dovecot-auth-proxy: replace directory traversal with LDAP lookups.

This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.

1 files changed, 4 insertions, 6 deletions

diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
index d20f9c2..3ac0b31 100644
--- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -4,8 +4,7 @@ After=dovecot.target
 Requires=dovecot-auth-proxy.socket
 
 [Service]
-User=vmail
-Group=vmail
+User=_dovecot-auth-proxy
 StandardInput=null
 SyslogFacility=mail
 ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
@@ -13,14 +12,13 @@ ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectSystem=strict
-ProtectHome=read-only
-PrivateDevices=yes
 PrivateNetwork=yes
+ProtectHome=yes
+ProtectSystem=strict
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-RestrictAddressFamilies=
+RestrictAddressFamilies=AF_UNIX
 
 [Install]
 WantedBy=multi-user.target