feat: Add Kerberos (GSSAPI) Login support via SASL#4633
feat: Add Kerberos (GSSAPI) Login support via SASL#4633MatthieuCoder wants to merge 13 commits intodocker-mailserver:masterdocker-mailserver/docker-mailserver:masterfrom
Conversation
There was a problem hiding this comment.
This project tends to be reluctant towards new features without prior discussion/approval, especially when there is low demand from users.
Could you please add context to why Kerberos would be beneficial? (I'm not familiar with it beyond name, nor do I recall any users requesting it over the past 5 years) I am interested to know why it may be preferred over existing auth support.
If it were to be approved documentation would need to be added, along with tests. Often that is more effort than just adding a docs example for the benefits of other interested users.
The LDAP auth has tests and docs but lacks proper maintainer support over the years, yet has much more demand/adoption from users than Kerberos. So while I appreciate the PR I'm not sure if we want to take this feature on. It'll likely have some breaking changes that'd need to be changed for the Dovecot 2.4 upgrade too 😅
I've provided an example compose.yaml below that might work well enough for you?
| # name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab | ||
| # entries. | ||
| #auth_gssapi_hostname = | ||
| auth_gssapi_hostname = "$ALL" |
There was a problem hiding this comment.
I'm not familiar with this, when is gethostname() a no go?
There was a problem hiding this comment.
From my understanding, a user could use different dns entries for smtp, imap and pop. These could be included in the keytab but not be the actual hostname of the machine, a keytab could include keys to multiple Kerberos principals, hance the $ALL usage
| passdb { | ||
| driver = ldap | ||
| args = /etc/dovecot/dovecot-ldap.conf.ext | ||
| mechanisms = gssapi | ||
| default_fields = nopassword=y | ||
| } | ||
|
|
There was a problem hiding this comment.
This is only relevant when opting into the feature no?
It could be handled via a separate config that is toggled just like with LDAP:
docker-mailserver/target/scripts/startup/setup.d/ldap.sh
Lines 54 to 55 in 0f5763c
Is this form of auth only relevant in the LDAP context?
There was a problem hiding this comment.
This auth is only relevant in the ldap context in order to match principals names to users; It's complementary to the auth; I used the same configuration files because kerberos only requires nopassword (there are no passwords because the user is already authenticated)
There was a problem hiding this comment.
I will be moving the gssapi passdb to auth-kerberos.inc
| tls = no | ||
| ldap_version = 3 | ||
| pass_attrs = uniqueIdentifier=user,userPassword=password | ||
| pass_attrs = uniqueIdentifier=user,userPassword=password,krbPrincipalName=k5principals |
There was a problem hiding this comment.
Is krbPrincipalName set to a fixed value here for some reason? Is that not related to auth_gssapi_hostname? (which has some relevance to "GSSAPI principal names")
There was a problem hiding this comment.
krbPrincipalName is an ldap value containing the principals of the user,
the "k5principals" dovecot setting is used by dovecot to match the gssapi user principal to the actual ldap user (see: https://doc.dovecot.org/2.4.2/core/config/auth/passdb.html#k5principals)
Alternative (DIY without landing the PR)Usually when I demonstrate (like below) how to approach without upstreaming via PR a user is happy with that as it's much less burden for both parties involved 😅 You would have your typical DMS services:
dms:
image: ghcr.io/docker-mailserver/docker-mailserver:latest # :15.0
hostname: mail.example.test
# ... Any other DMS related config ...You can then append/merge this additional config, or layer it on with:
Here is roughly the same functionality as your PR, but as a single file you can carry/reference that doesn't require upstreaming into DMS with docs + tests. services:
dms:
# You'd normally use `volumes` here but for simplicity of the example, all config is contained within `compose.yaml`:
configs:
- source: dovecot-custom
target: /tmp/docker-mailserver/dovecot.cf
- source: dovecot-gssapi-auth
target: /etc/dovecot/conf.d/auth-kerberos.inc
- source: dovecot-gssapi-passdb
target: /etc/dovecot/conf.d/auth-kerberos.conf.ext
# Using the Docker Compose `configs.content` feature instead of volume mounting separate files.
# NOTE: This feature requires Docker Compose v2.23.1 (Nov 2023) or newer:
# https://github.com/compose-spec/compose-spec/pull/446
configs:
# Enable Kerberos PassDB (Authentication):
dovecot-custom:
content: |
auth_gssapi_hostname = "$ALL"
!include auth-kerberos.inc
!include auth-kerberos.conf.ext
dovecot-gssapi-auth:
content: |
auth_gssapi_hostname = mail.example.com
auth_krb5_keytab = /etc/dovecot/krb5.keytab
auth_realms = example.com
auth_default_realm = example.com
dovecot-gssapi-passdb:
content: |
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
mechanisms = gssapi
default_fields = nopassword=y
}
dms-user-patches:
content: |
#!/bin/bash
# Ensure custom CA certificates are recognized:
update-ca-certificates
# Add GSSAPI support:
apt-get update && apt-get install dovecot-gssapi
# Append `,krbPrincipalName=k5principals` to end of `pass_attrs`
# if the line appears unmodified:
sed -i -r -e \
'|^(pass_attrs.*userPassword=password)$|\1,krbPrincipalName=k5principals|' \
/etc/dovecot/dovecot-ldap-conf.extIf you still needed to use this helper function for ENV based overrides, that would still be possible in source /usr/local/bin/helpers/index.sh
_replace_by_env_in_file 'KERBEROS_' '/etc/dovecot/conf.d/auth-kerberos.inc'NOTE: The package install in services:
dms:
hostname: mail.example.com
# The `image` setting now represents the tag for the local build configured below:
image: localhost/dms:${DMS_TAG?Must set DMS image tag}
# Local build (no need to try pull `image` remotely):
pull_policy: build
# `Dockerfile` to build is embedded into the Docker Compose config:
build:
dockerfile_inline: |
FROM docker.io/mailserver/docker-mailserver:${DMS_TAG?Must set DMS image tag}
RUN apt-get update && apt-get install dovecot-gssapiLikewise the The main caveat apart from carrying all that yourself instead of offloading it to the project is potential maintenance burden when upgrading if anything changes internally within DMS that'd affect those configs. |
Yes. I saw that but wanted to contribute either way, I already have a working setup with kerberos.
