email: Revert to LDAP auth as pam does not allow non-admin users

Since FreedomBox does not allow any users but those belonging to 'admin' group
to login, using passwd driver for auth means that only admin can login to
postfix/dovecot. Fix this by reverting to using LDAP driver.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

plinth/modules/email/__init__.py

@@ -90,8 +90,8 @@ class EmailApp(plinth.app.App):
         packages = Packages(
             'packages-email', [
                 'postfix', 'postfix-sqlite', 'dovecot-pop3d', 'dovecot-imapd',
-                'dovecot-lmtpd', 'dovecot-managesieved', 'rspamd',
+                'dovecot-lmtpd', 'dovecot-managesieved', 'dovecot-ldap',
-                'redis-server', 'openssl'
+                'rspamd', 'redis-server', 'openssl'
             ], conflicts=['exim4-base', 'exim4-config', 'exim4-daemon-light'],
             conflicts_action=Packages.ConflictsAction.IGNORE)
         self.add(packages)

plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-passdb.conf

@@ -0,0 +1,15 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See:
+# https://doc.dovecot.org/configuration_manual/authentication/password_databases_passdb/
+#
+# For passdb, the passwd driver looks up using NSS. In FreedomBox, NSS is
+# configured to lookup LDAP with the help of libnss-ldapd. Lookup using passdb
+# would have been sufficient if FreedomBox allowed all its users to login using
+# pam. However, by default, FreedomBox disallows all users but 'admin' group to
+# login. Hence, the need for LDAP lookup.
+#
+passdb {
+  driver = ldap
+  args = /etc/dovecot/conf.d/freedombox-ldap.conf.ext
+}

plinth/modules/email/data/etc/dovecot/conf.d/05-freedombox-userdb.conf

@@ -13,15 +13,16 @@
 # FreedomBox. So, authenticate and store mails based on username only instead of
 # including domain names in storage path.
 #
-# For authdb and userdb, the passwd driver looks up using NSS. In FreedomBox,
-# NSS is configured to lookup LDAP with the help of libnss-ldapd. There is no
-# need to configure LDAP lookup separately.
-#
 # Directories are created under /var/mail as necessary by dovecot. Permissions
 # for newly created directories are inherited from parent directory. FreedomBox
 # will remove all permissions for 'others' from /var/mail to ensure that mail is
 # not read by non-root users.
+#
+# userdb provides lookup for three parameters after authentication of a user.
+# These parameters are uid, gid, and home directory of the user. If these do not
+# change from user to user, a 'static' database type with fixed values is
+# sufficient as userdb.
 userdb {
-    driver = passwd
+    driver = static
-    override_fields = home=/var/mail/%Ln uid=mail gid=mail
+    args = home=/var/mail/%Ln uid=mail gid=mail
 }

plinth/modules/email/data/etc/dovecot/conf.d/freedombox-ldap.conf.ext

@@ -0,0 +1,8 @@
+# Do not edit this file. Manage your settings on FreedomBox.
+
+# See: https://wiki.dovecot.org/AuthDatabase/LDAP/AuthBinds
+
+uris = ldapi:///
+base =
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=users,dc=thisbox