SYS-656 dovecot 2.4.1 image update (#256)

Author: instantlinux

images/dovecot/Dockerfile

@@ -1,4 +1,4 @@
-FROM instantlinux/postfix:3.10.2-r0
+FROM instantlinux/postfix:3.10.5-r0
 
 ARG BUILD_DATE
 ARG VCS_REF
@@ -9,20 +9,32 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
 ARG DOVECOT_VERSION=2.4.1-r2
+ARG PROCMAIL_VERSION=3.22-r4
 ARG MKCERT_SHA=d1efad065f9ef34da372847ff4a4d5ffd86b97410b303d8a43ea25aa2119c86d
-
+ARG PROCMAIL_SHA=4ac9f21c3d7dbed5b32e7547da39f4d429de480679b4c856026caea39ca842f9
+ARG TARGETPLATFORM
 ENV LDAP_SECRETNAME=ldap-ro-password \
     SSL_DH=
 
-# TODO - procmail is missing from 3.12 repo, unsure if support ended
-RUN echo '@old http://dl-cdn.alpinelinux.org/alpine/v3.11/main' \
-      >>/etc/apk/repositories && \
-    apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION \
-      procmail@old && \
+RUN cd /tmp && \
+    case ${TARGETPLATFORM} in \
+    linux/amd64) \
+      wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/procmail-$PROCMAIL_VERSION.apk && \
+      echo "$PROCMAIL_SHA  procmail-$PROCMAIL_VERSION.apk" | sha256sum -c ;; \
+    linux/arm64) \
+      wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/aarch64/procmail-$PROCMAIL_VERSION.apk ;; \
+    linux/arm/v6) \
+      wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armhf/procmail-$PROCMAIL_VERSION.apk ;; \
+    linux/arm/v7) \
+      wget -q https://dl-cdn.alpinelinux.org/alpine/v3.11/main/armv7/procmail-$PROCMAIL_VERSION.apk ;; \
+    *) echo Unrecognized ${TARGETPLATFORM} ;; \
+    esac && \
+    apk add --no-cache dovecot=$DOVECOT_VERSION dovecot-ldap=$DOVECOT_VERSION && \
+    apk add --allow-untrusted procmail-$PROCMAIL_VERSION.apk && \
     cd /usr/local/bin && \
     wget -q https://raw.githubusercontent.com/dovecot/core/release-2.4.1/doc/mkcert.sh && \
     echo "$MKCERT_SHA  mkcert.sh" | sha256sum -c && \
-    chmod 755 /usr/local/bin/mkcert.sh
+    rm /tmp/* && chmod 755 /usr/local/bin/mkcert.sh
 
 EXPOSE 143 993 
 VOLUME /etc/dovecot/conf.local /home /var/spool/mail

images/dovecot/README.md

@@ -11,7 +11,7 @@ Configuration is defined as files in a volume mounted as
 
 * Define your local settings as dovecot.conf.
 
-* If you have an LDAP server, put its settings in dovecot-ldap.conf. The helm chart provided here can support either Active Directory or openldap.
+* If you have an LDAP server, put its settings in passdb section of dovecot.conf. The helm chart provided here can support either Active Directory or openldap.
 
