github-actions[bot] 2024-07-21 22:01:19 +00:00
parent f811be1c2c
commit fbc68b5962
53 changed files with 15755 additions and 4627 deletions


@ -559,12 +559,52 @@
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_2" >
<label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex="0">
<span class="md-ellipsis">
Account Management
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2">
<span class="md-nav__icon md-icon"></span>
Account Management
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../config/user-management/" class="md-nav__link">
<a href="../../../config/account-management/overview/" class="md-nav__link">
<span class="md-ellipsis">
User Management
Overview
</span>
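Review bot: the Account Management entry's target moves from `../../../config/user-management/` to `../../../config/account-management/overview/` and its label from "User Management" to "Overview"; without a redirect (or a stub page) at the old `config/user-management/` path, existing bookmarks and inbound links will 404 once this build is published. Add the redirect in the same release as the restructure.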
@ -587,6 +627,194 @@
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_2_2" >
<label class="md-nav__link" for="__nav_4_2_2" id="__nav_4_2_2_label" tabindex="0">
<span class="md-ellipsis">
Provisioner
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_2_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2_2">
<span class="md-nav__icon md-icon"></span>
Provisioner
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../config/account-management/provisioner/file/" class="md-nav__link">
<span class="md-ellipsis">
File Based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/account-management/provisioner/ldap/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_2_3" >
<label class="md-nav__link" for="__nav_4_2_3" id="__nav_4_2_3_label" tabindex="0">
<span class="md-ellipsis">
Supplementary
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_2_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2_3">
<span class="md-nav__icon md-icon"></span>
Supplementary
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../config/account-management/supplementary/master-accounts/" class="md-nav__link">
<span class="md-ellipsis">
Master Accounts
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/account-management/supplementary/oauth2/" class="md-nav__link">
<span class="md-ellipsis">
OAuth2 Authentication
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
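Review bot: the new Provisioner and Supplementary sub-navigation introduces four link targets (`account-management/provisioner/file/`, `account-management/provisioner/ldap/`, `account-management/supplementary/master-accounts/`, `account-management/supplementary/oauth2/`); confirm each rendered page exists in this same build, because a nav entry without a page becomes a dead link on every page of the site. The toggle ids `__nav_4_2_2` and `__nav_4_2_3` are referenced consistently by `id`, `for` and `aria-labelledby` within the visible lines.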
@ -1148,48 +1376,6 @@
<li class="md-nav__item">
<a href="../../../config/advanced/auth-ldap/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Authentication
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/advanced/auth-oauth2/" class="md-nav__link">
<span class="md-ellipsis">
OAuth2 Authentication
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../config/advanced/mail-sieve/" class="md-nav__link">
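Review bot: removing the `config/advanced/auth-ldap/` and `config/advanced/auth-oauth2/` entries leaves those URLs unreachable from the navigation, and this same commit shows a hand-maintained body link to `config/advanced/auth-ldap/` that had to be rewritten (the Lua scenario intro further down); search the rest of the output for `advanced/auth-ldap` and `advanced/auth-oauth2` and add redirects to `account-management/provisioner/ldap/` and `account-management/supplementary/oauth2/` so stale external links keep resolving.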
@ -1266,10 +1452,10 @@
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8_9" >
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_8_7" >
<label class="md-nav__link" for="__nav_4_8_9" id="__nav_4_8_9_label" tabindex="0">
<label class="md-nav__link" for="__nav_4_8_7" id="__nav_4_8_7_label" tabindex="0">
<span class="md-ellipsis">
@ -1280,8 +1466,8 @@
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_8_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8_9">
<nav class="md-nav" data-md-level="3" aria-labelledby="__nav_4_8_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_8_7">
<span class="md-nav__icon md-icon"></span>
Email Forwarding
</label>
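Review bot: the renumbering of the Email Forwarding toggle from `__nav_4_8_9` to `__nav_4_8_7` is applied to the `input` id, the `label` `for`/`id` and the `nav` `aria-labelledby` in the visible lines, so nothing dangles here; since it is a side effect of two Advanced entries being dropped, check that no `for="__nav_4_8_9"` or `aria-labelledby="__nav_4_8_9_label"` remains elsewhere in the file, as a mismatched label/checkbox pair leaves that section impossible to expand from the label.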
@ -1442,27 +1628,6 @@
<li class="md-nav__item">
<a href="../../../config/advanced/dovecot-master-accounts/" class="md-nav__link">
<span class="md-ellipsis">
Dovecot Master Accounts
</span>
</a>
</li>
</ul>
</nav>
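Review bot: the dropped `config/advanced/dovecot-master-accounts/` entry is replaced by `account-management/supplementary/master-accounts/` earlier in this diff, but the change is a URL move as well as a label rename ("Dovecot Master Accounts" to "Master Accounts"); add a redirect for the old path for the same reason as the other Advanced pages moved in this commit.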
@ -2246,7 +2411,7 @@
<li>How to debug your Lua script.</li>
</ul>
<h2 id="the-example-scenario"><a class="toclink" href="#the-example-scenario">The example scenario</a></h2>
<p>This scenario starts with <a href="../../../config/advanced/auth-ldap/">DMS being configured to use LDAP</a> for mailbox identification, user authorization and user authentication. In this scenario, <a href="https://nextcloud.com/">Nextcloud</a> is also a service that uses the same LDAP server for user identification, authorization and authentication.</p>
<p>This scenario starts with <a href="../../../config/account-management/provisioner/ldap/">DMS being configured to use LDAP</a> for mailbox identification, user authorization and user authentication. In this scenario, <a href="https://nextcloud.com/">Nextcloud</a> is also a service that uses the same LDAP server for user identification, authorization and authentication.</p>
<p>The goal of this scenario is to have Dovecot not authenticate the user against LDAP, but against Nextcloud using an <a href="https://docs.nextcloud.com/server/latest/user_manual/en/session_management.html#managing-devices">application password</a>. The idea behind this is that a compromised mailbox password does not compromise the user's account entirely. To make this work, Nextcloud is configured to <a href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#token-auth-enforced">deny the use of account passwords by clients</a> and to <a href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#lost-password-link">disable account password reset through mail verification</a>.</p>
<p>If the application password is configured correctly, an adversary can only use it to access the user's mailbox on DMS, and CalDAV and CardDAV data on Nextcloud. File access through WebDAV can be disabled for the application password used to access mail. Having CalDAV and CardDAV compromised by the same password is a minor setback. If an adversary gets access to a Nextcloud application password through a device of the user, it is likely that the adversary also gets access to the user's calendars and contact lists anyway (locally or through the same account settings used for mail and CalDAV/CardDAV synchronization). The user's stored files in Nextcloud, the LDAP account password and any other services that rely on it would still be protected. A bonus is that a user is able to revoke and renew the mailbox password in Nextcloud for whatever reason, through a friendly user interface with all the security measures with which the Nextcloud instance is configured (e.g. verification of the current account password).</p>
<p>A drawback of this method is that any (compromised) Nextcloud application password can be used to access the user's mailbox. This introduces a risk that a Nextcloud application password used for something else (e.g. WebDAV file access) is compromised and used to access the user's mailbox. Discussion of that risk and possible mitigations fall outside of the scope of this scenario.</p>
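Review bot: the cross-reference in the scenario intro is correctly updated to `../../../config/account-management/provisioner/ldap/`, but it shows that these relative links are maintained by hand, so any other page that linked to `config/advanced/auth-ldap/` or `config/advanced/auth-oauth2/` needs the same treatment before the build is published. Minor: the following paragraph refers to the two Nextcloud settings only by their link text ("deny the use of account passwords by clients", "disable account password reset through mail verification"); the anchors point at `token_auth_enforced` and `lost_password_link`, and naming those keys inline would help readers locating them in `config.php`.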