# We also try to handle password changes automatically: If user's previous
|
||||||
|
# authentication was successful, but this one wasn't, the cache isn't used.
|
||||||
|
# For now this works only with plaintext authentication.
|
||||||
|
#auth_cache_ttl = 1 hour
|
||||||
|
# TTL for negative hits (user not found, password mismatch).
|
||||||
|
# 0 disables caching them completely.
|
||||||
|
#auth_cache_negative_ttl = 1 hour
|
||||||
|
|
||||||
|
# Space separated list of realms for SASL authentication mechanisms that need
|
||||||
|
# them. You can leave it empty if you don't want to support multiple realms.
|
||||||
|
# Many clients simply use the first one listed here, so keep the default realm
|
||||||
|
# first.
|
||||||
|
#auth_realms =
|
||||||
|
|
||||||
|
# Default realm/domain to use if none was specified. This is used for both
|
||||||
|
# SASL realms and appending @domain to username in plaintext logins.
|
||||||
|
#auth_default_realm =
|
||||||
|
|
||||||
|
# List of allowed characters in username. If the user-given username contains
|
||||||
|
# a character not listed in here, the login automatically fails. This is just
|
||||||
|
# an extra check to make sure user can't exploit any potential quote escaping
|
||||||
|
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
|
||||||
|
# set this value to empty.
|
||||||
|
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
||||||
|
|
||||||
|
# Username character translations before it's looked up from databases. The
|
||||||
|
# value contains series of from -> to characters. For example "#@/@" means
|
||||||
|
# that '#' and '/' characters are translated to '@'.
|
||||||
|
#auth_username_translation =
|
||||||
|
|
||||||
|
# Username formatting before it's looked up from databases. You can use
|
||||||
|
# the standard variables here, eg. %Lu would lowercase the username, %n would
|
||||||
|
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
|
||||||
|
# "-AT-". This translation is done after auth_username_translation changes.
|
||||||
|
#auth_username_format = %Lu
|
||||||
|
|
||||||
|
# If you want to allow master users to log in by specifying the master
|
||||||
|
# username within the normal username string (ie. not using SASL mechanism's
|
||||||
|
# support for it), you can specify the separator character here. The format
|
||||||
|
# is then <username><separator><master username>. UW-IMAP uses "*" as the
|
||||||
|
# separator, so that could be a good choice.
|
||||||
|
#auth_master_user_separator =
|
||||||
|
|
||||||
|
# Username to use for users logging in with ANONYMOUS SASL mechanism
|
||||||
|
#auth_anonymous_username = anonymous
|
||||||
|
|
||||||
|
# Maximum number of dovecot-auth worker processes. They're used to execute
|
||||||
|
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
|
||||||
|
# automatically created and destroyed as needed.
|
||||||
|
#auth_worker_max_count = 30
|
||||||
|
|
||||||
|
# Host name to use in GSSAPI principal names. The default is to use the
|
||||||
|
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
|
||||||
|
# entries.
|
||||||
|
#auth_gssapi_hostname =
|
||||||
|
|
||||||
|
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
|
||||||
|
# default (usually /etc/krb5.keytab) if not specified. You may need to change
|
||||||
|
# the auth service to run as root to be able to read this file.
|
||||||
|
#auth_krb5_keytab =
|
||||||
|
|
||||||
|
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
|
||||||
|
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
|
||||||
|
#auth_use_winbind = no
|
||||||
|
|
||||||
|
# Path for Samba's ntlm_auth helper binary.
|
||||||
|
#auth_winbind_helper_path = /usr/bin/ntlm_auth
|
||||||
|
|
||||||
|
# Time to delay before replying to failed authentications.
|
||||||
|
#auth_failure_delay = 2 secs
|
||||||
|
|
||||||
|
# Require a valid SSL client certificate or the authentication fails.
|
||||||
|
#auth_ssl_require_client_cert = no
|
||||||
|
|
||||||
|
# Take the username from client's SSL certificate, using
|
||||||
|
# X509_NAME_get_text_by_NID() which returns the subject's DN's
|
||||||
|
# CommonName.
|
||||||
|
#auth_ssl_username_from_cert = no
|
||||||
|
|
||||||
|
