Merge branch 'release/v3.6.4-3'

Author: sklein94

CHANGELOG.md

@@ -6,9 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v3.6.4-3] - 2022-05-24
+### Added
+- support for SASL authentication (#13)
+
 ## [v3.6.4-2] - 2022-04-06
 ### Change
-- Upgrade zlib package to fix CVE-2018-25032; #11
+- Upgrade zlib package to fix CVE-2018-25032; (#11)
 
 ## [v3.6.4-1] - 2022-02-10
 ### Fixed

Dockerfile

@@ -1,6 +1,6 @@
 FROM registry.cloudogu.com/official/base:3.15.3-1
 LABEL NAME="official/postfix" \
-      VERSION="3.6.4-2" \
+      VERSION="3.6.4-3" \
       [email protected]
 
 # INSTALL POSTFIX

docs/development/Send_Mails_locally_de.md

@@ -42,4 +42,38 @@ Konkret müssen folgende Schritte ausgeführt werden:
   
   <strg>+<d>
   ```
-* In Web-Oberfläche vom MailHog - ```localhost:8025``` - Mail-Empfang prüfen
+* In Web-Oberfläche vom MailHog - ```localhost:8025``` - Mail-Empfang prüfen
+
+
+## Einrichtung eines Proxy vor MailHog zum testen von Authentifizerungsworkflows
+MailHog unterstützt keine Authentifizerung, aus diesem Grund kann mithilfe des Tools [E-MailRelay](http://emailrelay.sourceforge.net/index.html) 
+ein Proxy vor dem MailHog aufgebaut werden.
+
+Dazu muss E-MailRelay [heruntergeladen](http://emailrelay.sourceforge.net/Download.html), 
+entpackt und installiert `sudo ./configure && sudo make && sudo make install` werden. 
+
+Für die Authentifizierung kann eine Password-Datei angelegt werden, die z.B. so aussehen kann:
+
+secret.auth
+```
+server plain adminuser adminpw
+```
+
+E-MailRelay kann mittels 
+```
+sudo emailrelay -t --as-server --forward-on-disconnect --log --verbose --log-file mailrelay.log --log-time --port 587 --forward-to localhost:1025 --server-auth ./secret.auth
+```
+als Proxy vor MailHog gestartet werden.
+
+Der Parameter `-t` startet den Proxy in einer Terminal-Sitzung. Das macht es einfacher, den Server neu zu starten.
+Der Relay-Host muss auf die mit dem `-port` spezifizierte Adresse zeigen. 
+```
+etcdctl set /config/postfix/relayhost 192.168.56.1:587
+```
+
+Anschließend kann das entsprechende Passwort für Postfix konfiguriert werden.
+Beim Verschicken von Mails wird dann die SASL-Authentifizierung verwendet:
+```
+etcdctl set /config/postfix/sasl_username adminuser
+etcdctl set /config/postfix/sasl_password adminpw
+```

docs/development/Send_Mails_locally_en.md

@@ -42,4 +42,38 @@ Specifically, the following steps need to be performed:
   
   <strg>+<d>
   ```
-* In web interface of MailHog - ```localhost:8025`` - check mail reception
+* In web interface of MailHog - ```localhost:8025`` - check mail reception
+
+
+## Setting up a proxy in front of MailHog to test authentication workflows.
+MailHog does not support authentication, therefore using the tool [E-MailRelay](http://emailrelay.sourceforge.net/index.html)
+tool to set up a proxy in front of MailHog.
+
+To do this, E-MailRelay must be [downloaded](http://emailrelay.sourceforge.net/Download.html),
+unpacked and installed `sudo ./configure && sudo make && sudo make install`.
+
+For the authentication a password file can be created, which can look like this for example
+
+secret.auth
+```
+server plain adminuser adminpw
+```
+
+E-MailRelay can be created using
+```
+sudo emailrelay -t --as-server --forward-on-disconnect --log --verbose --log-file mailrelay.log --log-time --port 587 --forward-to localhost:1025 --server-auth ./secret.auth
+```
+can be started as a proxy before MailHog.
+
+The `-t` parameter starts the proxy in a terminal session. This makes it easier to restart the server.
+The relay host must point to the address specified with the `-port`.
+```
+etcdctl set /config/postfix/relayhost 192.168.56.1:587
+```
+
+Afterwards the appropriate password for Postfix can be configured.
+SASL authentication is then used when sending mails:
+```
+etcdctl set /config/postfix/sasl_username adminuser
+etcdctl set /config/postfix/sasl_password adminpw
+```

docs/operations/Configure_Dogu_de.md

@@ -32,6 +32,12 @@ Postfix-Dogu bietet die folgenden Einstellungen:
   etcdctl set /config/postfix/relayhost <Wert für den Relayhost>
   ```
 
+### SASL Authentifizierung
+
+* Pfad des Konfigurationsschlüssels: `sasl_username` __und__ `sasl_password`
+* Sind beide Schlüssel vorhanden wird beim start SASL Authentifizierung konfiguriert 
+* Optional
+
 ### SMTP TLS Sicherheitsstufe
 
 * Pfad des Konfigurationsschlüssels: `smtp_tls_security_level`

docs/operations/Configure_Dogu_en.md

@@ -32,6 +32,12 @@ the following settings:
   etcdctl set /config/postfix/relayhost <value for the relay host>
   ```
 