 * (Optional, to save startup time) generate a dh.pem file for TLS:
   ```
@@ -39,6 +39,14 @@ make dovecot
 
 See the Makefile and Makefile.vars files under k8s directory for default values referenced within kubernetes.yaml.
 
+To provide high availability across the cluster, the helm chart here includes an optional data-sync service to keep the inbox, mail and spool directories synchronized across 2 or more worker nodes. Minor data loss can occur when the service shifts from one worker to another, so this feature isn't recommended for large production deployments (when running on a cloud provider, simply use their block storage capabilities). That said, unison-based data-sync service has been rock-solid on a bare-metal cluster for years.
+
+Auth is the most challenging aspect of implementing dovecot. Use the following command from with the container to verify user authentication:
+```
+doveadm auth login <user>
+```
+If using openldap, turn on log setting `BER` to view raw packet contents as you troubleshoot login from dovecot.
+
 ### Variables
 
 | Variable | Default | Description |
@@ -47,7 +55,7 @@ See the Makefile and Makefile.vars files under k8s directory for default values
 | SSL_DH |  | Filename (in conf.local) of DH parameters |
 | TZ | UTC | time zone |
 
-Need more configurability? Edit the ConfigMap defined in kubernetes.yaml.
+Need more configurability? Edit the ConfigMap defined in the helm chart.
 
 ### Secrets
 
@@ -65,3 +73,21 @@ If you want to make improvements to this image, see [CONTRIBUTING](https://githu
 ### Upgrade Notes
 
 * When upgrading to 2.3.14+, replace any references to `hash:` with `lmdb:` in your config files.
+
+* When upgrading to 2.4+, there are a lot of gratuitous [config-directive changes](https://doc.dovecot.org/main/installation/upgrade/2.3-to-2.4.html). The Docker image doesn't contain configs but the helm chart provided here has a configmap template that contains the following changes:
+
+|Helm var|2.3|2.4|Notes|
+|uris|hosts | ldap_uris | <host> becomes ldap://<host>:389 |
+| |ldap_version| (unchanged)| |
+|base|base| ldap_base| |
+|bind|auth_bind| ldap_bind | |
+|bind_userdn|auth_bind_userdn|ldap_bind_userdn | |
+|tls|tls|ldap_starttls | |
+| | |dovecot_config_version|new|
+| | |dovecot_storage_version|new|
+|filter| |ldap_filter|now required|
+| |args|(removed)|directives moved to passdb config|
+| |address|listen| |
+| |ssl_cert|ssl_server_cert_file|angle bracket removed|
+| |ssl_dh|ssl_server_dh_file|angle bracket removed|
+| |ssl_key|ssl_server_key_file|angle bracket removed|

images/dovecot/entrypoint-dovecot.sh

@@ -27,9 +27,9 @@ if [ -s $ETC/conf.local/dovecot.conf ]; then
 fi
 if [ -z "$SSH_DH" ]; then
   openssl dhparam -dsaparam -out $ETC/dh.pem 4096
-  echo "ssl_dh = <$ETC/dh.pem" >> $ETC/dovecot.conf
+  echo "ssl_server_dh_file = $ETC/dh.pem" >> $ETC/dovecot.conf
 else
-  echo "ssl_dh = <$ETC/conf.local/$SSH_DH" >> $ETC/dovecot.conf
+  echo "ssl_server_dh_file = $ETC/conf.local/$SSH_DH" >> $ETC/dovecot.conf
 fi
 if [ -s $ETC/conf.local/dovecot-ldap.conf ]; then
   cp $ETC/conf.local/dovecot-ldap.conf $ETC

images/dovecot/helm/Chart.yaml

@@ -6,13 +6,13 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/vdukhovni/dovecot
 type: application
-version: 0.1.12
-  # appVersion: "2.4.1-r2"
-appVersion: "2.3.21.1-r0"
+version: 0.1.13
+appVersion: "2.4.1-r2"
 dependencies:
 - name: chartlib
   version: 0.1.8
   repository: https://instantlinux.github.io/docker-tools
 - name: data-sync
   version: 0.1.3
   repository: https://instantlinux.github.io/docker-tools
+  condition: data-sync.enabled

images/dovecot/helm/templates/configmap.yaml

@@ -7,7 +7,8 @@ metadata:
     {{- include "local.labels" . | nindent 4 }}
 data:
   dovecot.conf: |
-    dovecot_config_version = 2.4
+    dovecot_config_version = {{ .Values.version.config }}
+    dovecot_storage_version = {{ .Values.version.storage }}
     auth_mechanisms = plain login
     auth_allow_cleartext = no
     mail_access_groups = mail
@@ -19,12 +20,29 @@ data:
     mail_debug = no
 
     first_valid_uid = 300
-    passdb dovecot {
+    passdb ldap {
       driver = ldap
-      args = /etc/dovecot/dovecot-ldap.conf
+      ldap_uris = {{ .Values.ldap.uris }}
+      {{- if .Values.ldap.dn }}
+      ldap_dn = {{ .Values.ldap.dn }}
+      ldap_dnpass = PASSWORD
+      {{- end }}
+      ldap_version = {{ .Values.ldap.version }}
+      ldap_base = {{ .Values.ldap.base }}
+      ldap_bind = {{ .Values.ldap.bind }}
+      ldap_filter = {{ .Values.ldap.filter }}
+      {{- if .Values.ldap.bind_userdn }}
+      ldap_bind_userdn = {{ .Values.ldap.bind_userdn }}
+      {{- end }}
+      {{- if .Values.ldap.active_directory }}
+      ldap_user_attrs = sAMAccountName=home=/home/%$
