Proxy IMAP sous dovecot

Dovecot va nous permettre de proxifier toute connexion vers nos serveurs IMAP en validant la connexion via l’authentification LDAP ou AD.

L’intérêt étant de pouvoir fédérer l’ensemble des serveurs IMAP (Oracle, Dovecot, Exchange, etc).

J’ai utilisé l’image docker officielle disponible sur le docker hub que j’ai déployé sous mon infrastructure Rancher v2.

Configuration globale

mail_uid = 1000
mail_gid = 1000
protocols = imap pop3
ssl = yes
ssl_cert = <cert.pem
ssl_key = <key.pem
verbose_ssl = yes
ssl_ca = </certs/certs-exchange.cer
ssl_require_crl = no
listen = *
passdb userdb {
  driver = ldap
  username_filter = *@domain, *@domain.local
  args = /etc/dovecot/dovecot-ad.conf.ext
  override_fields = host=owa-exchange.domain.local port=143 user=%n@domain
  auth_verbose = yes
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  auth_verbose = yes
}
userdb {
  driver = prefetch
}

disable_plaintext_auth = no
mail_home = /srv/mail/%u
auth_mechanisms = plain login

log_path = /var/log/dovecot.log
# If not set, use the value from log_path
info_log_path = /var/log/dovecot-info.log
# If not set, use the value from info_log_path
debug_log_path = /var/log/dovecot-debug.log

Configuration LDAP (dovecot-ldap.conf.ext)

On récupère l’attribut mailHost de la fiche LDAP de l’utilisateur afin de savoir quel serveur attaquer.

uris = ldap://ldap.domain.local
dn = cn=Directory Manager 
dnpass = ********
base = ou=users,o=domain,c=local
scope = subtree
pass_attrs = uid=user,userPassword=password,mailHost=host,=proxy=y
pass_filter=(&(!(mailUSerStatus=inactive))(uid=%n))
user_filter = (&(!(mailUSerStatus=inactive))(uid=%n))

Configuration Active Directory (dovecot-ad.conf.ext)

L’Active Directory n’étant pas configuré via un attribut mailHost, j’ai forcé l’utilisation d’un serveur spécifique dans la configuration globale grâce à la directive « override_fields ».

A savoir, le port 3268 est celui à utiliser car cela nous permet d’interroger l’ensemble de la hiérarchie AD.

hosts = ad.domain.local:3268
ldap_version = 3
auth_bind = yes
dn = CN=rancher.bind,OU=Services,DC=domain,DC=local
dnpass = ********
base = DC=users,DC=domain,DC=local
scope = subtree
deref = never
user_filter = (&(sAMAccountName=%n)(objectClass=person))
pass_filter = (&(sAMAccountName=%n)(objectClass=person))
pass_attrs = %n@domain=user,=starttls=y,=proxy=y

Sources

• http://www.pegasus45.lautre.net/index.php/LAB01_:part_07:CentOS_7:IMAP1:_Configuration_du_proxy_IMAP
• https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains
• https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
• https://doc.dovecot.org/configuration_manual/authentication/ldap/
• https://doc.dovecot.org/configuration_manual/config_file/config_variables/
• https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
• https://dovecot.org/pipermail/dovecot/2015-September/102057.html
• https://tibius.be/2009/08/31/active-directory-ldap-port-389-3268/