Dovecot lets us proxy every client connection to our IMAP servers, validating the login against LDAP or Active Directory before the backend is ever contacted.
The goal is to federate all of the IMAP servers (Oracle, Dovecot, Exchange, etc.) behind a single entry point.
I used the official Docker image from Docker Hub, deployed on my Rancher v2 infrastructure.
Global configuration
# Mailbox ownership; a pure proxy never writes mail, but Dovecot still wants these set
mail_uid = 1000
mail_gid = 1000
protocols = imap pop3
# "ssl = yes" offers TLS but still accepts cleartext sessions; use "ssl = required"
# unless cleartext IMAP/POP3 is deliberately needed
ssl = yes
# "<" reads the value from a file; use absolute paths here
ssl_cert = <cert.pem
ssl_key = <key.pem
verbose_ssl = yes
# CA used to verify the backend certificate when the proxy connects with starttls=y;
# ssl_require_crl = no is what lets an internal CA without a CRL pass
ssl_ca = </certs/certs-exchange.cer
ssl_require_crl = no
listen = *
# First passdb: Active Directory. username_filter restricts it to logins ending in
# @domain or @domain.local; host and port are forced here because AD carries no
# mailHost attribute
passdb {
driver = ldap
username_filter = *@domain, *@domain.local
args = /etc/dovecot/dovecot-ad.conf.ext
override_fields = host=owa-exchange.domain.local port=143 user=%n@domain
auth_verbose = yes
}
# Second passdb: the LDAP directory, where the mailHost attribute selects the backend
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
auth_verbose = yes
}
# A proxied login never reaches userdb, so no real userdb is needed
userdb {
driver = prefetch
}
# "no" allows PLAIN/LOGIN over cleartext connections; set it to yes together with
# ssl = required
disable_plaintext_auth = no
mail_home = /srv/mail/%u
auth_mechanisms = plain login
log_path = /var/log/dovecot.log
# If not set, use the value from log_path
info_log_path = /var/log/dovecot-info.log
# If not set, use the value from info_log_path
debug_log_path = /var/log/dovecot-debug.log
LDAP configuration (dovecot-ldap.conf.ext)
The mailHost attribute of the user's LDAP entry tells us which backend server to hand the connection to.
# Plain ldap:// sends the bind password and the userPassword hashes in clear;
# prefer ldaps:// or add "tls = yes" (STARTTLS)
uris = ldap://ldap.domain.local
# Bind account for the lookups. It must be able to read userPassword, but the
# directory's root account is far more than that needs; a dedicated read-only
# account with that single right is preferable
dn = cn=Directory Manager
dnpass = ********
base = ou=users,o=domain,c=local
scope = subtree
# No auth_bind here: Dovecot reads userPassword and compares it itself, so the
# stored hash must carry a {SCHEME} prefix or match default_pass_scheme.
# No starttls field either, so the proxied IMAP session to the backend is cleartext
pass_attrs = uid=user,userPassword=password,mailHost=host,=proxy=y
pass_filter = (&(!(mailUserStatus=inactive))(uid=%n))
user_filter = (&(!(mailUserStatus=inactive))(uid=%n))
Active Directory configuration (dovecot-ad.conf.ext)
Active Directory is not set up with a mailHost attribute, so I forced a specific server in the global configuration with the override_fields directive.
Note that port 3268 is the Global Catalog port: it answers for the whole forest rather than a single domain, so one query finds the user wherever their account lives. The Global Catalog speaks cleartext LDAP on 3268 and LDAP over TLS on 3269; since auth_bind = yes sends every user's password to the domain controller in a bind, prefer 3269 (uris = ldaps://ad.domain.local:3269) or tls = yes over the cleartext port.
# Global Catalog port, cleartext LDAP: the passwords from auth_bind cross the
# network unencrypted (3269 is the TLS variant)
hosts = ad.domain.local:3268
ldap_version = 3
# The user's password is verified by binding as the user; dn/dnpass only serve
# the pass_filter lookup that finds the user's DN
auth_bind = yes
dn = CN=rancher.bind,OU=Services,DC=domain,DC=local
dnpass = ********
base = DC=users,DC=domain,DC=local
scope = subtree
deref = never
user_filter = (&(sAMAccountName=%n)(objectClass=person))
pass_filter = (&(sAMAccountName=%n)(objectClass=person))
# Static fields ("=field=value" form): the login name forwarded to Exchange,
# STARTTLS on the backend connection (certificate checked against ssl_ca) and
# proxy mode. "user" is also set by override_fields in the global file
pass_attrs = =user=%n@domain,=starttls=y,=proxy=y
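The two passdb blocks, the username_filter routing and the two pass_filter templates are easy to get subtly wrong, so the following Python reproduces what Dovecot does with them so the behaviour can be checked offline. This is an added example, not code from the post or from Dovecot. Dovecot escapes %n itself before substituting it into pass_filter; the escaping shown here matters when the same lookup is reproduced outside Dovecot (a pre-flight check, a monitoring probe, a migration script). The filter templates, username_filter patterns and override_fields are copied from the configuration above; the directory entries passed to proxy_fields() are constructed for the demonstration.

```python
"""Offline model of the Dovecot proxy passdb logic above (added example, not
Dovecot's own code). Filters, username_filter patterns and override_fields are
taken from the configuration; directory entries are constructed for the demo."""
import fnmatch

# First passdb: AD, restricted by username_filter; host/port forced by override_fields.
AD_USERNAME_FILTER = ("*@domain", "*@domain.local")
AD_OVERRIDE_FIELDS = {"host": "owa-exchange.domain.local", "port": "143"}
AD_PASS_FILTER = "(&(sAMAccountName=%n)(objectClass=person))"

# Second passdb: the LDAP directory, where mailHost names the backend.
LDAP_PASS_FILTER = "(&(!(mailUserStatus=inactive))(uid=%n))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def local_part(login: str) -> str:
    """Dovecot's %n variable: the login name without any @domain suffix."""
    return login.split("@", 1)[0]


def select_passdb(login: str) -> str:
    """Mirror username_filter: the AD passdb only sees *@domain and *@domain.local;
    every other login falls through to the LDAP passdb."""
    if any(fnmatch.fnmatchcase(login, pattern) for pattern in AD_USERNAME_FILTER):
        return "ad"
    return "ldap"


def render_filter(login: str) -> str:
    """The pass_filter sent for this login, with %n escaped so that a crafted
    login name cannot widen the search."""
    template = AD_PASS_FILTER if select_passdb(login) == "ad" else LDAP_PASS_FILTER
    return template.replace("%n", escape_filter_value(local_part(login)))


def proxy_fields(login: str, entry: dict) -> dict:
    """Fields the passdb hands to the login process (pass_attrs plus override_fields).

    `entry` holds the attributes of the object matched by render_filter(login).
    The password field is deliberately left out: AD checks it with auth_bind and
    the LDAP passdb compares userPassword inside Dovecot; neither should leak here.
    """
    name = local_part(login)
    if select_passdb(login) == "ad":
        # pass_attrs = =user=%n@domain,=starttls=y,=proxy=y, then override_fields wins
        fields = {"user": f"{name}@domain", "starttls": "y", "proxy": "y"}
        fields.update(AD_OVERRIDE_FIELDS)
        return fields
    # pass_attrs = uid=user,userPassword=password,mailHost=host,=proxy=y
    if not entry.get("mailHost"):
        # Dovecot refuses a proxy=y result that carries no host; fail early and loudly
        raise ValueError(f"{login}: LDAP entry has no mailHost, refusing to proxy")
    return {"user": entry["uid"], "host": entry["mailHost"], "proxy": "y"}


if __name__ == "__main__":
    # Constructed entries standing in for the real directory objects
    print(render_filter("alice@domain"), proxy_fields("alice@domain", {}))
    print(render_filter("bob"), proxy_fields("bob", {"uid": "bob", "mailHost": "imap1.domain.local"}))
    print(render_filter("*)(uid=*"))  # stays a single equality match on a literal name
```

Run it against the account names of each backend population before touching the live proxy: a login that lands in the wrong passdb, or an LDAP account with no mailHost, shows up here instead of in dovecot.log.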
Sources
- http://www.pegasus45.lautre.net/index.php/LAB01_:part_07:CentOS_7:IMAP1:_Configuration_du_proxy_IMAP
- https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains
- https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
- https://doc.dovecot.org/configuration_manual/authentication/ldap/
- https://doc.dovecot.org/configuration_manual/config_file/config_variables/
- https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
- https://dovecot.org/pipermail/dovecot/2015-September/102057.html
- https://tibius.be/2009/08/31/active-directory-ldap-port-389-3268/