I will review this PR ASAP, but it's going into v11.1.0 and not in the upcoming v11.0.0 release as there already are plenty of changes for v11. Hope that this is okay, you will be able to immediate get with the :edge tag.

Not a strict requirement, but it would be nice, if you could also add a test for this, to ensure it's working. This can also prevent accidentally regressions done in future PRs.

You might take a look at the current IMAP tests.

I've fixed master accounts not being created on container start-up; previously they were only created while container was running when setup.sh.

I've also added a test to check a master user can log in. I will investigate more tests around setup.sh functionality, and checking the master user can actually read another users email once logged in when I have time.

I think I have worked out why my new test is failing - I added a new function "generate-masters" to the makefile, and added it to "all". When you follow the documentation for running the tests, this function gets run and the test passes.

I think the command used to run the tests on github only runs "generate-accounts" and "tests", which means my "generate-masters" does not get run - so there isn't a master account...so the test fails.

@georglauterbach, would you prefer I move the contents of "generate-masters" into "generate-accounts" or do you want to change the command used to run the tests in github (to include "generate-masters")?

@georglauterbach, would you prefer I move the contents of "generate-masters" into "generate-accounts" or do you want to change the command used to run the tests in github (to include "generate-masters")?

Definitely. I'd go as far as to say that this is a requirement :) It should definitely go into the generate-accounts target.

Sorry for the slow response - I have been away on holiday. I think I have addressed all your comments above, with one still waiting on input from you.

Assuming you're happy with my changes, would we now be ready to merge?

Sorry for the slow response - I have been away on holiday. I think I have addressed all your comments above, with one still waiting on input from you.

Assuming you're happy with my changes, would we now be ready to merge?

The feature freeze for v11.0.0 is over, but I'd like to see #2535 (comment) being resolved first :) Then we will again review the PR and merge it afterwards :) You will in the meantime need to resolve the one merge conflict in setup-stack.sh.

LGTM but tests are still failing. If they are resolved, we can merge this :)

To be honest I'm struggling to work out where to start with the failed tests. I'll keep trying but if anyone has any pointers I'd be very grateful!

To be honest I'm struggling to work out where to start with the failed tests. I'll keep trying but if anyone has any pointers I'd be very grateful!

I'd start by going through the commits that did not show success first, i.e. 177220c, then 50e45b0, etc.

It seems as if the test users are not created (no such file or directory).

• mail_ssl_letsencrypt.bats should be an easy fix, your PR isn't breaking it with any code, but a side-effect issue that is a common problem with the test. (Fix available)
• mail_with_ldap.bats is going to be more difficult. We lack LDAP experience, but something about this PR when used with LDAP is breaking the Dovecot IMAP auth and mail delivery, which is unexpected? (Resolved, drop feature support in LDAP)

LetsEncrypt failure (mail_ssl_letsencrypt.bats)