+### SASL authentication
+
+* Path of the configuration key: `sasl_username` __and__ `sasl_password`.
+* If both keys are present, SASL authentication is configured at startup.
+* Optional
+
 ### SMTP TLS security level
 
 * Configuration key path: `smtp_tls_security_level`

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/postfix",
-  "Version": "3.6.4-2",
+  "Version": "3.6.4-3",
   "DisplayName": "Postfix",
   "Description": "Postfix - Mail Transfer Agent",
   "Logo": "https://cloudogu.com/images/dogus/postfix.png",
@@ -16,6 +16,17 @@
       "Name": "relayhost",
       "Description": "The next-hop destination of non-local mail"
     },
+    {
+      "Name": "sasl_username",
+      "Description": "username for sasl authentication",
+      "Optional": true
+    },
+    {
+      "Name": "sasl_password",
+      "Description": "password for sasl authentication, if the mail relay server needs an md5 encrypted password pass the encrypted password in here otherwise plain",
+      "Optional": true,
+      "Encrypted": false
+    },
     {
       "Name": "smtp_tls_security_level",
       "Description": "The default SMTP TLS security level for the Postfix SMTP client",

resources/startup.sh

@@ -33,6 +33,8 @@ function writeIntoFileAndSetIfConfigured {
 MAILRELAY=$(doguctl config relayhost)
 NAME=$(hostname)
 DOMAIN=$(doguctl config --global domain)
+POSTFIX_SASL_USER=$(doguctl config --default "NOT_SET" sasl_username)
+POSTFIX_SASL_PASSWORD=$(doguctl config --default "NOT_SET" sasl_password)
 NET=""
 OPTIONS=('smtp_tls_security_level' 'smtp_tls_loglevel'
 'smtp_tls_exclude_ciphers' 'smtp_tls_mandatory_ciphers'
@@ -45,15 +47,34 @@ for i in $(netstat -nr | grep -v ^0 | grep -v Dest | grep -v Kern| awk '{print $
   NET="${NET} ${i}/${CIDR}"
 done
 
+echo "start Postfix configuration ..."
+
 # POSTFIX CONFIG
+postconf -e relayhost="${MAILRELAY}"
 postconf -e mydomain="localhost.local"
 postconf -e myhostname="${NAME}.${DOMAIN}"
 postconf -e mydestination="${NAME}.${DOMAIN}, localhost.localdomain, localhost"
 postconf -e mynetworks="127.0.0.1 ${NET}"
 postconf -e smtputf8_enable=no
-postconf -e relayhost="${MAILRELAY}"
 postconf -e smtpd_recipient_restrictions="permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination"
 
+
+# check if SASL authentication should be configured
+if [ "${POSTFIX_SASL_USER}" != "NOT_SET" ] && [ "${POSTFIX_SASL_PASSWORD}" != "NOT_SET" ]; then
+      echo "found SASL pw and user ... configure Postfix to use SASL authentication"
+
+      # SASL security in postfix
+      echo "${MAILRELAY} ${POSTFIX_SASL_USER}:${POSTFIX_SASL_PASSWORD}"> /etc/postfix/sasl_passwd
+      postmap /etc/postfix/sasl_passwd
+
+      postconf -e smtp_sasl_auth_enable="yes" # enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP client uses no authentication.
+      postconf -e smtp_sasl_security_options="noanonymous" # removes the prohibition on plaintext password
+      postconf -e smtp_sasl_password_maps="lmdb:/etc/postfix/sasl_passwd" #hash:/ is deprecated using lmdb:/ instead
+else
+      echo "configure no SASL authentication"
+fi
+
+
 for option in "${OPTIONS[@]}"; do
   setValueIfConfigured "${option}"
 done
@@ -66,5 +87,6 @@ writeIntoFileAndSetIfConfigured "smtp_tls_CAfile" "/etc/postfix/CAcert.pem"
 # LOGGING CONFIG
 ./logging.sh
 
+echo "finished configuration, start Postfix ..."
 # START POSTFIX
 exec /usr/bin/supervisord -c /etc/supervisord.conf