From f7548d6d28c313cf80e6f3ef89aed16a19815df1 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 28 Apr 2024 11:51:24 +0200
Subject: Adding upstream version 1:2.3.19.1+dfsg1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 doc/wiki/HowTo.ImapcProxy.txt | 174 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 174 insertions(+)
 create mode 100644 doc/wiki/HowTo.ImapcProxy.txt

(limited to 'doc/wiki/HowTo.ImapcProxy.txt')

diff --git a/doc/wiki/HowTo.ImapcProxy.txt b/doc/wiki/HowTo.ImapcProxy.txt
new file mode 100644
index 0000000..805c989
--- /dev/null
+++ b/doc/wiki/HowTo.ImapcProxy.txt
@@ -0,0 +1,174 @@
+Dovecot imapc proxy
+===================
+
+Using Dovecot as a secure IMAP Proxy in front of Exchange, using Exchange
+Authentication and IMAPC. This requires Dovecot 2.1.rc1 or newer.
+
+Many thanks to Timo on the Dovecot mailing list for all his help!
+
+This " <HowTo.txt>" is based on already having Dovecot already compiled and
+installed.
+
+ 1. Create an unprivileged, non-system account user and group for the proxy,
+    with a home directory. This needs to have a writable home directory, but no
+    other privileges.
+
+    ---%<---------------------------------------------------------------------
+    [root@localhost]# useradd imapproxy
+    ---%<---------------------------------------------------------------------
+
+ 2. Verify that the user can not login:
+
+    ---%<---------------------------------------------------------------------
+    [root@localhost]# grep imapproxy /etc/shadow
+    ---%<---------------------------------------------------------------------
+
+     You should see something like:
+
+    ---%<---------------------------------------------------------------------
+    imapproxy:!!:nnnn:0:nn:n:::
+    ---%<---------------------------------------------------------------------
+
+     The important part is the "!!". This indicates that the account is locked.
+    If you don't see this, lockout the account (check man passwd)
+ 3. Create '/etc/dovecot/dovecot.conf' or
+    ('/usr/local/etc/dovecot/dovecot.conf') as appropriate:
+
+    ---%<---------------------------------------------------------------------
+    ## Dovecot configuration file
+
+    mail_uid = imapproxy
+    mail_gid = imapproxy
+
+    protocols = imap
+
+    listen = *, ::
+
+    mail_location = imapc:~/imapc
+    # Change the line below to reflect the IP address of your Exchange Server.
+    imapc_host = 10.1.2.3
+    imapc_port = 143
+
+    passdb {
+      driver = imap
+      # Change the line below to reflect the IP address of your Exchange
+    Server.
+      args = host=10.1.2.3
+      default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
+    }
+    userdb {
+      driver = prefetch
+    }
+
+    # /home/imapproxy is the home directory for the imapproxy user, and
+    # %u is a subdir that will be automatically created for each IMAP user when
+    they connect
+
+    mail_home = /home/imapproxy/%u
+
+    auth_mechanisms = plain login
+
+    # This is the auth service used by Postfix to do dovecot auth.
+    service auth {
+      unix_listener auth-userdb {
+      }
+      inet_listener {
+        port = 12345
+      }
+    }
+
+    ##
+    ## SSL settings
+    ##
+
+    # These will need to ba adjusted to point to *your* certificates, not mine
+    8-)
+    # The ssl_ca line refers to the intermediate certificate bundle which may
+    or may not be required by your SSL provider
+
+    ssl_cert = </etc/pki/tls/certs/machine.example.org.crt
+    ssl_key = </etc/pki/tls/private/machine.example.org.key
+    ssl_ca = </etc/pki/tls/certs/gd_bundle.crt
+    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+    ---%<---------------------------------------------------------------------
+
+Start dovecot and test it with openssl as:
+
+---%<-------------------------------------------------------------------------
+openssl s_client -connect machine.example.org:143 -starttls imap
+---%<-------------------------------------------------------------------------
+
+You should see a whole bunch of SSL information, and the last line should say:
+
+---%<-------------------------------------------------------------------------
+. OK Pre-login capabilities listed, post-login capabilities have more.
+---%<-------------------------------------------------------------------------
+
+Next, type:
+
+---%<-------------------------------------------------------------------------
+01 LOGIN username badpassword
+---%<-------------------------------------------------------------------------
+
+You should then see:
+
+---%<-------------------------------------------------------------------------
+01 NO [AUTHENTICATIONFAILED] Authentication failed
+---%<-------------------------------------------------------------------------
+
+And should see a list similar to this:
+
+---%<-------------------------------------------------------------------------
+* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT
+SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN
+NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT
+SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS FUZZY
+02 OK Logged in
+---%<-------------------------------------------------------------------------
+
+If you get this far, the proxy is working and is authenticating against your
+exchange server.
+
+Postfix Configuration
+---------------------
+
+My configuration is for a closed server that will never allow inbound SMTP from
+unauthenticated clients, and authenticates inbound SMTP TLS connections against
+the above Dovecot auth service, which in turn authenticates against Exchange,
+which authenticates against Active Directory.
+
+This means that disabling an account in Active Directory, also disables inbound
+and outbound mail access.
+
+If this is what you want, add the following to you /etc/postfix/main.cf file.:
+
+---%<-------------------------------------------------------------------------
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = inet:127.0.0.1:12345
+smtpd_sasl_auth_enable = yes
+
+smtpd_client_restrictions = permit_sasl_authenticated, reject
+## Don't relay for anybody from or to anywhere, unless they authenticated
+
+smtpd_recipient_restrictions = permit_sasl_authenticated reject
+
+broken_sasl_auth_clients = yes
+# Talk to outlook <= 2003 and O Express <=6
+
+smtpd_tls_security_level = encrypt
+smtpd_tls_received_header = yes
+
+smtpd_tls_cert_file = /etc/pki/tls/certs/machine.example.org.crt
+smtpd_tls_key_file = /etc/pki/tls/private/machine.example.org.key
+
+smtpd_tls_CAfile = /etc/pki/tls/certs/gd_bundle.crt
+# If your Certification Authority requires intermediate certificates, the
+bundle goes here.
+
+tls_random_source = dev:/dev/urandom
+
+smtpd_tls_auth_only = yes
+# only allow auth if it's encrypted
+---%<-------------------------------------------------------------------------
+
+(This file was created from the wiki on 2019-06-19 12:42)
-- 
cgit v1.2.3