From e06f2e201c4db1f216affda99489f4415632efe5 Mon Sep 17 00:00:00 2001 From: "fox.cpp" Date: Mon, 4 May 2020 21:43:06 +0300 Subject: [PATCH] Implement Dovecot authentication client support --- docs/man/maddy-auth.5.scd | 27 +++++ go.mod | 1 + go.sum | 4 + internal/auth/dovecot_sasl/dovecot_sasl.go | 131 +++++++++++++++++++++ maddy.go | 1 + 5 files changed, 164 insertions(+) create mode 100644 internal/auth/dovecot_sasl/dovecot_sasl.go diff --git a/docs/man/maddy-auth.5.scd b/docs/man/maddy-auth.5.scd index 632df9a..941b235 100644 --- a/docs/man/maddy-auth.5.scd +++ b/docs/man/maddy-auth.5.scd @@ -230,3 +230,30 @@ Configuration block for any auth. provider module can be used here, even The used auth. provider must provide username:password pair-based authentication. + +# Dovecot authentication client (dovecot_sasl) + +The 'dovecot_sasl' module implements the client side of the Dovecot +authentication protocol, allowing maddy to use it as a credentials source. + +Currently SASL mechanisms support is limited to mechanisms supported by maddy +so you cannot get e.g. SCRAM-MD5 this way. + +``` +dovecot_sasl { + endpoint unix://socket_path +} + +dovecot_sasl unix://socket_path +``` + +## Configuration directives + +*Syntax*: endpoint _schema://address_ ++ +*Default*: not set + +Set the address to use to contact Dovecot SASL server in the standard endpoint +format. + +tcp://10.0.0.1:2222 for TCP, unix:///var/lib/dovecot/auth.sock for Unix +domain sockets. diff --git a/go.mod b/go.mod index b7be08b..f8065cc 100644 --- a/go.mod +++ b/go.mod @@ -18,6 +18,7 @@ require ( github.com/emersion/go-msgauth v0.4.1-0.20200429175443-e4c87369d72f github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b github.com/emersion/go-smtp v0.12.2-0.20200219094142-f9be832b5554 + github.com/foxcpp/go-dovecot-sasl v0.0.0-20200504181415-c4db6731332d // indirect github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 github.com/foxcpp/go-imap-sql v0.4.1-0.20200426175844-c3172a53940a github.com/foxcpp/go-mockdns v0.0.0-20200503193630-ff72b88723f2 diff --git a/go.sum b/go.sum index 6ea1bea..ba5159d 100644 --- a/go.sum +++ b/go.sum @@ -56,6 +56,10 @@ github.com/emersion/go-smtp v0.12.2-0.20200219094142-f9be832b5554 h1:/Wxg1q8rzmz github.com/emersion/go-smtp v0.12.2-0.20200219094142-f9be832b5554/go.mod h1:SD9V/xa4ndMw77lR3Mf7htkp8RBNYuPh9UeuBs9tpUQ= github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe h1:40SWqY0zE3qCi6ZrtTf5OUdNm5lDnGnjRSq9GgmeTrg= github.com/emersion/go-textwrapper v0.0.0-20160606182133-d0e65e56babe/go.mod h1:aqO8z8wPrjkscevZJFVE1wXJrLpC5LtJG7fqLOsPb2U= +github.com/foxcpp/go-dovecot-sasl v0.0.0-20200504173201-4582a99ffc3f h1:eT/8SMQqCbE2hU9x0JL7Zvkjyqiu+3f7SnHiYMqRyN0= +github.com/foxcpp/go-dovecot-sasl v0.0.0-20200504173201-4582a99ffc3f/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E= +github.com/foxcpp/go-dovecot-sasl v0.0.0-20200504181415-c4db6731332d h1:R2o7Kw2CJEy2N8ycjDxFTMxU0xp8gsGv7ZjWyR65LQs= +github.com/foxcpp/go-dovecot-sasl v0.0.0-20200504181415-c4db6731332d/go.mod h1:5yZUmwr851vgjyAfN7OEfnrmKOh/qLA5dbGelXYsu1E= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200426175250-4110e9b66176 h1:qyze36XjZnwK9geEzr5qlChS8zJgz7L+YZ5O8JNhh90= github.com/foxcpp/go-imap-backend-tests v0.0.0-20200426175250-4110e9b66176/go.mod h1:yUISYv/uXLQ6tQZcds/p/hdcZ5JzrEUifyED2VffWpc= github.com/foxcpp/go-imap-i18nlevel v0.0.0-20200208001533-d6ec88553005 h1:pfoFtkTTQ473qStSN79jhCFBWqMQt/3DQ3NGuXvT+50= diff --git a/internal/auth/dovecot_sasl/dovecot_sasl.go b/internal/auth/dovecot_sasl/dovecot_sasl.go new file mode 100644 index 0000000..2107918 --- /dev/null +++ b/internal/auth/dovecot_sasl/dovecot_sasl.go @@ -0,0 +1,131 @@ +package dovecotsasl + +import ( + "fmt" + "net" + + "github.com/emersion/go-sasl" + dovecotsasl "github.com/foxcpp/go-dovecot-sasl" + "github.com/foxcpp/maddy/internal/auth" + "github.com/foxcpp/maddy/internal/config" + "github.com/foxcpp/maddy/internal/log" + "github.com/foxcpp/maddy/internal/module" +) + +type Auth struct { + instName string + serverEndpoint string + log log.Logger + + network string + addr string + + mechanisms map[string]dovecotsasl.Mechanism +} + +const modName = "dovecot_sasl" + +func New(_, instName string, _, inlineArgs []string) (module.Module, error) { + a := &Auth{ + instName: instName, + log: log.Logger{Name: modName, Debug: log.DefaultLogger.Debug}, + } + + switch len(inlineArgs) { + case 0: + case 1: + a.serverEndpoint = inlineArgs[0] + default: + return nil, fmt.Errorf("%s: one or none arguments needed", modName) + } + + return a, nil +} + +func (a *Auth) Name() string { + return modName +} + +func (a *Auth) InstanceName() string { + return a.instName +} + +func (a *Auth) getConn() (*dovecotsasl.Client, error) { + // TODO: Connection pooling + conn, err := net.Dial(a.network, a.addr) + if err != nil { + return nil, fmt.Errorf("%s: unable to contact server: %v", modName, err) + } + + cl, err := dovecotsasl.NewClient(conn) + if err != nil { + return nil, fmt.Errorf("%s: unable to contact server: %v", modName, err) + } + + return cl, nil +} + +func (a *Auth) returnConn(cl *dovecotsasl.Client) { + cl.Close() +} + +func (a *Auth) Init(cfg *config.Map) error { + cfg.String("endpoint", false, false, a.serverEndpoint, &a.serverEndpoint) + if _, err := cfg.Process(); err != nil { + return err + } + if a.serverEndpoint == "" { + return fmt.Errorf("%s: missing server endpoint", modName) + } + + endp, err := config.ParseEndpoint(a.serverEndpoint) + if err != nil { + return fmt.Errorf("%s: invalid server endpoint: %v", modName, err) + } + if endp.Path == "" { + return fmt.Errorf("%s: unexpected path in endpoint ", modName) + } + + // Dial once to check usability and also to get list of mechanisms. + conn, err := net.Dial(endp.Scheme, endp.Address()) + if err != nil { + return fmt.Errorf("%s: unable to contact server: %v", modName, err) + } + + cl, err := dovecotsasl.NewClient(conn) + if err != nil { + return fmt.Errorf("%s: unable to contact server: %v", modName, err) + } + + defer cl.Close() + a.mechanisms = cl.ConnInfo().Mechs + + a.network = endp.Scheme + a.addr = endp.Address() + + return nil +} + +func (a *Auth) AuthPlain(username, password string) error { + if _, ok := a.mechanisms[sasl.Plain]; ok { + cl, err := a.getConn() + if err != nil { + return err + } + + // Pretend it is SMTP even though we really don't know. + // We also have no connection information to pass to the server... + return cl.Do("SMTP", sasl.NewPlainClient("", username, password)) + } + if _, ok := a.mechanisms[sasl.Login]; ok { + cl, err := a.getConn() + if err != nil { + return err + } + + // Pretend it is SMTP even though we really don't know. + return cl.Do("SMTP", sasl.NewLoginClient(username, password)) + } + + return auth.ErrUnsupportedMech +} diff --git a/maddy.go b/maddy.go index 3895208..8b76eae 100644 --- a/maddy.go +++ b/maddy.go @@ -19,6 +19,7 @@ import ( parser "github.com/foxcpp/maddy/pkg/cfgparser" // Import packages for side-effect of module registration. + _ "github.com/foxcpp/maddy/internal/auth/dovecot_sasl" _ "github.com/foxcpp/maddy/internal/auth/external" _ "github.com/foxcpp/maddy/internal/auth/pam" _ "github.com/foxcpp/maddy/internal/auth/pass_table"