Skip to content
/ ldap-mailcow-linuxmuster Public
forked from Programmierus/ldap-mailcow

LDAP account synchronization and authentication for mailcow-dockerized

2 stars 37 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sys-fn-de/ldap-mailcow-linuxmuster

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
templates
templates
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
api.py
api.py
 
 
filedb.py
filedb.py
 
 
syncer.py
syncer.py
 
 

Repository files navigation

ldap-mailcow-linuxmuster

Adds LDAP accounts to mailcow-dockerized and enables LDAP (e.g., linuxmuster) authentication.

Security risk

In order to work in a linuxmuster environment, this repo contains changes to allow self signed certificates, which is a security risk.

How does it work

A python script periodically checks and creates new LDAP accounts and deactivates deleted and disabled ones with mailcow API. It also enables LDAP authentication in SOGo and dovecot.

Build

```
git clone https://github.com/sys-fn-de/ldap-mailcow-linuxmuster
cd ldap-mailcow-linuxmuster
sudo docker login
sudo docker build -t <username>/ldap-mailcow .
sudo docker push <username>/ldap-mailcow
```

Logs

```
docker-compose logs -f ldap-mailcow
```

Usage

  1. Create a data/ldap directory. SQLite database for synchronization will be stored there.

  2. Extend your docker-compose.override.yml with an additional container:

    ldap-mailcow:
    image: lexodexo/ldap-mailcow
    network_mode: host
    container_name: mailcowcustomized_ldap-mailcow
    depends_on:
        - nginx-mailcow
    volumes:
        - ./data/ldap:/db:rw
        - ./data/conf/dovecot:/conf/dovecot:rw
        - ./data/conf/sogo:/conf/sogo:rw
    environment:
        - LDAP-MAILCOW_LDAP_URI=ldap(s)://dc.example.local
        - LDAP-MAILCOW_LDAP_BASE_DN=OU=Mail Users,DC=example,DC=local
        - LDAP-MAILCOW_LDAP_BASE_DOMAIN=example.local
        - LDAP-MAILCOW_LDAP_BIND_DN=CN=Bind DN,CN=Users,DC=example,DC=local
        - LDAP-MAILCOW_LDAP_BIND_DN_PASSWORD=BindPassword
        - LDAP-MAILCOW_API_HOST=https://mailcow.example.local
        - LDAP-MAILCOW_API_KEY=XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
        - LDAP-MAILCOW_SYNC_INTERVAL=300
        - LDAP-MAILCOW_LDAP_FILTER=(sophomorixStatus=U)
        - LDAP-MAILCOW_SOGO_LDAP_FILTER=sophomorixStatus='U'

  3. Configure environmental variables:

    • LDAP-MAILCOW_LDAP_URI - LDAP (e.g., Active Directory) URI (must be reachable from within the container). The URIs are in syntax protocol://host:port. For example ldap://localhost or ldaps://secure.domain.org
    • LDAP-MAILCOW_LDAP_BASE_DN - base DN where user accounts can be found
    • LDAP-MAILCOW_LDAP_BASE_DOMAIN - base Domain (most likely a combination of BASE_DN (e.g. DC=example, DC=local -> example.local)
    • LDAP-MAILCOW_LDAP_BIND_DN - bind DN of a special LDAP account that will be used to browse for users
    • LDAP-MAILCOW_LDAP_BIND_DN_PASSWORD - password for bind DN account
    • LDAP-MAILCOW_API_HOST - mailcow API url. Make sure it's enabled and accessible from within the container for both reads and writes
    • LDAP-MAILCOW_API_KEY - mailcow API key (read/write)
    • LDAP-MAILCOW_SYNC_INTERVAL - interval in seconds between LDAP synchronizations
    • Optional LDAP filters (see example above). SOGo uses special syntax, so you either have to specify both or none:
      • LDAP-MAILCOW_LDAP_FILTER - LDAP filter to apply, defaults to (&(objectClass=user)(objectCategory=person))
      • LDAP-MAILCOW_SOGO_LDAP_FILTER - LDAP filter to apply for SOGo (special syntax), defaults to objectClass='user' AND objectCategory='person'

  4. Start additional container: docker-compose up -d ldap-mailcow

  5. Check logs docker-compose logs ldap-mailcow

  6. Restart dovecot and SOGo if necessary docker-compose restart sogo-mailcow dovecot-mailcow

LDAP Fine-tuning

Container internally uses the following configuration templates:

  • SOGo: /templates/sogo/plist_ldap
  • dovecot: /templates/dovecot/ldap/passdb.conf

These files have been tested against linuxmuster. If necessary, you can edit and remount them through docker volumes. Some documentation on these files can be found here: dovecot, SOGo

Limitations

WebUI and EAS authentication

This tool enables authentication for Dovecot and SOGo, which means you will be able to log into POP3, SMTP, IMAP, and SOGo Web-Interface. You will not be able to log into mailcow UI or EAS using your LDAP credentials by default.

As a workaround, you can hook IMAP authentication directly to mailcow by adding the following code above this line:

    $mbox = imap_open ("{dovecot:993/imap/ssl/novalidate-cert}INBOX", $user, $pass);
    if ($mbox != false) {
        imap_close($mbox);
        return "user";
    }

As a side-effect, It will also allow logging into mailcow UI using mailcow app passwords (since they are valid for IMAP). It is not a supported solution with mailcow and has to be done only at your own risk!

Two-way sync

Users from your LDAP directory will be added (and deactivated if disabled/not found) to your mailcow database. Not vice-versa, and this is by design.

Customizations and Integration support

External authentication (identity federation) is an enterprise feature for mailcow. That’s why I developed an external solution, and it is unlikely that it’ll be ever directly integrated into mailcow.

About

LDAP account synchronization and authentication for mailcow-dockerized

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 96.6%
  • Dockerfile 3.4%