Dovecot will let us proxy every connection to our IMAP servers while validating the login through LDAP or AD authentication.
The point is to federate all of our IMAP servers (Oracle, Dovecot, Exchange, etc.) behind a single entry point.
I used the official Docker image available on Docker Hub, which I deployed on my Rancher v2 infrastructure.
Global configuration

```
mail_uid = 1000
mail_gid = 1000
protocols = imap pop3
ssl = yes
ssl_cert = <cert.pem
ssl_key = <key.pem
verbose_ssl = yes
# CA used to verify the certificate of the Exchange backend
ssl_ca = </certs/certs-exchange.cer
ssl_require_crl = no
listen = *

# First passdb: Active Directory users, proxied to the Exchange server.
# Only logins matching username_filter are looked up here; when the lookup
# fails Dovecot continues with the next passdb.
passdb {
  driver = ldap
  username_filter = *@domain, *@domain.local
  args = /etc/dovecot/dovecot-ad.conf.ext
  # AD carries no mailHost attribute, so the backend host and port are forced here
  override_fields = host=owa-exchange.domain.local port=143 user=%n@domain
  auth_verbose = yes
}

# Second passdb: LDAP users, backend taken from their mailHost attribute.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  auth_verbose = yes
}

# Reuse the fields returned by the passdb instead of doing a second lookup.
userdb {
  driver = prefetch
}

# Allows PLAIN/LOGIN on connections that are not TLS-protected
disable_plaintext_auth = no
mail_home = /srv/mail/%u
auth_mechanisms = plain login

log_path = /var/log/dovecot.log
# If not set, use the value from log_path
info_log_path = /var/log/dovecot-info.log
# If not set, use the value from info_log_path
debug_log_path = /var/log/dovecot-debug.log
```
LDAP configuration (dovecot-ldap.conf.ext)

We read the mailHost attribute from the user's LDAP entry to know which backend server the connection must be proxied to.

```
uris = ldap://ldap.domain.local
dn = cn=Directory Manager
dnpass = ********
base = ou=users,o=domain,c=local
scope = subtree
# mailHost becomes the proxy "host" field; "=proxy=y" turns proxying on
pass_attrs = uid=user,userPassword=password,mailHost=host,=proxy=y
# Inactive accounts are excluded from both lookups
pass_filter = (&(!(mailUSerStatus=inactive))(uid=%n))
user_filter = (&(!(mailUSerStatus=inactive))(uid=%n))
```
Active Directory configuration (dovecot-ad.conf.ext)

Since the Active Directory is not configured with a mailHost attribute, I forced the use of a specific server in the global configuration with the "override_fields" directive.
Note that port 3268 is the one to use, since it lets us query the entire AD hierarchy.

```
# 3268 is the Global Catalog port: one query covers the whole forest
hosts = ad.domain.local:3268
ldap_version = 3
# Authenticate by binding as the user rather than comparing a password attribute
auth_bind = yes
dn = CN=rancher.bind,OU=Services,DC=domain,DC=local
dnpass = ********
base = DC=users,DC=domain,DC=local
scope = subtree
deref = never
user_filter = (&(sAMAccountName=%n)(objectClass=person))
pass_filter = (&(sAMAccountName=%n)(objectClass=person))
# "=field=value" is the template syntax for static fields; the user field is
# rewritten to the login name with the domain appended, and STARTTLS is
# requested towards the backend
pass_attrs = =user=%n@domain,=starttls=y,=proxy=y
```
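To check that each login is routed to the backend you expect before putting the proxy in front of real users, here is an added Python model of the routing logic described above (the two passdb blocks, username_filter, pass_attrs templates and override_fields). It is example code written for this page, not Dovecot's own implementation; the directory entries and the `route` helper are constructed for the demonstration.

```python
import fnmatch

# Constructed sample directory entries (not real data): LDAP users carry mailHost, the AD user does not.
LDAP_DIR = {
    "alice": {"uid": "alice", "mailHost": "imap1.domain.local", "mailUserStatus": "active"},
    "bob":   {"uid": "bob",   "mailHost": "imap2.domain.local", "mailUserStatus": "inactive"},
}
AD_DIR = {"carol": {"sAMAccountName": "carol"}}
# The two passdb blocks from the global configuration, in evaluation order (AD first, then LDAP).
PASSDBS = [
    {"username_filter": "*@domain, *@domain.local", "directory": AD_DIR, "inactive_check": False,
     "pass_attrs": "=user=%n@domain,=starttls=y,=proxy=y",
     "override_fields": "host=owa-exchange.domain.local port=143 user=%n@domain"},
    {"username_filter": "", "directory": LDAP_DIR, "inactive_check": True,
     "pass_attrs": "uid=user,userPassword=password,mailHost=host,=proxy=y",
     "override_fields": ""},
]
def expand(template, login):
    """Expand the two Dovecot variables used on this page: %u = full login, %n = local part."""
    return template.replace("%u", login).replace("%n", login.split("@")[0])

def parse_attrs(spec, entry, login):
    """Model pass_attrs: 'ldapAttr=field' copies an attribute, '=field=template' sets a value."""
    fields = {}
    for item in spec.split(","):
        if item.startswith("="):
            field, template = item[1:].split("=", 1)
            fields[field] = expand(template, login)
        else:
            attr, field = item.split("=", 1)
            if attr in entry:
                fields[field] = entry[attr]
    return fields

def route(login):
    """Return the proxy fields Dovecot would end up with for this login, or None if rejected."""
    for db in PASSDBS:
        filters = [f.strip() for f in db["username_filter"].split(",") if f.strip()]
        if filters and not any(fnmatch.fnmatchcase(login, f) for f in filters):
            continue  # username_filter: this passdb is skipped for non-matching logins
        entry = db["directory"].get(expand("%n", login))
        if entry is None or (db["inactive_check"] and entry.get("mailUserStatus") == "inactive"):
            continue  # lookup or pass_filter failed: Dovecot continues with the next passdb
        fields = parse_attrs(db["pass_attrs"], entry, login)
        for kv in db["override_fields"].split():
            key, value = kv.split("=", 1)
            fields[key] = expand(value, login)  # override_fields win over LDAP attributes
        return fields
    return None
```

Running `route("carol@domain")` yields the Exchange target from override_fields, while `route("alice")` falls through to the LDAP passdb and picks up her mailHost; an inactive LDAP account such as `bob` is rejected by the filter.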
Sources
- http://www.pegasus45.lautre.net/index.php/LAB01_:part_07:CentOS_7:IMAP1:_Configuration_du_proxy_IMAP
- https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains
- https://www.howtoforge.com/postfix-dovecot-authentication-against-active-directory-on-centos-5.x
- https://doc.dovecot.org/configuration_manual/authentication/ldap/
- https://doc.dovecot.org/configuration_manual/config_file/config_variables/
- https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
- https://dovecot.org/pipermail/dovecot/2015-September/102057.html
- https://tibius.be/2009/08/31/active-directory-ldap-port-389-3268/