fix: Correctly support multiple Dovecot PassDBs (#3812)

* fix: Dovecot PassDB should restrict allowed auth mechanisms

This prevents PassDBs incompatible with certain auth mechanisms from logging failures which accidentally triggers Fail2Ban.

Instead only allow the PassDB to be authenticated against when it's compatible with the auth mechanism used.

* tests: Use `curl` for OAuth2 login test-cases instead of netcat

`curl` provides this capability for both IMAP and SMTP authentication with a bearer token. It supports both `XOAUTH2` and `OAUTHBEARER` mechanisms, as these updated test-cases demonstrate.

* chore: Add entry to `CHANGELOG.md`
Brennan Kinney 2024-01-24 07:11:05 +13:00 committed by GitHub
parent d40a17f7e0
commit 611a66bf98
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 85 additions and 16 deletions

@ -0,0 +1,21 @@
# NOTE: This is effectively the same default LDAP config shipped by Dovecot
# The only difference is the addition of the passdb mechanisms field,
# which restricts what auth mechanisms are supported / expected.
# This prevents unnecessary auth failure logs triggering Fail2Ban when
# additional passdb are enabled (OAuth2).
passdb {
driver = ldap
mechanism = plain login
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
# Default fields can be used to specify defaults that LDAP may override
#default_fields = home=/home/virtual/%u
}
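
Review bot: The setting name in the passdb block does not match the comment above it: the block has `mechanism = plain login` (singular), while the header comment refers to "the passdb mechanisms field". Dovecot's passdb option is spelled `mechanisms`, so as written the restriction this file exists to add would not take effect and LDAP would still be tried for the OAuth2 mechanisms, which is the Fail2Ban-triggering case the comment describes. Suggest changing the line to `mechanisms = plain login` and confirming the parsed value with `doveconf -n` in the LDAP test setup.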