
Apply suggestions from code review

This commit is contained in:
Brennan Kinney
2025-08-08 19:18:39 +12:00
committed by GitHub
parent 9bbf1a9b56
commit d73fa60d83
3 changed files with 16 additions and 7 deletions


@ -7,7 +7,7 @@
# matches the local IP (ie. you're connecting from the same computer), the # matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed. # connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting. # See also ssl=required setting.
#auth_allow_cleartext = yes #auth_allow_cleartext = no
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.


@ -10,13 +10,11 @@ passdb passwd-file {
passwd_file_path = /etc/dovecot/userdb passwd_file_path = /etc/dovecot/userdb
} }
# !!! Attention !!!
# Do not add `scheme=SHA512-CRYPT` to the userdb args. This is not supported.
userdb passwd-file { userdb passwd-file {
driver = passwd-file driver = passwd-file
auth_username_format = %{user} auth_username_format = %{user}
passwd_file_path = /etc/dovecot/userdb passwd_file_path = /etc/dovecot/userdb
# Defaults field values for an entry if they're missing in `/etc/dovecot/userdb`. # Default field values to use when they're not set for user accounts sourced via `/etc/dovecot/userdb`.
# NOTE: That file is created from `postfix-accounts.cf` + `postfix-virtual.cf` # NOTE: That file is created from `postfix-accounts.cf` + `postfix-virtual.cf`
fields { fields {
uid:default = docker uid:default = docker


@ -345,9 +345,20 @@ function _setup_ssl() {
-e '/smtpd_tls_auth_only/s|yes|no|' \ -e '/smtpd_tls_auth_only/s|yes|no|' \
"${POSTFIX_CONFIG_MASTER}" "${POSTFIX_CONFIG_MASTER}"
# ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext # These two settings `auth_allow_cleartext` + `ssl` impact if TLS for connections is required,
sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 no|" /etc/dovecot/conf.d/10-auth.conf # which can vary by auth mechanism used and context of the connecting client:
# ref: https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl # - https://doc.dovecot.org/2.4.1/core/config/ssl.html#how-to-specify-when-ssl-tls-is-required
# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#auth_allow_cleartext
# - https://doc.dovecot.org/2.4.1/core/summaries/settings.html#ssl
# NOTE: Trusted clients (`secured` connections) almost always allow cleartext auth,
# with the exception of some when `ssl=required` as detailed in Dovecot docs:
# https://doc.dovecot.org/2.4.1/core/config/ssl.html#secured-connections
# Allow cleartext auth (mechanisms that don't protect secrets) without requiring an encrypted connection
sed -i -r "s|^#?(auth_allow_cleartext =).*|\1 yes|" /etc/dovecot/conf.d/10-auth.conf
# Disable TLS listeners on ports (`ssl=no`), unencrypted traffic only
sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}" sed -i -r "s|^(ssl =).*|\1 no|" "${DOVECOT_CONFIG_SSL}"
;; ;;
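Review bot: Neither `sed -i -r` call in this branch checks that its target key was actually present, so if a future Dovecot config ships without an `auth_allow_cleartext =` or `ssl =` line the substitution silently does nothing and the container runs with whatever the shipped default is rather than the value the comments promise; a guard such as `grep -q '^auth_allow_cleartext = yes' /etc/dovecot/conf.d/10-auth.conf || echo 'WARN: auth_allow_cleartext was not set' >&2` after the first sed (and the equivalent for `ssl = no`) would make a drift visible in the logs. The new comment block explains the Dovecot semantics well but does not state the consequence for this specific branch, where `ssl = no` and `auth_allow_cleartext = yes` together mean credentials and mail content cross the network unencrypted unless something in front of the container terminates TLS (this appears to be the intended deployment shape here but is not stated in the hunk); a one-line comment above the first sed, `# NOTE: In this branch Dovecot offers no TLS, so cleartext auth means credentials transit the network unencrypted; only suitable behind a TLS-terminating proxy or on a trusted network.`, would spare the next maintainer from re-deriving that from the three linked docs. The enclosing `case` arm and `_setup_ssl` begin and end outside the hunk.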