
tracking: OIDC implementation #2713

@Westie

Description

I came back with an update!!

The below is out of date:

I've tagged this as an issue as I've had to completely hack around with various parts of this docker project to get what I want it to do with regards to loading stuff how I want it to load, and I thought it would probably be nice to get this made far nicer.

I'd like to volunteer myself to at least partly solve this issue as I want to make what I've done far easier to maintain - at present I'm relocating init scripts in an attempt to modify fewer files.

c.f.: #2312

Life so far

COPY conf/dovecot/09-auth.conf /etc/dovecot/conf.d/09-auth.conf
COPY conf/dovecot/auth-ldap.conf.ext /etc/dovecot/conf.d/auth-ldap.conf.ext
COPY conf/dovecot/auth-oauth2.conf.ext /etc/dovecot/conf.d/auth-oauth2.conf.ext
COPY conf/dovecot/dovecot-oauth2.conf.ext /etc/dovecot/dovecot-oauth2.conf.ext

scripts/setup-stack.sh

Within my hijacked start-mailserver.sh I have the following:

configomat.sh OAUTH_ /etc/dovecot/dovecot-oauth2.conf.ext

Notwithstanding that I realise that this should actually be OAUTH2_ (sue me, I wasn't thinking) - this is a rather easy addition to the project as we can just stick it within setup-stack.sh somewhere.

dovecot/10-auth.conf

At present I'm doing weird magic in order to ensure that the OAUTH2 driver is being loaded before the LDAP driver i.e., I'm creating a separate file called 09-auth.conf and inserting my required config entries in there.

I had tried setting LDAP to specific authentication mechanisms but internally rewritten e-mails stopped getting delivered.

The project has its own 10-auth.conf file which has the following order:

#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.inc
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

Where would we put the reference for auth-oauth2.conf.ext? I'd personally rank it above LDAP but below SQL.

dovecot/auth-oauth2.conf.ext

passdb {
    driver = oauth2
    mechanisms = oauthbearer xoauth2
    args = /etc/dovecot/dovecot-oauth2.conf.ext
    skip = authenticated
}

dovecot/dovecot-oauth2.conf.ext

client_id = ?
client_secret = ?
grant_url = https://localhost/grant
introspection_mode = post
introspection_url = https://localhost/introspection
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

Other improvements

In my copy of dovecot-ldap.conf.ext I have removed the LDAP userdb and I've decided to solely rely on a static userdb entry instead.

That's probably a silly mistake on my behalf, but what is a good idea to add to that file is something like skip = authenticated, or even something like skip = so that this can be modified out of the box via an environment variable.

So, what do?

I think this is what we'll need to do:

  • Implement an ENABLE_OAUTH2 that will uncomment and include the OAUTH2 driver
  • Ensure that OAUTH2 is loaded before LDAP to avoid unnecessary failed auth attempts (it will shout at you because the JWT is unsurprisingly too long for LDAP to comprehend)

Seem fair?
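As an added illustration of the two items above (this is example code written for this page, not docker-mailserver's own setup-stack.sh or configomat.sh), the snippet below renders OAUTH2_* environment variables into the oauth2 settings file, inserts the oauth2 include directly above the LDAP include in 10-auth.conf (so below SQL, as proposed), and verifies the ordering. The variable name ENABLE_OAUTH2, the OAUTH2_ prefix mapping (OAUTH2_CLIENT_ID -> client_id) and the /etc/dovecot paths are assumptions.

```shell
#!/bin/sh
# Added example, not docker-mailserver's setup-stack.sh or configomat.sh.
# Assumptions: ENABLE_OAUTH2=1 turns the feature on; every OAUTH2_* variable
# becomes one "key = value" line in dovecot-oauth2.conf.ext (OAUTH2_CLIENT_ID
# -> client_id); 10-auth.conf carries the include lines quoted in the issue.

# Write the OAUTH2_* environment into the oauth2 settings file.
render_oauth2_conf() {
  out="$1"
  : > "$out"
  env | grep '^OAUTH2_' | sort | while IFS='=' read -r name value; do
    key=$(printf '%s' "${name#OAUTH2_}" | tr '[:upper:]' '[:lower:]')
    printf '%s = %s\n' "$key" "$value" >> "$out"
  done
  chmod 600 "$out"   # the file holds client_secret; keep it unreadable to other users
}

# Insert the oauth2 include directly above the LDAP include (so below SQL),
# removing any earlier copy first so the call is idempotent. Ordering matters:
# a bearer token must reach the oauth2 passdb before LDAP gets to reject it.
enable_oauth2_include() {
  conf="$1"
  awk '
    /^#?!include auth-oauth2\.conf\.ext/ { next }
    /^#?!include auth-ldap\.conf\.ext/ && !placed {
      print "!include auth-oauth2.conf.ext"; placed = 1
    }
    { print }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Sanity check for a startup script: succeed only if the active oauth2 include
# precedes the LDAP include (whether or not LDAP is commented out).
oauth2_precedes_ldap() {
  awk '
    /^!include auth-oauth2\.conf\.ext/ { o = NR }
    /^#?!include auth-ldap\.conf\.ext/ { l = NR }
    END { exit !(o && l && o < l) }
  ' "$1"
}

# Glue as it might sit in setup-stack.sh (the paths are assumptions).
setup_oauth2() {
  [ "${ENABLE_OAUTH2:-0}" = "1" ] || return 0
  render_oauth2_conf /etc/dovecot/dovecot-oauth2.conf.ext
  enable_oauth2_include /etc/dovecot/conf.d/10-auth.conf
  oauth2_precedes_ldap /etc/dovecot/conf.d/10-auth.conf
}
```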

Metadata

Labels

  • area/features
  • feature/auth-oidc (Authentication support for OIDC and OAuth2)
  • kind/new feature (A new feature is requested in this issue or implemented with this PR)
  • priority/low
  • service/dovecot
  • stale-bot/ignore (Indicates that this issue / PR shall not be closed by our stale-checking CI)
