From d73fa60d83757130ac83b71e2da422ad45813f6c Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Fri, 8 Aug 2025 19:18:39 +1200
Subject: [PATCH] Apply suggestions from code review

---
 target/dovecot/10-auth.conf | 2 +-
 target/dovecot/auth-passwdfile.inc | 4 +---
 target/scripts/helpers/ssl.sh | 17 ++++++++++++++---
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/target/dovecot/10-auth.conf b/target/dovecot/10-auth.conf
index d6fade19..2fd814eb 100644
--- a/target/dovecot/10-auth.conf
+++ b/target/dovecot/10-auth.conf
@@ -7,7 +7,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-#auth_allow_cleartext = yes
+#auth_allow_cleartext = no
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
diff --git a/target/dovecot/auth-passwdfile.inc b/target/dovecot/auth-passwdfile.inc
index d1c2d384..a006812e 100644
--- a/target/dovecot/auth-passwdfile.inc
+++ b/target/dovecot/auth-passwdfile.inc
@@ -10,13 +10,11 @@ passdb passwd-file {
 passwd_file_path = /etc/dovecot/userdb
 }
-# !!! Attention !!!
-# Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.
 userdb passwd-file {
 driver = passwd-file
 auth_username_format = %{user}
 passwd_file_path = /etc/dovecot/userdb
-# Defaults field values for an entry if they're missing in `/etc/dovecot/userdb`.
+# Default field values to use when they're not set for user accounts sourced via `/etc/dovecot/userdb`.
 # NOTE: That file is created from `postfix-accounts.cf` + `postfix-virtual.cf`
 fields {
 uid:default = docker
diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 23286096..2400e1ac 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -345,9 +345,20 @@ function _setup_ssl() {
 -e '/smtpd_tls_auth_only/s|yes|no|' \
 "${POSTFIX_CONFIG_MASTER}"
-# ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
-sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 no|" /etc/dovecot/conf.d/10-auth.conf
-# ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
+# These two settings `auth_allow_cleartext` + `ssl` impact if TLS for connections is required,
+# which can vary by auth mechanism used and context of the connecting client:
+# - https://doc.dovecot.org/2.4.1/core/config/ssl.html#how-to-specify-when-ssl-tls-is-required
+# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
+# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
+
+# NOTE: Trusted clients (`secured` connections) almost always allow cleartext auth,
+# with the exception of some when `ssl=required` as detailed in Dovecot docs:
+# https://doc.dovecot.org/2.4.1/core/config/ssl.html#secured-connections
+
+# Allow cleartext auth (mechanisms that don't protect secrets) without requiring an encrypted connection
+sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf
+
+# Disable TLS listeners on ports (`ssl=no`), unencrypted traffic only
+sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
 ;;
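Review bot: The added `sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf` puts Dovecot into a mode where PLAIN/LOGIN credentials from any non-secured client cross the network unencrypted, yet the arm emits no runtime signal that this happened and never checks that the substitution took effect — `sed -i` exits 0 when the pattern matches nothing, so a reshuffled upstream `10-auth.conf` would silently leave the previous `no` in place and lock remote clients out again with no diagnostic. I would log the mode at the point it is enabled (via the project's `_log` helper, if that is what this script uses) and verify the edit, e.g. `grep -qE '^auth_allow_cleartext = yes' /etc/dovecot/conf.d/10-auth.conf || _log 'error' 'Failed to enable cleartext auth in 10-auth.conf'`. The auth file path is also hard-coded right next to `"${DOVECOT_CONFIG_SSL}"`; if an equivalent variable exists for the auth config it should be used here for consistency. This `case` arm belongs to `_setup_ssl`, whose body starts and ends outside the hunk.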