Mail

dovecot/Dockerfile

@@ -0,0 +1,17 @@
+FROM dovecot/dovecot:latest
+
+COPY --chown=mail:mail start.sh /
+COPY --chown=mail:mail templates/ /templates/
+COPY config/ /config/
+
+RUN mkdir /run/dovecot /cert /dh && \
+    chown mail:mail /config /cert /dh /run/dovecot
+
+VOLUME /cert
+VOLUME /dh
+
+EXPOSE 10993/tcp
+
+USER mail
+
+CMD ["/start.sh"]

dovecot/config/dovecot.conf

@@ -0,0 +1,127 @@
+auth_mechanisms = plain login
+disable_plaintext_auth = no
+info_log_path = /dev/stdout
+log_path = /dev/stderr
+
+## Mailbox location
+
+## UID/GID 1000 = 'vmail' in dovecot container image
+## UID/GID 8 = 'mail' in dovecot container image
+
+default_internal_user = mail
+default_login_user = mail
+default_internal_group = mail
+
+mail_uid = 8
+mail_gid = 8
+first_valid_uid = 8
+last_valid_uid = 8
+first_valid_gid = 8
+last_valid_gid = 8
+mail_privileged_group = mail
+
+## Inbox
+
+namespace inbox {
+    inbox = yes
+    location =
+    mailbox Drafts {
+    auto = subscribe
+    special_use = \Drafts
+    }
+    mailbox Sent {
+    auto = subscribe
+    special_use = \Sent
+    }
+    mailbox Spam {
+    auto = subscribe
+    special_use = \Junk
+    }
+    mailbox Trash {
+    auto = subscribe
+    special_use = \Trash
+    }
+    prefix =
+}
+
+## Services
+
+## UID/GID 100 (postfix) = '_apt' in dovecot container image
+## UID/GID 101 (postfix) = 'ssl-cert' in dovecot container image
+## For service unix sockets, Dovecot is too retarded to interpret raw UID/GID integers
+## So we must reference these users by their local names.
+
+protocols = imap lmtp
+service auth {
+    chroot = 
+    unix_listener /socket/sasl {
+    mode = 0666
+    }
+    vsz_limit = 2 G
+}
+service imap-login {
+    chroot = 
+    inet_listener imap {
+    port = 0
+    }
+    inet_listener imaps {
+    address = *
+    port = 10993
+    ssl = yes
+    }
+}
+service lmtp {
+    chroot = 
+    unix_listener /socket/lmtp {
+    mode = 0666
+    }
+}
+service stats {
+    chroot = 
+    inet_listener http {
+    address = *
+    port = 9090
+    }
+}
+service anvil {
+    chroot = 
+}
+
+## TLS
+
+ssl = required
+verbose_ssl = no
+ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
+ssl_prefer_server_ciphers = yes
+
+## Authentication
+
+passdb {
+    driver = ldap
+    args = /config/dovecot-ldap-pass.conf.ext
+}
+
+## Users
+
+userdb {
+    driver = ldap
+    args = /config/dovecot-ldap-users.conf.ext
+}
+
+mail_home = /mail/%n/home
+mail_location = sdbox:/mail/%n/mailbox:LAYOUT=fs
+
+verbose_proctitle = yes
+
+## Protocols
+
+protocol imap {
+    imap_idle_notify_interval = 5 mins
+    mail_max_userip_connections = 20
+    ssl_cert = </cert/tls.crt
+    ssl_key = </cert/tls.key
+    ssl_dh = </dh/dhparams.pem
+}
+protocol lmtp {
+    postmaster_address = postmaster@balsillie.net
+}

dovecot/start.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Template out LDAP config
+eval "echo \"$(cat /templates/dovecot-ldap.conf.ext.tmpl)\"" > /config/dovecot-ldap.conf.ext
+
+# Symlink the config
+ln -s /config/dovecot-ldap.conf.ext /config/dovecot-ldap-users.conf.ext
+ln -s /config/dovecot-ldap.conf.ext /config/dovecot-ldap-pass.conf.ext
+
+# Start Dovecot
+/usr/sbin/dovecot -c /config/dovecot.conf -F

dovecot/templates/dovecot-ldap.conf.ext.tmpl

@@ -0,0 +1,12 @@
+uris = ldaps://ldap.balsillie.net:636
+ldap_version = 3
+base = ou=users,dc=balsillie,dc=net
+scope = subtree
+dn = cn=bind,dc=balsillie,dc=net
+dnpass = ${LDAP_BIND_PW}
+auth_bind = yes
+debug_level = 0
+pass_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(uid=%n))
+user_filter = (&(objectClass=mailAccount)(mailEnabled=TRUE)(uid=%n))
+pass_attrs = uid=user
+user_attrs = uid=user