From f7bbbde8c95568699c01b8385a4baa946be3ee06 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Tue, 8 Jun 2021 13:15:14 +0200
Subject: [PATCH] [Dovecot] Check protocol access in LUA API, remove postlogin script
---
 data/Dockerfiles/dovecot/Dockerfile | 1 -
 data/Dockerfiles/dovecot/docker-entrypoint.sh | 13 ++++++++-----
 data/Dockerfiles/dovecot/postlogin.sh | 3 ---
 3 files changed, 8 insertions(+), 9 deletions(-)
 delete mode 100755 data/Dockerfiles/dovecot/postlogin.sh
diff --git a/data/Dockerfiles/dovecot/Dockerfile b/data/Dockerfiles/dovecot/Dockerfile
index de900e61..f48448bb 100644
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@@ -113,7 +113,6 @@ COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf
 COPY imapsync /usr/local/bin/imapsync
-COPY postlogin.sh /usr/local/bin/postlogin.sh
 COPY imapsync_runner.pl /usr/local/bin/imapsync_runner.pl
 COPY report-spam.sieve /usr/lib/dovecot/sieve/report-spam.sieve
 COPY report-ham.sieve /usr/lib/dovecot/sieve/report-ham.sieve
diff --git a/data/Dockerfiles/dovecot/docker-entrypoint.sh b/data/Dockerfiles/dovecot/docker-entrypoint.sh
index 45ae6010..4305a084 100755
--- a/data/Dockerfiles/dovecot/docker-entrypoint.sh
+++ b/data/Dockerfiles/dovecot/docker-entrypoint.sh
@@ -158,7 +158,8 @@ function auth_password_verify(req, pass)
 local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
 WHERE username = '%s'
 AND active = '1'
- AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.domain)))
+ AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
+ AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
 local row = cur:fetch ({}, "a")
 while row do
 if req.password_verify(req, row.password, pass) == 1 then
@@ -171,10 +172,13 @@ function auth_password_verify(req, pass)
 end
 -- check against app passwds
- local cur,errorString = con:execute(string.format([[SELECT id, password FROM app_passwd
+ local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, app_passwd.password FROM app_passwd
+ INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
 WHERE mailbox = '%s'
- AND active = '1'
- AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.domain)))
+ AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.%s_access')), 1) = '1'
+ AND app_passwd.active = '1'
+ AND mailbox.active = '1'
+ AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.user), con:escape(req.service), con:escape(req.domain)))
 local row = cur:fetch ({}, "a")
 while row do
 if req.password_verify(req, row.password, pass) == 1 then
@@ -360,7 +364,6 @@ chown root:tty /dev/console
 chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
 /usr/lib/dovecot/sieve/rspamd-pipe-spam \
 /usr/local/bin/imapsync_runner.pl \
- /usr/local/bin/postlogin.sh \
 /usr/local/bin/imapsync \
 /usr/local/bin/trim_logs.sh \
 /usr/local/bin/sa-rules.sh \
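Review bot: In the mailbox query (hunk `@@ -158,7 +158,8 @@`), the added clause `IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1'` fails open: when `attributes` holds no `<service>_access` key for the value of `req.service`, or `JSON_VALUE` returns NULL for any other reason, the protocol check passes. `con:escape(req.service)` protects the SQL string literal, but nothing visible limits `req.service` to the protocol names that actually have an access attribute, so a service without a matching key is never restricted. If the default is deliberate for mailboxes that predate the attribute, record it with a comment such as `-- missing <service>_access key means the protocol is allowed`; otherwise check `req.service` against the list of gated protocols before calling `string.format`. The same clause is repeated in the app-password query in the next hunk, and auth_password_verify begins and ends outside both hunks.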
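Review bot: In the app-password query (hunk `@@ -171,10 +172,13 @@`), the `string.format` arguments are ordered user, service, domain, while the mailbox query in the previous hunk passes user, domain, service; every placeholder is a plain `'%s'`, so swapping two arguments in a later edit would still run and would silently test the wrong attribute or domain. Keeping the same clause order in both statements, or adding a comment like `-- placeholders: mailbox, service, domain` above the call, makes the pairing checkable at a glance. `WHERE mailbox = '%s'` is also unqualified although the statement now joins the `mailbox` table; `WHERE app_passwd.mailbox = '%s'` reads unambiguously. In the visible lines `cur` goes straight to `cur:fetch` with `errorString` unused, so a failing statement (for instance on a database without `JSON_VALUE`) would presumably raise a Lua error rather than return a passdb result; the surrounding function is outside the hunk, so confirm how that case is handled.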
diff --git a/data/Dockerfiles/dovecot/postlogin.sh b/data/Dockerfiles/dovecot/postlogin.sh
deleted file mode 100755
index 01a45f31..00000000
--- a/data/Dockerfiles/dovecot/postlogin.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-export MASTER_USER=$USER
-exec "$@"