email: Revert to LDAP auth as pam does not allow non-admin users

Since FreedomBox does not allow any users but those belonging to 'admin' group to login, using passwd driver for auth means that only admin can login to postfix/dovecot. Fix this by reverting to using LDAP driver. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-28 08:03:36 +00:00 · 2022-02-24 17:06:46 -08:00 · 2022-02-24 17:06:46 -08:00 · 9d4ae972e9
commit 9d4ae972e9
parent 56f95ddf97
4 changed files with 32 additions and 8 deletions
--- a/plinth/modules/email/init.py
+++ b/plinth/modules/email/init.py
@ -90,8 +90,8 @@ class EmailApp(plinth.app.App):
        packages = Packages(
            'packages-email', [
                'postfix', 'postfix-sqlite', 'dovecot-pop3d', 'dovecot-imapd',
-                'dovecot-lmtpd', 'dovecot-managesieved', 'rspamd',
-                'redis-server', 'openssl'
+                'dovecot-lmtpd', 'dovecot-managesieved', 'dovecot-ldap',
+                'rspamd', 'redis-server', 'openssl'
            ], conflicts=['exim4-base', 'exim4-config', 'exim4-daemon-light'],
            conflicts_action=Packages.ConflictsAction.IGNORE)
        self.add(packages)
--- a/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf
@ -0,0 +1,15 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See:
+# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
+#
+# For passdb, the passwd driver looks up using NSS. In FreedomBox, NSS is
+# configured to lookup LDAP with the help of libnss-ldapd. Lookup using passdb
+# would have been sufficient if FreedomBox allowed all its users to login using
+# pam. However, by default, FreedomBox disallows all users but 'admin' group to
+# login. Hence, the need for LDAP lookup.
+#
+passdb {
+  driver = ldap
+  args = /etc/dovecot/conf.d/freedombox-ldap.conf.ext
+}
--- a/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf
@ -13,15 +13,16 @@
 # FreedomBox. So, authenticate and store mails based on username only instead of
 # including domain names in storage path.
 #
-# For authdb and userdb, the passwd driver looks up using NSS. In FreedomBox,
-# NSS is configured to lookup LDAP with the help of libnss-ldapd. There is no
-# need to configure LDAP lookup separately.
-#
 # Directories are created under /var/mail as necessary by dovecot. Permissions
 # for newly created directories are inherited from parent directory. FreedomBox
 # will remove all permissions for 'others' from /var/mail to ensure that mail is
 # not read by non-root users.
+#
+# userdb provides lookup for three parameters after authentication of a user.
+# These parameters are uid, gid, and home directory of the user. If these do not
+# change from user to user, a 'static' database type with fixed values is
+# sufficient as userdb.
 userdb {
-    driver = passwd
-    override_fields = home=/var/mail/%Ln uid=mail gid=mail
+    driver = static
+    args = home=/var/mail/%Ln uid=mail gid=mail
 }
--- a/plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext
@ -0,0 +1,8 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See: https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
+
+uris = ldapi:///
+base =
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=users,dc=thisbox