Switch to python and Jinja2 for the dovecot container

dovecot/Dockerfile

@@ -3,12 +3,10 @@ FROM alpine:edge
 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
  && apk add --no-cache \
      dovecot dovecot-sqlite dovecot-pigeonhole-plugin dovecot-pigeonhole-plugin-extdata \
-     rspamd-client@testing \
-     bash
+     rspamd-client@testing python py-jinja2
 
-COPY conf /etc/dovecot
+COPY conf /conf
 COPY sieve /var/lib/dovecot
+COPY start.py /start.py
 
-COPY start.sh /start.sh
-
-CMD ["/start.sh"]
+CMD /start.py

dovecot/conf/dovecot-sql.conf.ext

@@ -3,7 +3,7 @@ connect = /data/main.db
 
 # Return the user hashed password
 password_query = \
- SELECT password \
+ SELECT NULL as password, 'Y' as nopassword, '{{ FRONT_ADDRESS }}' as allow_nets \
    FROM user \
   WHERE user.email = '%u'
 

dovecot/conf/dovecot.conf

@@ -52,27 +52,11 @@ namespace inbox {
   }
 }
 
-###############
-# TLS
-###############
-ssl = yes
-ssl_cert = </certs/cert.pem
-ssl_key = </certs/key.pem
-# This will be enabled once 2.3 is released
-# ssl_dh = </certs/dhparam.pem
-# In the meanwhile:
-ssl_dh_parameters_length = 2048
-# TLS hardening is based on the following documentation:
-# https://bettercrypto.org/static/applied-crypto-hardening.pdf
-ssl_protocols=!SSLv3 !SSLv2
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
-ssl_prefer_server_ciphers = yes
-ssl_options = no_compression
-
 ###############
 # Authentication
 ###############
 auth_mechanisms = plain login
+disable_plaintext_auth = no
 
 passdb {
   driver = sql
@@ -88,10 +72,6 @@ service auth {
   user = dovecot
   unix_listener auth-userdb {
   }
-
-  inet_listener {
-    port = 2102
-  }
 }
 
 service auth-worker {
@@ -119,9 +99,6 @@ service imap-login {
   inet_listener imap {
     port = 143
   }
-  inet_listener imaps {
-    port = 993
-  }
 }
 
 ###############

dovecot/start.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python
+
+import jinja2
+import os
+import socket
+import glob
+	
+convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+
+# Actual startup script
+os.environ["FRONT_ADDRESS"] = socket.gethostbyname("front")
+
+for postfix_file in glob.glob("/conf/*.cf"):
+    convert(postfix_file, os.path.join("/etc/postfix", os.path.basename(postfix_file)))
+
+convert("/conf/rsyslog.conf", "/etc/rsyslog.conf")
+
+# Run postfix
+os.system("chown -R mail:mail /mail /var/lib/dovecot")
+os.execv("/usr/sbin/dovecot" ["dovecot", "-c", "/etc/dovecot/dovecot.conf", "-F"])

dovecot/start.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Substitute configuration
-for VARIABLE in `env | cut -f1 -d=`; do
-  sed -i "s={{ $VARIABLE }}=${!VARIABLE}=g" /etc/dovecot/*.conf
-done
-
-# Fix permissions
-chown -R mail:mail /mail
-chown -R mail:mail /var/lib/dovecot
-
-# Run dovecot
-exec /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf -F