From 2aef18d1309f380aa533d862b3eef1607c3f33c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?=
Date: Thu, 12 Jul 2018 00:23:12 +0200
Subject: [PATCH] [Dovecot] Remove user queries from passdb + add a second passdb for additional algorithms + create userdb without password queries
---
data/Dockerfiles/dovecot/docker-entrypoint.sh | 22 +++++++++++++++----
data/conf/dovecot/dovecot.conf | 8 +++++--
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index be095355..21c38107 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -83,14 +83,28 @@ map { EOF -# Create user and pass dict for Dovecot -cat < /usr/local/etc/dovecot/sql/dovecot-dict-sql-passdb.conf +# Create userdb dict for Dovecot +cat < /usr/local/etc/dovecot/sql/dovecot-dict-sql-userdb.conf +driver = mysql +connect = "host=mysql dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" +user_query = SELECT CONCAT('maildir:/var/vmail/',maildir) AS mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1' +iterate_query = SELECT username FROM mailbox WHERE active='1'; +EOF + +# Create default pass dict for Dovecot +cat < /usr/local/etc/dovecot/sql/dovecot-dict-sql-ssha256-passdb.conf driver = mysql connect = "host=mysql dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" default_pass_scheme = SSHA256 password_query = SELECT password FROM mailbox WHERE username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%' -user_query = SELECT CONCAT('maildir:/var/vmail/',maildir) AS mail, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND active = '1' -iterate_query = SELECT username FROM mailbox WHERE active='1'; +EOF + +# Create additional passdb dict for Dovecot +cat < /usr/local/etc/dovecot/sql/dovecot-dict-sql-additional-passdb.conf +driver = mysql +connect = "host=mysql dbname=${DBNAME} user=${DBUSER} password=${DBPASS}" +default_pass_scheme = ${ADDITIONAL_HASH_SCHEME} +password_query = SELECT password FROM mailbox WHERE username = '%u' AND domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') AND JSON_EXTRACT(attributes, '$.force_pw_update') NOT LIKE '%%1%%' EOF # Create global sieve_after script diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf index f4369937..7138c98a 100644 --- a/data/conf/dovecot/dovecot.conf +++ b/data/conf/dovecot/dovecot.conf 
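Review bot: `default_pass_scheme = ${ADDITIONAL_HASH_SCHEME}` in the new additional-passdb heredoc is expanded with no default and no validation, so an unset variable yields an empty setting and a value such as `PLAIN` is written through unchanged. Because this passdb reads the same `password` column as the SSHA256 one, Dovecot will presumably apply that scheme to any stored value that has no `{SCHEME}` prefix, and with a cleartext scheme the stored hash string itself would be accepted as the password. I would fail fast before the heredoc, e.g. `: "${ADDITIONAL_HASH_SCHEME:?must name a salted hash scheme}"`, and refuse cleartext schemes there as well. The `password_query` line is now duplicated verbatim in two generated files; keeping it in one shell variable would stop the `force_pw_update` filter from drifting between them.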
@@ -43,7 +43,11 @@ passdb { pass = yes } passdb { - args = /usr/local/etc/dovecot/sql/dovecot-dict-sql-passdb.conf + args = /usr/local/etc/dovecot/sql/dovecot-dict-sql-ssha256-passdb.conf + driver = sql +} +passdb { + args = /usr/local/etc/dovecot/sql/dovecot-dict-sql-additional-passdb.conf driver = sql } # Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing) @@ -238,7 +242,7 @@ listen = *,[::] ssl_cert =
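Review bot: Nothing in the visible hunks repoints a `userdb` block at the new `dovecot-dict-sql-userdb.conf`, although the entrypoint no longer generates `dovecot-dict-sql-passdb.conf`. The diffstat lists 8 changed lines for this file and this hunk accounts for 6 of them; the second hunk is cut off here, but it starts at line 238 near `listen`/`ssl_cert`, so it is unlikely to be the userdb change. If a `userdb` block outside the hunk still uses the old path, user lookups will read a stale or missing file, and it should become `args = /usr/local/etc/dovecot/sql/dovecot-dict-sql-userdb.conf`. A comment above the two sql passdb blocks, such as `# SSHA256 is tried first; a mismatch falls through to the ADDITIONAL_HASH_SCHEME passdb`, would make the evaluation order explicit for the next reader.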