From 5118f8d3394579a245b355c863c69410fe92e26e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 21 May 2020 01:35:28 +0200
Subject: dovecot-auth-proxy: replace directory traversal with LDAP lookups.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
---
roles/IMAP/files/usr/local/bin/list-users.pl | 45 ----------------------------
1 file changed, 45 deletions(-)
delete mode 100755 roles/IMAP/files/usr/local/bin/list-users.pl
(limited to 'roles/IMAP/files/usr/local/bin/list-users.pl')

diff --git a/roles/IMAP/files/usr/local/bin/list-users.pl b/roles/IMAP/files/usr/local/bin/list-users.pl
deleted file mode 100755
index 1bcab35..0000000
--- a/roles/IMAP/files/usr/local/bin/list-users.pl
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright © 2017 Guilhem Moulin
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-use warnings;
-use strict;
-use Net::LDAPI;
-use Net::LDAP::Util qw/ldap_explode_dn escape_dn_value/;
-use Authen::SASL;
-
-my $BASE = 'ou=virtual,dc=fripost,dc=org';
-
-my $LDAP = Net::LDAPI::->new();
-$LDAP->bind( undef, sasl => Authen::SASL::->new(mechanism => 'EXTERNAL') )
- or die "Error: Couldn't bind";
-
-my $mesg = $LDAP->search( base => $BASE, scope => 'children', deref => 'never'
- , filter => '(objectClass=FripostVirtualUser)'
- , attrs => ['1.1']
- );
-die $mesg->error if $mesg->code;
-
-while (defined (my $entry = $mesg->pop_entry())) {
- my $dn = $entry->dn() // next;
- $dn = ldap_explode_dn($dn, casefold => 'lower');
- next unless defined $dn and $#$dn == 4;
- my $l = $dn->[0]->{fvl} // next;
- my $d = $dn->[1]->{fvd} // next;
- printf "%s@%s\n", $l, $d;
-}
-
-$LDAP->unbind;
-- cgit v1.2.3