+      ldap_user_filter = (&(ObjectClass=user)(sAMAccountName=%{user}))
+      ldap_pass_filter = (&(ObjectClass=user)(sAMAccountName=%{user}))
+      {{- end }}
+      ldap_starttls = {{ .Values.ldap.tls }}
     }
-    userdb dovecot {
-      driver = passwd
+    userdb passwd {
+      use_worker = yes
     }
     service auth {
       user = root
@@ -36,33 +54,13 @@ data:
     }
     service imap-login {
       inet_listener imaps {
-        address = 0.0.0.0
+        listen = 0.0.0.0
         port = 993
         ssl = yes
       }
     }
-    # ssl_cert = </etc/ssl/certs/smtpd-cert.pem
-    # ssl_key = </etc/ssl/private/smtpd-key.pem
     ssl_min_protocol = TLSv1.2
     ssl_server_cert_file = /etc/ssl/certs/smtpd-cert.pem
     ssl_server_key_file = /etc/ssl/private/smtpd-key.pem
     syslog_facility = "local1"
-  dovecot-ldap.conf: |
-    hosts = {{ .Values.ldap.hosts }}
-    {{- if .Values.ldap.dn }}
-    dn = {{ .Values.ldap.dn }}
-    dnpass = PASSWORD
-    {{- end }}
-    ldap_version = {{ .Values.ldap.version }}
-    base = {{ .Values.ldap.base }}
-    auth_bind = {{ .Values.ldap.auth_bind }}
-    {{- if .Values.ldap.auth_bind_userdn }}
-    auth_bind_userdn = {{ .Values.ldap.auth_bind_userdn }}
-    {{- end }}
-    {{- if .Values.ldap.active_directory }}
-    user_attrs = sAMAccountName=home=/home/%$
-    user_filter = (&(ObjectClass=user)(sAMAccountName=%u))
-    pass_filter = (&(ObjectClass=user)(sAMAccountName=%u))
-    {{- end }}
-    tls = {{ .Values.ldap.tls }}
 {{- end }}

images/dovecot/helm/values.yaml

@@ -64,17 +64,19 @@ aliases: |
   gnats-admin:	root
   mailman:	root
   mailman-owner:	mailman
+configVersion: 2.4.1
 dhcpSubnet1: 192.168.2.0/24
 domain: example.com
 hostnameEmail: example.com
 ldap:
   active_directory: false
-  auth_bind: "yes"
-  auth_bind_userdn: ""
   base: cn=Users,DC=workgroup,DC=example,DC=com
+  bind: "yes"
+  bind_userdn: ""
   dn: ""
-  hosts: dc01 dc02
+  filter: (&(objectClass=inetOrgPerson)(uid=%{user}))
   tls: "no"
+  uris: ldap://dc01:389
   version: 3
 # Force reload of certs at least every 30 days
 livenessProbe:
@@ -96,6 +98,9 @@ users: {}
   # - username: user2
   #   name: John Doe
   #   uid: 301
+version:
+  config: 2.4.1
+  storage: 2.4.1
 
 deployment:
   command: [/bin/sh]
@@ -189,6 +194,7 @@ configmapPostfix:
 
 # Subchart data-sync, maintains persistent data across nodes
 data-sync:
+  enabled: false
   statefulset:
     containerPorts: [ containerPort: 22 ]
     env:

k8s/Makefile.helm

@@ -12,33 +12,27 @@ helm_list:
 	@helm list --time-format="Mon Jan 2 15:04" --all-namespaces \
 	  --kube-context=sudo
 
-# TODO get rid of global.yaml and values.yaml, the idea made sense before
-#  adopting helm when values were from environment variables but makes no
-#  sense with per-instance yaml override files; helm's developers explicitly
-#  exclude the possibility of reading env vars from the shell enviroment
-#  in which helm is running - so global is leftover from my decade-earlier
-#  LXC-era designs
-$(CHARTS):: %: ../admin/services/values.yaml helm/%/Chart.lock
+$(CHARTS):: %: helm/%/Chart.lock
 	@echo --$(NOTICE) $@--
 ifeq ($(ACTION), delete)
 	@helm uninstall --kube-context=sudo -n $(K8S_NAMESPACE) $@
 else
 	@$(eval OVERRIDE := $(shell [ -s ../admin/services/values/$@.yaml ] \
 	  && echo "-f ../admin/services/values/$@.yaml"))
-	helm upgrade --install -f global.yaml -f $< $(OVERRIDE) $(XARGS) $@ ./helm/$@
+	helm upgrade --install -f $< $(OVERRIDE) $(XARGS) $@ ./helm/$@
 endif
 	@helm list --time-format="Mon Jan 2 15:04" --selector name=$@
 
 # TODO this is identical to above but for subdir, DRY it out
 #   the helmify project is just too exhausting
-$(INSTANCES):: %: ../admin/services/values.yaml helm/instances/%/Chart.lock
+$(INSTANCES):: %: helm/instances/%/Chart.lock
 	@echo --$(NOTICE) $@--
 ifeq ($(ACTION), delete)
 	@helm uninstall --kube-context=sudo -n $(K8S_NAMESPACE) $@
 else
 	@$(eval OVERRIDE := $(shell [ -s ../admin/services/values/$@.yaml ] \
 	  && echo "-f ../admin/services/values/$@.yaml"))
-	helm upgrade --install -f global.yaml -f $< $(OVERRIDE) $(XARGS) $@ ./helm/instances/$@
+	helm upgrade --install -f $< $(OVERRIDE) $(XARGS) $@ ./helm/instances/$@
 endif
 	@helm list --time-format="Mon Jan 2 15:04" --selector name=$@
 

k8s/Makefile.vars

@@ -32,8 +32,6 @@ export TZ                   ?= UTC
 export K8S_INGRESS_NGINX_IP ?= 10.101.1.2
 export AUTHELIA_IP          ?= 10.101.1.5
 export MONITOR_EXT_IP       ?= 192.168.1.20
-# export PROMETHEUS_IP      ?= 10.101.1.21
-# export PROM_ALERT_IP      ?= 10.101.1.22
 export RSYSLOGD_IP          ?= 10.101.1.40
 export COREDNS_IP           ?= 10.96.0.10
 export NODE_LOCAL_DNS_IP    ?= 169.254.0.10