LAB01 : part 07 : CentOS 7 : IMAP1 : Configuring the IMAP proxy

By Pegasus45

This server will be the entry point for IMAP connections. Based on the login (and on the mailHost attribute), it establishes an IMAP connection to the STORE server that hosts the user's mailbox. Dovecot is therefore configured in proxy mode.


Start by installing Dovecot:

Command
yum install dovecot

Then edit several configuration files:

Configuration File vi /etc/dovecot/conf.d/10-auth.conf
# "no" also offers PLAIN/LOGIN on the clear-text port 143; "yes" would only
# offer them once TLS (STARTTLS, or IMAPS on 993) has been negotiated
disable_plaintext_auth = no
auth_mechanisms = plain login
#!include auth-system.conf.ext
!include auth-ldap.conf.ext

Configuration File vi /etc/dovecot/conf.d/auth-ldap.conf.ext
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

#userdb {
#  driver = ldap
#  args = /etc/dovecot/dovecot-ldap.conf.ext
#}

Copy the example file:

Command
cp /usr/share/doc/dovecot-2.2.10/example-config/dovecot-ldap.conf.ext /etc/dovecot/

And edit it as follows:

Configuration File vi /etc/dovecot/dovecot-ldap.conf.ext
hosts = ldap1.in.lab01-mail.lan
dn = uid=ldap-readuser,ou=Special Users,dc=lab01-mail,dc=lan
dnpass = mot_passe_complique
base = dc=lab01-mail,dc=lan
# mailHost becomes the proxy destination and proxy=y makes imap-login forward
# the session there. The password is verified here against userPassword (SSHA),
# so =nopassword=y must not be added as well: with both, Dovecot logs
# "nopassword set but password is non-empty" on every login.
pass_attrs = mail=user,userPassword=password,mailHost=host,=proxy=y
pass_filter = (&(objectClass=mailrecipient)(inetUserStatus=active)(mail=%u))
default_pass_scheme = SSHA
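
As an added example (not code from the lab page or from Dovecot), the following script models how a Dovecot LDAP pass_attrs template maps one LDAP entry to passdb fields. It deliberately uses a template that sets both userPassword=password and =nopassword=y, to show why Dovecot reports the conflict that shows up later in this lab's maillog; the LDAP entry is constructed sample data and the hash is a placeholder.

```python
# Added example, not part of the lab page: a small model of how a Dovecot LDAP
# pass_attrs template turns one LDAP entry into passdb fields. It deliberately
# uses the template with both userPassword=password and =nopassword=y to show
# why Dovecot logs the conflict that appears in the lab's maillog.
# The LDAP entry below is constructed sample data.

PASS_ATTRS = "mail=user,userPassword=password,mailHost=host,=proxy=y,=nopassword=y"

def parse_pass_attrs(spec):
    """Split pass_attrs into (ldap_attr, field, static_value) triples:
    'attr=field' copies an LDAP attribute, '=field=value' sets a fixed value."""
    rules = []
    for item in spec.split(","):
        if item.startswith("="):
            field, _, value = item[1:].partition("=")
            rules.append((None, field, value))
        else:
            attr, _, field = item.partition("=")
            rules.append((attr, field, None))
    return rules

def build_passdb_result(entry, spec=PASS_ATTRS):
    """Apply the template to one LDAP entry (attribute names are case-insensitive,
    as in LDAP). Returns (passdb fields, list of warnings)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    fields, warnings = {}, []
    for attr, field, value in parse_pass_attrs(spec):
        if attr is None:
            fields[field] = value
        elif attr.lower() in lowered:
            fields[field] = lowered[attr.lower()]
    # Dovecot refuses nopassword when a non-empty password was also returned:
    # it logs "nopassword set but password is non-empty" and checks the
    # password as usual (this is the error seen in the lab's maillog).
    if fields.get("nopassword") == "y" and fields.get("password"):
        warnings.append("nopassword set but password is non-empty")
        del fields["nopassword"]
    # proxy=y without a host gives imap-login nowhere to connect to
    if fields.get("proxy") == "y" and not fields.get("host"):
        warnings.append("proxy=y without a host")
    return fields, warnings

# Constructed entry shaped like the lab's mailrecipient objects (hash is a placeholder)
SAMPLE_ENTRY = {
    "mail": "user01@lab01-mail.lan",
    "userPassword": "{SSHA}PLACEHOLDER-HASH",
    "mailHost": "store1.in.lab01-mail.lan",
    "inetUserStatus": "active",
}

if __name__ == "__main__":
    print(build_passdb_result(SAMPLE_ENTRY))
```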

Configuration File vi /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}


Configuration File vi /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/dovecot/cert_dovecot.pem
ssl_key  = </etc/dovecot/key_dovecot.pem

To generate a self-signed certificate and its private key, use the following command:

Command
openssl req -new -x509 -days 3650 -nodes -newkey rsa:4096 -out /etc/dovecot/cert_dovecot.pem -keyout /etc/dovecot/key_dovecot.pem

Restrict the permissions of the file holding the LDAP bind password, then restart Dovecot:

Command
chmod 640 /etc/dovecot/dovecot-ldap.conf.ext
systemctl restart dovecot


To test authentication and the IMAPS connection:

Command
openssl s_client -connect localhost:993

CONNECTED(00000003)
depth=0 C = FR, ST = LOIRET, L = BEAUGENCY, O = LAB01 Mail, CN = imap.lab01-mail.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = LOIRET, L = BEAUGENCY, O = LAB01 Mail, CN = imap.lab01-mail.lan
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=LOIRET/L=BEAUGENCY/O=LAB01 Mail/CN=imap.lab01-mail.lan
   i:/C=FR/ST=LOIRET/L=BEAUGENCY/O=LAB01 Mail/CN=imap.lab01-mail.lan
---
Server certificate
subject=/C=FR/ST=LOIRET/L=BEAUGENCY/O=LAB01 Mail/CN=imap.lab01-mail.lan
issuer=/C=FR/ST=LOIRET/L=BEAUGENCY/O=LAB01 Mail/CN=imap.lab01-mail.lan
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2388 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FB970FBBD7BE01C973A01BBAC9A9D920A69744338B86CB6770895E9A245855C7
    Session-ID-ctx: 
    Master-Key: 0C755F9B163B6C6E0DF33F3CD364D77053E7B10FD7DDCF2C687DC7ED6E32F7B2FE42E19D19B4EBA92C146DDAEAF75424
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1439138429
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

a login user01@lab01-mail.lan summersun
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in

a examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 2 EXISTS
* 2 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1439136068] UIDs valid
* OK [UIDNEXT 3] Predicted next UID
a OK [READ-ONLY] Examine completed (0.000 secs).

a logout
* BYE Logging out
a OK Logout completed.
closed


The proxying can be seen in the maillog file:

Configuration File cat /var/log/maillog
[...]
Aug  9 18:40:47 imap1 dovecot: auth: Error: ldap(user01@lab01-mail.lan,::1,<GOX1h+McOgAAAAAAAAAAAAAAAAAAAAAB>): nopassword set but password is non-empty
Aug  9 18:40:48 imap1 dovecot: imap-login: proxy(user01@lab01-mail.lan): started proxying to store1.in.lab01-mail.lan:143: user=<user01@lab01-mail.lan>, method=PLAIN, rip=::1, lip=::1, TLS, session=<GOX1h+McOgAAAAAAAAAAAAAAAAAAAAAB>
Aug  9 18:41:04 imap1 dovecot: imap-login: proxy(user01@lab01-mail.lan): disconnecting ::1 (Disconnected by server): user=<user01@lab01-mail.lan>, method=PLAIN, rip=::1, lip=::1, TLS, session=<GOX1h+McOgAAAAAAAAAAAAAAAAAAAAAB>
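
As an added example (not code from the lab page or from Dovecot), the script below parses imap-login proxy lines of the shape shown in the maillog above, pairs "started proxying" with "disconnecting" by session id, and flags two things a proxy operator wants to catch: proxied logins made without TLS (the "TLS," field is absent on clear-text port 143 logins) and the passdb nopassword error. The sample log is constructed from the page's lines plus one invented clear-text session.

```python
import re
from datetime import datetime

# Added example, not from the lab page: parse the Dovecot imap-login proxy lines
# from maillog, pair "started proxying"/"disconnecting" by session id, and flag
# proxied logins made without TLS plus the passdb nopassword error. SAMPLE_LOG
# is constructed from the line shapes shown on the page.

PROXY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: proxy\((?P<user>[^)]+)\): "
    r"(?:started proxying to (?P<backend>[^:\s]+:\d+):|disconnecting \S+ \([^)]*\):) "
    r"user=<[^>]*>, method=\w+, rip=[^,]+, lip=[^,]+, (?P<tls>TLS, )?session=<(?P<sid>[^>]+)>$")
NOPASS_RE = re.compile(r"dovecot: auth: Error: ldap\((?P<user>[^,]+),[^)]*\): "
                       r"nopassword set but password is non-empty")

def _ts(s):
    return datetime.strptime(s, "%b %d %H:%M:%S")  # year-less syslog timestamp

def parse_maillog(text):
    """Return (sessions keyed by session id, list of (finding, user, detail))."""
    sessions, findings = {}, []
    for line in text.splitlines():
        if m := NOPASS_RE.search(line):
            findings.append(("passdb-nopassword-conflict", m.group("user"), line))
        elif m := PROXY_RE.match(line):
            s = sessions.setdefault(m.group("sid"),
                                    {"user": m.group("user"), "tls": bool(m.group("tls"))})
            if m.group("backend"):
                s["backend"], s["start"] = m.group("backend"), m.group("ts")
            else:
                s["end"] = m.group("ts")
    for sid, s in sessions.items():
        if "start" in s and "end" in s:
            s["duration_s"] = int((_ts(s["end"]) - _ts(s["start"])).total_seconds())
        if not s["tls"]:  # PLAIN/LOGIN credentials crossed the network in clear
            findings.append(("proxy-login-without-tls", s["user"], sid))
    return sessions, findings

SID = "GOX1h+McOgAAAAAAAAAAAAAAAAAAAAAB"
SAMPLE_LOG = "\n".join([
    "Aug  9 18:40:47 imap1 dovecot: auth: Error: ldap(user01@lab01-mail.lan,::1,<" + SID
    + ">): nopassword set but password is non-empty",
    "Aug  9 18:40:48 imap1 dovecot: imap-login: proxy(user01@lab01-mail.lan): started proxying"
    " to store1.in.lab01-mail.lan:143: user=<user01@lab01-mail.lan>, method=PLAIN, rip=::1, lip=::1, TLS, session=<" + SID + ">",
    "Aug  9 18:41:04 imap1 dovecot: imap-login: proxy(user01@lab01-mail.lan): disconnecting ::1"
    " (Disconnected by server): user=<user01@lab01-mail.lan>, method=PLAIN, rip=::1, lip=::1, TLS, session=<" + SID + ">",
    # constructed: a clear-text login on port 143 has no "TLS," field
    "Aug  9 18:42:10 imap1 dovecot: imap-login: proxy(user02@lab01-mail.lan): started proxying"
    " to store1.in.lab01-mail.lan:143: user=<user02@lab01-mail.lan>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, session=<CONSTRUCTED0000000000000000>",
])
```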