From af156f24c6fdb0089231e979f759bf895c537265 Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jan@dittberner.info>
Date: Tue, 22 Dec 2020 14:19:31 +0100
Subject: [PATCH] Configure mgr and mail containers

This commit configures IMAP to work properly and makes logs of mgr and
dovecot available.
---
 docker-compose.yml                 |   2 +
 docker/apache-mgr-foreground       |   9 +-
 docker/apache-mgr-virtualhost.conf |   7 +-
 docker/imap_auth.conf              | 129 +++++++++++++++++++++++++++++
 docker/imap_plain_userdb.conf      |   9 ++
 docker/initdb.sh                   |   2 +-
 docker/run-dovecot                 |   6 ++
 mail.Dockerfile                    |   2 +
 mgr.Dockerfile                     |   2 +
 9 files changed, 164 insertions(+), 4 deletions(-)
 create mode 100644 docker/imap_auth.conf
 create mode 100644 docker/imap_plain_userdb.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 6151567..5487f09 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,6 +25,8 @@ services:
       dockerfile: mail.Dockerfile
     volumes:
       - maildir:/home/catchall/Maildir
+    env_file:
+      - ./.env
   application:
     build:
       context: .
diff --git a/docker/apache-mgr-foreground b/docker/apache-mgr-foreground
index e7dc445..90f9c64 100755
--- a/docker/apache-mgr-foreground
+++ b/docker/apache-mgr-foreground
@@ -9,9 +9,14 @@ sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_
 
 mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
 REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
-VALUES (2, 2,'${CLIENT_CERT_EMAIL}','/CN=${CLIENT_CERT_USERNAME}///C=AU/O=CAcert Inc./CN=Class 3 Test CA');
+VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
+
+UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
+UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';
+UPDATE system_config SET config_value='catchall' WHERE config_key='imap.username';
+UPDATE system_config SET config_value='${CATCHALL_MAILBOX_PASSWORD}' WHERE config_key='imap.password';
 EOF
 
 apache2ctl start "$@"
 
-exec tail -F --follow=name --retry /var/log/apache2/error.log
+exec tail -F --follow=name --retry /var/log/apache2/error.log /tmp/ca_mgr.log
diff --git a/docker/apache-mgr-virtualhost.conf b/docker/apache-mgr-virtualhost.conf
index 707958b..30417b7 100644
--- a/docker/apache-mgr-virtualhost.conf
+++ b/docker/apache-mgr-virtualhost.conf
@@ -13,9 +13,14 @@
   SSLCertificateChainFile /etc/ssl/certs/combined.crt
 
   SSLCACertificateFile /etc/ssl/certs/combined.crt
-  SSLVerifyClient require
+  SSLVerifyClient optional
   SSLVerifyDepth 2
   SSLOptions +StdEnvVars
 
+  <Directory /var/www/manager/public>
+    Options Indexes FollowSymlinks MultiViews
+    AllowOverride Options FileInfo
+  </Directory>
+
   Header always set Strict-Transport-Security "max-age=31536000"
 </VirtualHost>
diff --git a/docker/imap_auth.conf b/docker/imap_auth.conf
new file mode 100644
index 0000000..84abe37
--- /dev/null
+++ b/docker/imap_auth.conf
@@ -0,0 +1,129 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext
+!include auth-plain-userdb.conf.ext
diff --git a/docker/imap_plain_userdb.conf b/docker/imap_plain_userdb.conf
new file mode 100644
index 0000000..bf8ed01
--- /dev/null
+++ b/docker/imap_plain_userdb.conf
@@ -0,0 +1,9 @@
+passdb {
+  driver = passwd-file
+  args = username_format=%n /etc/dovecot/imap_user.txt
+}
+userdb {
+  driver = passwd-file
+  args = username_format=%n /etc/dovecot/imap_user.txt
+  default_fields = uid=catchall gid=catchall home=/home/%n mail=maildir:/home/%n/Maildir
+}
\ No newline at end of file
diff --git a/docker/initdb.sh b/docker/initdb.sh
index 83b34dd..9273d82 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -124,5 +124,5 @@ GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
 CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
 GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
-GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.users TO $MYSQL_MGR_USER@'%';
+GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%';
 EOF
diff --git a/docker/run-dovecot b/docker/run-dovecot
index 29fd5b5..31b9b37 100755
--- a/docker/run-dovecot
+++ b/docker/run-dovecot
@@ -1,4 +1,10 @@
 #!/bin/sh
 set -eu
 
+echo "catchall:{plain}${CATCHALL_MAILBOX_PASSWORD}::::::" \
+    > /etc/dovecot/imap_user.txt
+chmod 0640 /etc/dovecot/imap_user.txt
+chown dovecot.dovecot /etc/dovecot/imap_user.txt
+echo "log_path = /dev/stderr" > /etc/dovecot/local.conf
+
 dovecot -F
diff --git a/mail.Dockerfile b/mail.Dockerfile
index 3ff9393..2ea32fb 100644
--- a/mail.Dockerfile
+++ b/mail.Dockerfile
@@ -15,6 +15,8 @@ RUN apt-get update \
 EXPOSE 143
 
 RUN adduser --uid 1000 --gecos "catchall mailbox" --disabled-password catchall
+COPY docker/imap_auth.conf /etc/dovecot/conf.d/10-auth.conf
+COPY docker/imap_plain_userdb.conf /etc/dovecot/conf.d/auth-plain-userdb.conf.ext
 
 VOLUME /home/catchall/Maildir
 
diff --git a/mgr.Dockerfile b/mgr.Dockerfile
index a583678..97bf26b 100644
--- a/mgr.Dockerfile
+++ b/mgr.Dockerfile
@@ -10,6 +10,7 @@ RUN apt-get update \
     locales-all \
     mariadb-client \
     nullmailer \
+    php5-imap \
     php5-mysql \
     zendframework \
     && apt-get clean \
@@ -33,6 +34,7 @@ VOLUME /var/www
 RUN a2ensite mgr.cacert.localhost ; \
     a2dissite 000-default ; \
     a2enmod headers ; \
+    a2enmod rewrite ; \
     a2enmod ssl ; \
     cd /usr/local/share/ca-certificates ; \
     curl -O http://www.cacert.org/certs/root_X0F.crt ; \