not ok 93 ssl(letsencrypt): Traefik 'acme.json' (*.example.test) in 28763ms
# (from function `assert_output' in file test/test_helper/bats-assert/src/assert.bash, line 231,
#  from function `_should_extract_on_changes' in file test/mail_ssl_letsencrypt.bats, line 240,
#  from function `_acme_rsa' in file test/mail_ssl_letsencrypt.bats, line 141,
#  in test file test/mail_ssl_letsencrypt.bats, line 179)
#   `_acme_rsa' failed
# [   INF   ]  mail.example.test is up and running
# [  DEBUG  ]  2022-05-04 09:58:31  Chagedetector is ready
# 
# -- output does not contain substring --
# substring (1 lines):
#   Change detected
# output (30 lines):
#   ]  2022-05-04 09:58:33  '/etc/letsencrypt/acme.json' has changed - extracting certificates
#   [  DEBUG  ]  Setting up SSL
#   [  DEBUG  ]  TLS configured with 'modern' ciphers
#   [  DEBUG  ]  Configuring SSL using 'letsencrypt'
#   [ WARNING ]  _extract_certs_from_acme | Unable to find key and/or cert for '*.example.test' in '/etc/letsencrypt/acme.json'
#   [  TRACE  ]  _extract_certs_from_acme | Certificate successfully extracted for 'mail.example.test'
#   [  TRACE  ]  letsencrypt (acme.json) extracted certificate using HOSTNAME: 'mail.example.test'
#   [  TRACE  ]  Adding mail.example.test SSL certificate to the postfix and dovecot configuration
#   [  TRACE  ]  SSL configured with 'letsencrypt' certificates
#   [  TRACE  ]  Checking file line endings
#   [  TRACE  ]  Regenerating postfix user list
#   [  DEBUG  ]  Creating user 'user1' for domain 'localhost.localdomain'
#   [  DEBUG  ]  Creating user 'user2' for domain 'otherdomain.tld'
#   [  DEBUG  ]  Creating user 'user3' for domain 'localhost.localdomain' with attributes 'userdb_mail=mbox:~/mail:INBOX=~/inbox'
#   [  DEBUG  ]  Adding alias '[email protected]' for user '[email protected]' to Dovecot's userdb
#   [  DEBUG  ]  Alias '[email protected]' is non-local (or mapped to a non-existing account) and will not be added to Dovecot's userdb
#   [  DEBUG  ]  Adding alias '@localdomain2.com' for user '[email protected]' to Dovecot's userdb
#   [  TRACE  ]  Checking file line endings
#   [  TRACE  ]  Regenerating dovecot masters list
#   [  DEBUG  ]  Creating master user 'masterusername'
#   [  TRACE  ]  Adding regexp alias file postfix-regexp.cf
#   virtual_alias_maps = texthash:/etc/postfix/virtual pcre:/etc/postfix/regexp
#   [  TRACE  ]  Configuring root alias
#   [  DEBUG  ]  2022-05-04 09:58:36  Restarting services due to detected changes
#   postfix: stopped
#   postfix: started
#   dovecot: stopped
#   dovecot: started
#   [  TRACE  ]  Removed lock '/tmp/docker-mailserver/check-for-changes.sh.lock'
#   [  DEBUG  ]  2022-05-04 09:58:41  Completed handling of detected change
# --
# 
# mail_ssl_letsencrypt

Your PR has just slightly pushed the log line we wanted out of scope due to adding these:

#   [  TRACE  ]  Regenerating dovecot masters list
#   [  DEBUG  ]  Creating master user 'masterusername'

To fix this, increase the amount of bytes we fetch from logs here to... 2200 perhaps? (we don't want this too high, so that we don't accidentally get duplicate logs from acme_ecdsa test, that would be a false-positive):

LDAP failures (mail_with_ldap.bats )

not ok 114 checking dovecot: ldap imap connection and authentication works in 141ms
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  in test file test/mail_with_ldap.bats, line 144)
#   `assert_success' failed
# 
# -- command failed --
# status : 1
# output : 
# --
# 

not ok 115 checking dovecot: ldap mail delivery works in 10333ms
# (from function `assert_output' in file test/test_helper/bats-assert/src/assert.bash, line 239,
#  in test file test/mail_with_ldap.bats, line 152)
#   `assert_output 1' failed
# 
# -- output differs --
# expected (1 lines):
#   1
# actual (2 lines):
#   ls: cannot access '/var/mail/localhost.localdomain/some.user/new': No such file or directory
#   0
# --
# 

not ok 116 checking dovecot: ldap mail delivery works for a different domain then the mailserver in 10289ms
# (from function `assert_output' in file test/test_helper/bats-assert/src/assert.bash, line 239,
#  in test file test/mail_with_ldap.bats, line 160)
#   `assert_output 1' failed
# 
# -- output differs --
# expected (1 lines):
#   1
# actual (2 lines):
#   ls: cannot access '/var/mail/localhost.localdomain/some.other.user/new': No such file or directory
#   0
# --
# 

These are all here:

After more careful inspection, it seems LDAP support might not meant to be using the passdb block that you're including with this PR into 10-auth.conf, we were aware of auth_bind = yes, but it seems for LDAP it includes an ldap config with no block scoping and just has a top-level auth_bind that's explicitly disabled (no is the default though):

We have some docs regarding LDAP and auth_bind:

• https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
• https://doc.dovecot.org/configuration_manual/authentication/ldap_settings_auth/
• https://doc.dovecot.org/configuration_manual/authentication/ldap/

I don't have time to read through all that, but the last link does have this to say:

NOTE: SASL binds are currently incompatible with authentication binds.

So it doesn't seem like this will work, as from what I understand, our LDAP support is only documented/tested with SASL config.

Let's revert the support for LDAP and document that this feature is not supported with LDAP.

Drop feature support in LDAP setups

1. Revert from _setup_ldap:

     if [[ -f /etc/dovecot/conf.d/auth-master.inc ]]
     then
       # Support Dovecot master user: https://doc.dovecot.org/configuration_manual/authentication/master_users/
       # > `result_success=continue` doesn’t work with PAM or LDAP without `auth_bind=yes`, because both of them require knowing the user’s password.
       sed -i -r '/auth_bind = yes/s/^(\s*)#/\1/' /etc/dovecot/conf.d/auth-master.inc
     fi

2. Shift _create_masters into _create_accounts method, leveraging the same LDAP guard:

   1. Revert from _setup_dovecot_local_user:

        _log 'debug' 'Setting up Dovecot Master User'
        _create_masters

   2. Revert in check-for-changes.sh:

          # regenerate postfix accounts & dovecot masters
          if [[ ${SMTP_ONLY} -ne 1 ]]
          then
            _create_accounts
            _create_masters
          fi

      back to:

          # regenerate postfix accounts
          [[ ${SMTP_ONLY} -ne 1 ]] && _create_accounts

   3. Refactor the start of _create_accounts to call _create_masters and shift the LDAP guard to apply to both:

      docker-mailserver/target/scripts/helpers/accounts.sh

      Line 16 in b4c49d2

      if [[ -f /tmp/docker-mailserver/postfix-accounts.cf ]] && [[ ${ENABLE_LDAP} -ne 1 ]]

      to:

      [[ ${ENABLE_LDAP} -eq 1 ]] && return 0
      
      _create_masters
      if [[ -f /tmp/docker-mailserver/postfix-accounts.cf ]]

3. Document for maintainers:

   # Support Dovecot master user: https://doc.dovecot.org/configuration_manual/authentication/master_users/
   # Supporting LDAP users requires `auth_bind = yes` in `dovecot-ldap.conf.ext`, see docker-mailserver/docker-mailserver/pull/2535 for details
   function _create_masters

4. Document for users:

   ## Configuration
   
   It is possible to create, update, delete and list dovecot master accounts using `setup.sh`. See `setup.sh help` for usage.
   
   This feature is presently [not supported with LDAP](https://github.com/docker-mailserver/docker-mailserver/pull/2535).

Thank you very much for the help - it's helped me to work out what is actually going on a bit more. I've committed those changes (verbose) and the the tests that failed last time now pass on my machine - waiting for the github ones run to be sure.

On the note of dropping LDAP support, that is a shame. If I have time I will try and look into it properly so we can add support back in - if I get anywhere I'll raise another PR.

Documentation preview for this PR is ready! 🎉

Built with commit: 2af0c11

Hey, @groupmsl!

Have you had time to check this functionality with LDAP?

The concern discussed earlier related to this feature and LDAP was incorrect IIRC. Just neither of us understood LDAP at the time well enough, should be doable.

I need to find time to allocate to wrapping up the open LDAP rework PR of mine first though.

@polarathene just maybe a helpful link, here there is a guy implementing this in Nextcloud, maybe his work, especially the configs he mentioned/showed can be helpful.