Kerberos enables no-password logins to imap, pop and smtp, by using the user's sessions TGT (Ticket Granting Ticket), It's more of a complement to regular ldap login that is pretty well deployed in the enterprise space (ex. Windows Single Sign On). There have been some issues regarding this, namely #1024 and #1021
Yes, of course, I sent the PR to gather feedback regarding my changes, and will be documenting everything accordingly.
The upgrade of these changes to 2.4 shouldn't really be such a burden given that Kerberos auth didn't change
Thanks! But I already have a setup of my own ^^" |
|
I still have several things in my todo for this PR:
|
That's nice, but not the point. You opening the issue is not for you, but for us. I am not against adding this functionality, but we need to make sure we can maintain it and we need to make sure there is enough need to justify maintenance. |
I have a working setup. This is not for me, I want my work to benefit the community - hence my contribution.
Maintaining this shouldn't be and issue given that the configuration in dovecot do not seems to have went through major changes in the last few years. Regarding usage, I do agree that Kerberos is not well-known and is rather niche. His usage is mainly in Microsoft Windows Active Directory and FreeIPA (the one I tested with) and allows the single sign-on using clients like Thunderbird ref. This is mostly used in enterprise environments, but some people (like me) like to run it for their own infrastructure and such. I pointed out an issue requesting Kerberos / GSSAPI authentication in my earlier messages. I do not mind my PR being rejected, I offer my contribution, and it's not my project at the end. |
Appreciated, but there has been no one else engaging in this community requesting GSSAPI support for a long time (your references are from 2018, with one comment in 2020, nothing else for 5+ years). Hence maintainers are understandably reluctant to have the burden of looking after the feature as it can add friction for us to support when there's only 1 (or few) users interested in the feature. This is why we have a process to defer to a docs contribution first when viable (I already demonstrated how this feature could be supported easily that way).
There's been a notable change between Dovecot 2.3 and Dovecot 2.4. The burden is usually on support from users seeking help, or if we do run into any issues like we have with LDAP. Beyond support requests and docs not being in good shape for LDAP, we've not been able to as easily offer feature parity as it's slightly out of sync with the file based provisioning and some differences. Additionally the tests could fail (we've gone through refactoring in the past where the lack of LDAP knowledge added friction, and the external deps like an LDAP container has required maintenance due to upstreams dropping maintenance support of their images). We've also had issues with other features that had been contributed previously such as Dovecot FTS with Xapian (where we ended up needing to compile the plugin support ourselves) and Solr (we carried a package with docs that had become stale/unmaintained, the package lacked ARM64 support requiring extra support on our end_). Your PR already adds to the burden of LDAP support with the changes this PR proposes as it adds additional complexity (not for you but for us). Once we officially support a feature, user support and maintenance is offloaded onto us. As we will require tests like we do with LDAP, this does add extra burden when maintainers need to interact with the related feature support. A similar feature for SQL DB support offers a bit more value but would also have similar costs for maintainers, along with adding friction to refactoring to some degree in my experience 😓
It's small enough that I might be ok with it, but I'm also wanting to step down from my maintainer status at some point, thus the other maintainers would need to approve. You'd still have docs (for which I tend to be a bit strict on for quality), and tests (that you've already raised is a bit tricky to approach)... Are you sure you want to push for upstreaming this into DMS straight away vs the much simpler documentation contribution? (I'm more lax on review when it's an unofficial guide) Docs would still be discoverable and benefit any interested users. It can also be as simple as a small FAQ entry (or similar location) to reference a link to the PR here (or my A reference You could almost avoid the
|
Definitely appreciated!
Whether this is the case is up to us - not to you. This project mandates holding the discussion beforehand in an issue.
I'd like to see this become an additional page in the documentation, as @polarathene has pointed out. Can you do that @MatthieuCoder? |
Yes I can do that. Sorry I'm a bit busy currently, I'll get to it in a few weeks |
|
@MatthieuCoder is this still something you want to tackle and will find time for at some point? |
Yes. Might be better to move this to an issue |
Description
This is a PR adding Kerberos login support to docker-mailserver - using a keytab
Type of change
Checklist
docs/)CHANGELOG.md