
WIP: Allow system users to auth on the mail stack and send emails #815

Draft · wants to merge 1 commit into base: stretch

Conversation

@alexAubin (Member) commented Sep 27, 2019

The problem

c.f. YunoHost/issues#947

It is not easy to configure an app to send emails. While packaging an app (transpay), it explicitly required being able to auth on the mail server. I started creating a system user ... but realized it could not authenticate (because only LDAP accounts are able to with the current conf).

Solution

Thanks to the help of @taziden I was able to configure dovecot to let system users authenticate. But postfix also needs to be tweaked to allow foobar to send emails with From equal to foobar@somedomain.tld. For this, I added a new file /etc/postfix/sender_login_maps to the smtpd_sender_login_maps. It needs to be filled with:

foobar@somedomain.tld foobar

and then you gotta run postmap /etc/postfix/sender_login_maps ... (and possibly reload postfix?)

This PR is not yet done, as we need to find some mechanism to manage this file automatically. I think we'd like to have some helper like

user_password=$(openssl rand -hex 16)
ynh_create_system_user foobar --password ${user_password} --allow-email foobar@domain.tld
  • the password stuff is necessary to configure the app
  • --allow-email would add the appropriate stuff in /etc/postfix/sender_login_maps and run postmap ... the removal of the user shall also be tweaked to remove the corresponding line from the file ... and the tricky part is to handle the domain change during change_url (I mean that's doable, but meh, can't we find something more clever?)

PR Status

Kind of tested ... need to work on the app helpers at some point

How to test

Zblerg, you can use a small python script with smtplib that auths and sends an email with a custom system user

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
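The description above leaves the sender_login_maps bookkeeping (add on user creation, drop on removal, move on change_url) as an open problem. The following is an added example, not code from this PR or from YunoHost, showing what a hypothetical --allow-email helper would have to do to that file. The function names are invented; it assumes main.cf already points at the map as the PR describes (smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps) and that submission happens on port 587 with STARTTLS.

```sh
#!/bin/sh
# Added example, not code from the PR or from YunoHost: a sketch of what
# the proposed --allow-email flag would have to maintain. Function and
# variable names are hypothetical. Assumes main.cf contains
#   smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
set -eu

# The map file; overridable so the functions can be exercised against a
# scratch copy (SENDER_LOGIN_MAP=/tmp/x.map) without touching postfix.
SENDER_LOGIN_MAP="${SENDER_LOGIN_MAP:-/etc/postfix/sender_login_maps}"

# Rebuild the .db lookup table when postmap is installed. Postfix daemons
# notice that the .db changed and re-open it, so no reload is required.
_sender_login_postmap() {
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$SENDER_LOGIN_MAP"
    fi
}

# Print the login allowed to use an address; prints nothing when unmapped.
sender_login_lookup() {
    [ -f "$SENDER_LOGIN_MAP" ] || return 0
    awk -v a="$1" '$1 == a { print $2 }' "$SENDER_LOGIN_MAP"
}

# Map "address user", one entry per address, replacing any previous owner.
# Whitespace would break the key/value layout of the map, so reject it.
sender_login_add() {
    address="$1"; user="$2"
    case "$address$user" in
        *[[:space:]]*) echo "sender_login_add: whitespace in argument" >&2; return 1 ;;
    esac
    [ -n "$address" ] && [ -n "$user" ] || { echo "sender_login_add: empty argument" >&2; return 1; }
    tmp=$(mktemp)
    {
        if [ -f "$SENDER_LOGIN_MAP" ]; then
            awk -v a="$address" '$1 != a' "$SENDER_LOGIN_MAP"
        fi
        printf '%s %s\n' "$address" "$user"
    } > "$tmp"
    mv "$tmp" "$SENDER_LOGIN_MAP"
    _sender_login_postmap
}

# Drop the entry for an address: what the user-removal path needs to call.
sender_login_remove() {
    [ -f "$SENDER_LOGIN_MAP" ] || return 0
    tmp=$(mktemp)
    awk -v a="$1" '$1 != a' "$SENDER_LOGIN_MAP" > "$tmp"
    mv "$tmp" "$SENDER_LOGIN_MAP"
    _sender_login_postmap
}

# The change_url case: keep the login, move the entry to the new address.
sender_login_rename() {
    user=$(sender_login_lookup "$1")
    [ -n "$user" ] || { echo "sender_login_rename: no entry for $1" >&2; return 1; }
    sender_login_remove "$1"
    sender_login_add "$2" "$user"
}

# Live check (needs a running mail stack, so the tests do not call it):
# submit a message over STARTTLS on port 587 (assumed) authenticated as the
# system user, with a From: that must match the map. Run it once with the
# mapped address (expect delivery) and once with another address (expect a
# rejection from postfix); both outcomes are part of the check.
smtp_auth_send() {
    host="$1"; user="$2"; password="$3"; from="$4"; to="$5"
    printf 'From: %s\nTo: %s\nSubject: sender_login_maps check\n\nhello\n' "$from" "$to" |
        curl --silent --show-error --ssl-reqd --url "smtp://$host:587" \
             --user "$user:$password" --mail-from "$from" --mail-rcpt "$to" -T -
}
```

One caveat worth checking on the postfix side: smtpd_sender_login_maps alone only declares ownership. The map is enforced only if reject_sender_login_mismatch (or its authenticated/unauthenticated halves) appears in the smtpd_sender_restrictions or smtpd_recipient_restrictions chain; without that restriction, any account that can authenticate can still put an arbitrary From on the envelope, and the whole point of the map is lost.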
@Josue-T (Contributor) commented Sep 27, 2019

Hello,

The other solution would be to create a "special" user in LDAP for the app in, for example, ou=apps,dc=yunohost,dc=org. The idea is to create a helper which creates this specific user. The other advantage is that we also solve the issue raised by @yalh76 about the authentication of some apps to LDAP with a specific user and password.

@alexAubin (Member, Author) commented Sep 27, 2019

> The other advantage is that we also solve the issue raised by @yalh76 about the authentication of some apps to LDAP with a specific user and password.

Uh, can you elaborate on this?

@Josue-T (Contributor) commented Sep 27, 2019

So, @yalh76 said at one meeting that some apps (like mastodon) need a user and password to access LDAP, even if the access is free. So one solution was to create a yunohost user and use this user to be able to authenticate to LDAP. But this solution is not really clean because an app is not really a user. So my proposal to solve this is (and I think @yalh76 said the same thing) to create a user but in another place in LDAP, so the real user is separated from the "app" user. So the solution is, for example, to put the real users in LDAP in ou=users,dc=yunohost,dc=org and the users for the apps in ou=apps,dc=yunohost,dc=org. The other advantage of that is that you can also use this user for email, for example, so you have more flexibility.

If I were to implement this (I've written this in my todo list, but I just have too many things, so it might never be done...), I would create a function in the core based on the function for the user, but maybe with some more customization adapted to the apps.

@zamentur (Contributor) commented Sep 23, 2020

So what's the status? Is this PR needed? Or is #977 enough to fix the issue?

@zamentur zamentur added this to the Horizon milestone Jan 3, 2021
@zamentur zamentur added this to Technical / political choice needed in Pending Jan 4, 2021
@zamentur zamentur removed this from the Horizon milestone Jan 4, 2021
Projects: Pending (Divergence of opinion). 3 participants.