# Space separated list of wanted authentication mechanisms:
|
||||||
|
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
|
||||||
|
# gss-spnego
|
||||||
|
# NOTE: See also disable_plaintext_auth setting.
|
||||||
|
auth_mechanisms = plain
|
||||||
|
|
||||||
|
##
|
||||||
|
## Password and user databases
|
||||||
|
##
|
||||||
|
|
||||||
|
#
|
||||||
|
# Password database is used to verify user's password (and nothing more).
|
||||||
|
# You can have multiple passdbs and userdbs. This is useful if you want to
|
||||||
|
# allow both system users (/etc/passwd) and virtual users to login without
|
||||||
|
# duplicating the system users into virtual database.
|
||||||
|
#
|
||||||
|
# <doc/wiki/PasswordDatabase.txt>
|
||||||
|
#
|
||||||
|
# User database specifies where mails are located and what user/group IDs
|
||||||
|
# own them. For single-UID configuration use "static" userdb.
|
||||||
|
#
|
||||||
|
# <doc/wiki/UserDatabase.txt>
|
||||||
|
|
||||||
|
#!include auth-deny.conf.ext
|
||||||
|
#!include auth-master.conf.ext
|
||||||
|
|
||||||
|
#!include auth-system.conf.ext
|
||||||
|
#!include auth-sql.conf.ext
|
||||||
|
#!include auth-ldap.conf.ext
|
||||||
|
#!include auth-passwdfile.conf.ext
|
||||||
|
#!include auth-checkpassword.conf.ext
|
||||||
|
#!include auth-vpopmail.conf.ext
|
||||||
|
#!include auth-static.conf.ext
|
||||||
|
!include auth-plain-userdb.conf.ext
|
9
docker/imap_plain_userdb.conf
Normal file
9
docker/imap_plain_userdb.conf
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
passdb {
|
||||||
|
driver = passwd-file
|
||||||
|
args = username_format=%n /etc/dovecot/imap_user.txt
|
||||||
|
}
|
||||||
|
userdb {
|
||||||
|
driver = passwd-file
|
||||||
|
args = username_format=%n /etc/dovecot/imap_user.txt
|
||||||
|
default_fields = uid=catchall gid=catchall home=/home/%n mail=maildir:/home/%n/Maildir
|
||||||
|
}
|
|
@ -124,5 +124,5 @@ GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
|
||||||
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
|
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
|
||||||
GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
|
GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
|
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.users TO $MYSQL_MGR_USER@'%';
|
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%';
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -1,4 +1,10 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
echo "catchall:{plain}${CATCHALL_MAILBOX_PASSWORD}::::::" \
|
||||||
|
> /etc/dovecot/imap_user.txt
|
||||||
|
chmod 0640 /etc/dovecot/imap_user.txt
|
||||||
|
chown dovecot.dovecot /etc/dovecot/imap_user.txt
|
||||||
|
echo "log_path = /dev/stderr" > /etc/dovecot/local.conf
|
||||||
|
|
||||||
dovecot -F
|
dovecot -F
|
||||||
|
|
|
@ -15,6 +15,8 @@ RUN apt-get update \
|
||||||
EXPOSE 143
|
EXPOSE 143
|
||||||
|
|
||||||
RUN adduser --uid 1000 --gecos "catchall mailbox" --disabled-password catchall
|
RUN adduser --uid 1000 --gecos "catchall mailbox" --disabled-password catchall
|
||||||
|
COPY docker/imap_auth.conf /etc/dovecot/conf.d/10-auth.conf
|
||||||
|
COPY docker/imap_plain_userdb.conf /etc/dovecot/conf.d/auth-plain-userdb.conf.ext
|
||||||
|
|
||||||
VOLUME /home/catchall/Maildir
|
VOLUME /home/catchall/Maildir
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@ RUN apt-get update \
|
||||||
locales-all \
|
locales-all \
|
||||||
mariadb-client \
|
mariadb-client \
|
||||||
nullmailer \
|
nullmailer \
|
||||||
|
php5-imap \
|
||||||
php5-mysql \
|
php5-mysql \
|
||||||
zendframework \
|
zendframework \
|
||||||
&& apt-get clean \
|
&& apt-get clean \
|
||||||
|
@ -33,6 +34,7 @@ VOLUME /var/www
|
||||||
RUN a2ensite mgr.cacert.localhost ; \
|
RUN a2ensite mgr.cacert.localhost ; \
|
||||||
a2dissite 000-default ; \
|
a2dissite 000-default ; \
|
||||||
a2enmod headers ; \
|
a2enmod headers ; \
|
||||||
|
a2enmod rewrite ; \
|
||||||
a2enmod ssl ; \
|
a2enmod ssl ; \
|
||||||
cd /usr/local/share/ca-certificates ; \
|
cd /usr/local/share/ca-certificates ; \
|
||||||
curl -O http://www.cacert.org/certs/root_X0F.crt ; \
|
curl -O http://www.cacert.org/certs/root_X0F.crt ; \
|
||||||
|
|
Loading…
Reference in a new issue