From 9d4ae972e9b4cce02a8ea5ec4dafacfe381cfc3c Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Thu, 24 Feb 2022 17:06:46 -0800
Subject: [PATCH] email: Revert to LDAP auth as pam does not allow non-admin users
Since FreedomBox does not allow any users but those belonging to 'admin' group to login, using passwd driver for auth means that only admin can login to postfix/dovecot. Fix this by reverting to using LDAP driver.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/email/__init__.py | 4 ++--
 .../etc/dovecot/conf.d/05-freedombox-passdb.conf | 15 +++++++++++++++
 ...dombox-mail.conf => 05-freedombox-userdb.conf} | 13 +++++++------
 .../etc/dovecot/conf.d/freedombox-ldap.conf.ext | 8 ++++++++
 4 files changed, 32 insertions(+), 8 deletions(-)
 create mode 100644 plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf
 rename plinth/modules/email/data/etc/dovecot/conf.d/{05-freedombox-mail.conf => 05-freedombox-userdb.conf} (74%)
 create mode 100644 plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext
diff --git a/plinth/modules/email/__init__.py b/plinth/modules/email/__init__.py
index 54a463837..a5d7a81f7 100644
--- a/plinth/modules/email/__init__.py
+++ b/plinth/modules/email/__init__.py
@@ -90,8 +90,8 @@ class EmailApp(plinth.app.App):
 packages = Packages(
 'packages-email', [
 'postfix', 'postfix-sqlite', 'dovecot-pop3d', 'dovecot-imapd',
- 'dovecot-lmtpd', 'dovecot-managesieved', 'rspamd',
- 'redis-server', 'openssl'
+ 'dovecot-lmtpd', 'dovecot-managesieved', 'dovecot-ldap',
+ 'rspamd', 'redis-server', 'openssl'
 ], conflicts=['exim4-base', 'exim4-config', 'exim4-daemon-light'],
 conflicts_action=Packages.ConflictsAction.IGNORE)
 self.add(packages)
diff --git a/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf
new file mode 100644
index 000000000..efc226d78
--- /dev/null
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf
@@ -0,0 +1,15 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See:
+# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
+#
+# For passdb, the passwd driver looks up using NSS. In FreedomBox, NSS is
+# configured to lookup LDAP with the help of libnss-ldapd. Lookup using passdb
+# would have been sufficient if FreedomBox allowed all its users to login using
+# pam. However, by default, FreedomBox disallows all users but 'admin' group to
+# login. Hence, the need for LDAP lookup.
+#
+passdb {
+ driver = ldap
+ args = /etc/dovecot/conf.d/freedombox-ldap.conf.ext
+}
diff --git a/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-mail.conf b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf
similarity index 74%
rename from plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-mail.conf
rename to plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf
index 70f8996b8..4932085ab 100644
--- a/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-mail.conf
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf
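Review bot: The explanatory comment names the wrong thing at `+# configured to lookup LDAP with the help of libnss-ldapd. Lookup using passdb`: it is the `passwd` driver (the NSS lookup described one sentence earlier) that would have sufficed, not "passdb", so as written the sentence contradicts the `driver = ldap` block it introduces; suggest `# configured to lookup LDAP with the help of libnss-ldapd. Lookup using passwd`. It would also help a reader auditing credential handling if this comment stated what the referenced file does, e.g. `# The LDAP passdb authenticates by binding as the user over the local ldapi socket, so no service DN or password is stored in the args file.` That property follows from the `auth_bind = yes` / `ldapi:///` settings in freedombox-ldap.conf.ext elsewhere in this patch and is the main thing worth confirming when this file is read on its own.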
@@ -13,15 +13,16 @@
 # FreedomBox. So, authenticate and store mails based on username only instead of
 # including domain names in storage path.
 #
-# For authdb and userdb, the passwd driver looks up using NSS. In FreedomBox,
-# NSS is configured to lookup LDAP with the help of libnss-ldapd. There is no
-# need to configure LDAP lookup separately.
-#
 # Directories are created under /var/mail as necessary by dovecot. Permissions
 # for newly created directories are inherited from parent directory. FreedomBox
 # will remove all permissions for 'others' from /var/mail to ensure that mail is
 # not read by non-root users.
+#
+# userdb provides lookup for three parameters after authentication of a user.
+# These parameters are uid, gid, and home directory of the user. If these do not
+# change from user to user, a 'static' database type with fixed values is
+# sufficient as userdb.
 userdb {
- driver = passwd
- override_fields = home=/var/mail/%Ln uid=mail gid=mail
+ driver = static
+ args = home=/var/mail/%Ln uid=mail gid=mail
 }
diff --git a/plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext b/plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext
new file mode 100644
index 000000000..708caf22a
--- /dev/null
+++ b/plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext
@@ -0,0 +1,8 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See: https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
+
+uris = ldapi:///
+base =
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=users,dc=thisbox
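Review bot: The switch at `+ driver = static` changes how user existence is decided for lookups that are not preceded by a login (LMTP delivery, doveadm): unless I misread the Dovecot static-userdb documentation, with the default `allow_all_users=no` such a lookup is answered by asking the passdb whether the user exists, and the new passdb is an auth-bind-only LDAP configuration with no `pass_filter`, so it is not clear from this patch that delivery to a user who has never authenticated still works; that case should be tested before merge. Whichever way it is resolved, the new comment block should record it, e.g. `# Unauthenticated lookups (LMTP, doveadm) rely on the passdb to confirm the user exists; see 05-freedombox-passdb.conf.` The `home=/var/mail/%Ln uid=mail gid=mail` line also means every mailbox is owned by the same uid, so separation between users rests on Dovecot's username-to-home mapping rather than on file permissions, which is worth stating next to the existing /var/mail permission comment. The file continues above this hunk (it starts at line 13).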
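Review bot: `auth_bind_userdn = uid=%u,ou=users,dc=thisbox` substitutes the login name as supplied (`%u`), while the userdb in 05-freedombox-userdb.conf builds the mailbox path from `%Ln` (lowercased, domain stripped); a client that authenticates as `alice@example.org` would presumably be bound as `uid=alice@example.org,...` and be rejected even though the userdb would map it to the same `/var/mail/alice`, so unless `auth_username_format` normalises the name elsewhere, `uid=%n` here, or `auth_username_format = %Ln` in the main configuration, keeps the two consistent with the "username only" intent stated in the userdb file. `base =` is left empty, which is harmless while no search is performed, but becomes a failure as soon as a `pass_filter` or `user_filter` is added; a comment such as `# base is unused: auth_bind_userdn makes Dovecot bind directly without searching` would record that. Binding over `ldapi:///` means no service credentials are stored in this file, which deserves a line in the header comment so nobody later "fixes" it by adding a `dn`/`dnpass` pair.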