Should I open an issue to track this?

maybe his work, especially the configs he mentioned/showed can be helpful.

nextcloud/mail#8917 (comment)

• There is currently an open PR for Dovecot Lua auth (unofficial, DMS isn't implementing it, it's just a package with community guide in docs, specifically for delegating auth to Nextcloud accounts IIRC which were managed via LDAP).
• We already have the SASL auth for Postfix to Dovecot by default.
• We don't support SQL database and I don't think other maintainers will approve such.

I don't think it's particularly wise to use a master account (meant for admin) to grant Nextcloud the ability to login as any user in Dovecot, but I guess that's up to the sysadmin deploying DMS 🤷‍♂️

There is the OIDC WIP PR, which would contribute a Dovecot passdb config to authenticate/login with SSO. AFAIK that would need to rely on one of the existing provisioners for accounts though, so supporting it may require some changes to how DMS currently manages passdb/userdb config setup.

If there is another possible approach, I would also recommend it.

I am not sure how Nextcloud will redirect the token to DMS in this case, I mean even if the OIDC PR gets merged, I hope soon, Nextcloud should also be forwarding the token somehow. I am not sure if it supports this at the moment.

I have been thinking about using Master Password for Dovecot again. Actually if the password is being rotated frequently, and DMS is configured to accept connections to use Master Password only from a specific IP CIDR (I am not sure if this is possible), then this should be no problem. What do you think?

Do you have any any clue where the issue with LDAP could be located?

UPDATE:

OIDC seems to be supported by Nextcloud particularly. This is mentioned here to be supported by Mailcow. Can this be helpful for the PR with OIDC? Is this the PR you meant? Because it seems kind of inactive to me.

only from a specific IP CIDR (I am not sure if this is possible)

Dovecot can be restricted to a subnet/IP I think. DMS doesn't have any direct configuration for that at present AFAIK.

Postfix submission ports can use a CIDR table config, something PERMIT_DOCKER option would likely also use in future when that gets reworked.

then this should be no problem. What do you think?

If you trust that Nextcloud won't be compromised with some vulnerability that an attacker could exploit, go for it? It's just another attack vector.

It's just that letting users connect to their account through a master account intended for admins seems like something you should be cautious about. I'm not sure if the feature was intended to be used that way. Dovecot / Postfix LDAP support does similar I think depending on config for LDAP queries but IIRC can be restricted to read-only or via auth that is restricted in scope like a subtree.

Is this the PR you meant? Because it seems kind of inactive to me.

Yes, and correct it's not that active.

As I mentioned, supporting OIDC will likely require some restructuring with how DMS currently approaches Dovecot auth + accounts management. I don't anticipate much movement on that front unless someone has time to dig into that and also convince maintainers to be comfortable with that. I may have input on such at a later date, but my available time is scarce for new features currently.

Do you have any any clue where the issue with LDAP could be located?

Are you asking about the Lua + Nextcloud + LDAP? It's a PR: #3579

Hello,
I seen this post and I'm wondering if 2 years later, is it possible to use master account with LDAP users (my setup is DMS, LLDAP, Authelia and Snappy mail) ?
Sorry for the noise on a closed PR.

LDAP support is mostly dependent upon community. There is an open PR of mine that seeks to refactor it as an improvement but it's reliant upon me finding time to push it over the finish line.

As for this feature, without sinking some time into refreshing on it and the concerns with LDAP, I can't say. Chances are it's probably possible, someone just needs to look at what we're doing with the feature here and the concerns I raised/documented about LDAP support.

Once you're able to grok that, you should be able to put DMS aside and configure Dovecot directly (we also have dovecot.cf in our override support (see docs) to add extra Dovecot config as a convenience). Once verified, if it works for LDAP and the config necessary is communicated in a manner I can reproduce easily enough, then I can assist with updating any DMS integration.

For the time being though I'm unable to take on more commitments, my backlog is too large.

Thanks a lot @polarathene for your reply ❤️
I will try with my current setup and let you know my feedback (whether it works or not) for possible future support of this feature.