commit ae0dbe10e47fcf8f27d67c32bc38f9d47263685c
Author: blackicedbear
Date: Mon May 25 14:44:40 2026 +0200
first commit
diff --git a/dms/config/ad-ca.crt b/dms/config/ad-ca.crt
new file mode 100644
index 0000000..950249f
--- /dev/null
+++ b/dms/config/ad-ca.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIQMs1Xnvqa+4FCQq5hBIBWaTANBgkqhkiG9w0BAQsFADBZ
+MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglieXRldHJh
+aWwxJTAjBgNVBAMTHGJ5dGV0cmFpbC1XSU4tR0tDUVJNTkMzQVUtQ0EwHhcNMjYw
+NTI0MjA1NTI1WhcNMzEwNTI0MjEwNTI1WjBZMRUwEwYKCZImiZPyLGQBGRYFbG9j
+YWwxGTAXBgoJkiaJk/IsZAEZFglieXRldHJhaWwxJTAjBgNVBAMTHGJ5dGV0cmFp
+bC1XSU4tR0tDUVJNTkMzQVUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDhdGKkuW/2dbr8yoUoS9MamUFzVD8IHRSkRx1BSBbiXXTny0B1ziEYCxOP
+COh1GfJ+EvgUsjrJTfnP0Kl1+hi7ribGbzgDp+FrRWDDk1w9819aSqHfke1m8Qjr
+MUYPwR/e2oNMwQan0E+/VNpP5FRXkyXTi+nXgAuv176uCMPN4WZcJzo42Yfomtj8
+lsCVSbuGDgztNWRprXVr8zhCRjO6nMWq5X9CKhTfdSSkpu5WdgM1gTSrUhMSZg1a
+g5qqW5AeM2Z2cvSOCJ394N5r/wQ5C9kQmeGKpjjxYaGjvZzUNA2fXHdIrapGY9i4
+frM3JJlgzQNlv8zXCXSdxF8soIwtAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTnYOwmQanTgSyr1QrYpLpHMDhBoDAQBgkr
+BgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAhYISThHMl3jBiTWdQPAK
+Nycp4I8eUjHnesNTHDicK8cazx6oSCQW4lEj8L/mTpoHdxU1aMhDcml+LsZkv620
+uKIhd71mEAju7x+TzJ7xHuiG750OHlu5Q2Wbp3MvGZey8W3ZgfS5oUOisZRnomzD
+H8NX8bGW2/JqdfgmBGfiUp30a7upSEqjdh1vyXEIWd6kOoTLIwFzGeILxy8GFsmP
+dcgqlUtnOgzQ2a1EqK3Lcr/R5I6/Sc+lhIQmIyfX3EmJlMLGYF90ZTXDXN4LyJLb
+AhKaOXPBs68Bl5EzSjB+Aar+laQKD7I6wEqLBCmjsCXt1wORkiC5iuavHXWBG0bu
+RQ==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/dms/config/user-patches.sh b/dms/config/user-patches.sh
new file mode 100644
index 0000000..68cf5bb
--- /dev/null
+++ b/dms/config/user-patches.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# 1. Anpassungen für Active Directory Gruppen-Auflösung (aus Schritt 1)
+echo "Patsche ldap-groups.cf für Active Directory..."
+grep -q '^leaf_result_attribute = mail$' /etc/postfix/ldap-groups.cf || echo "leaf_result_attribute = mail" >> /etc/postfix/ldap-groups.cf
+grep -q '^special_result_attribute = member$' /etc/postfix/ldap-groups.cf || echo "special_result_attribute = member" >> /etc/postfix/ldap-groups.cf
+
+# 2. NEU: Windows AD Stammzertifikat importieren
+if [ -f /tmp/docker-mailserver/ad-ca.crt ]; then
+ echo "AD-Zertifikat gefunden. Kopiere in den lokalen Vertrauensspeicher..."
+ cp /tmp/docker-mailserver/ad-ca.crt /usr/local/share/ca-certificates/
+
+ echo "Aktualisiere das Linux-Zertifikatsregister (update-ca-certificates)..."
+ update-ca-certificates
+else
+ echo "HINWEIS: /tmp/docker-mailserver/ad-ca.crt wurde nicht gefunden. Stelle sicher, dass die Datei existiert, falls LDAPS fehlschlägt."
+fi
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..17b1131
--- /dev/null
+++ b/docker-compose.yml
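Review bot: The script never stops on failure: neither the `cp` nor `update-ca-certificates` result is checked, so when the copy fails the script still exits 0 and the STARTTLS failure against the domain controller only shows up later in the Postfix/Dovecot logs. Add `set -euo pipefail` directly after the shebang; the two `grep -q … || echo …` lines keep working under `-e` because the `||` list supplies the non-zero branch. The `cp` line also deserves a comment that dropping the file into `/usr/local/share/ca-certificates/` makes the AD CA trusted for every TLS client in the container, not only the LDAP lookups, e.g. `# Trusts the AD CA container-wide (all TLS clients), not just LDAP -- intended`. Since the compose file bind-mounts `./dms/config/` to `/tmp/docker-mailserver/`, the `else` branch fires only when that mount or the file itself is missing, which is worth saying in the hint message.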
@@ -0,0 +1,67 @@
+services:
+ mailserver:
+ image: ghcr.io/docker-mailserver/docker-mailserver:latest
+ container_name: mailserver
+ # Passe den Hostnamen an deinen tatsächlichen Mail-Server (nicht den DC) an
+ hostname: mail.bytetrail.at
+ extra_hosts:
+ - "WIN-GKCQRMNC3AU.bytetrail.local:192.168.56.10"
+ ports:
+ - "25:25"
+ - "143:143"
+ - "587:587"
+ - "993:993"
+ volumes:
+ - ./dms/mail-data/:/var/mail/
+ - ./dms/mail-state/:/var/mail-state/
+ - ./dms/mail-logs/:/var/log/mail/
+ - ./dms/config/:/tmp/docker-mailserver/
+ - ./mailserver-certs/:/tmp/dms/custom-certs/:ro
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ - ENABLE_SPAMASSASSIN=1
+ - ENABLE_CLAMAV=1
+ - ENABLE_FAIL2BAN=1
+ - ENABLE_POSTGREY=1
+
+ # >>> LDAP / Active Directory Basis-Verbindung
+ - ACCOUNT_PROVISIONER=LDAP
+ - LDAP_SERVER_HOST=ldap://WIN-GKCQRMNC3AU.bytetrail.local
+ - LDAP_START_TLS=yes
+ - DOVECOT_TLS=yes
+ - SASLAUTHD_LDAP_START_TLS=yes
+
+ # Bind-User (Hier der Standard-Administrator, besser wäre ein dedizierter Service-Account)
+ - LDAP_BIND_DN=CN=Mailserver Service Account,OU=Server,DC=bytetrail,DC=local
+ - LDAP_BIND_PW=Mail$$3rv!ceAcc2026
+ - LDAP_SEARCH_BASE=DC=bytetrail,DC=local
+
+ # >>> Postfix LDAP Integration
+ - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
+ - LDAP_QUERY_FILTER_USER=(&(objectclass=person)(mail=%s))
+ - LDAP_QUERY_FILTER_ALIAS=(&(objectclass=person)(proxyAddresses=smtp:%s))
+ - LDAP_QUERY_FILTER_GROUP=(&(objectClass=group)(mail=%s))
+
+ # SPOOF_PROTECTION: Beachte hier "CN=Domänen-Admins" aus deinem Screenshot
+ - SPOOF_PROTECTION=1
+ - LDAP_QUERY_FILTER_SENDERS=(|(mail=%s)(proxyAddresses=smtp:%s)(memberOf=CN=Domänen-Admins,CN=Users,DC=bytetrail,DC=local))
+
+ # >>> Dovecot LDAP Integration
+ - DOVECOT_AUTH_BIND=yes
+ - DOVECOT_USER_FILTER=(&(objectclass=person)(sAMAccountName=%n))
+ - DOVECOT_PASS_ATTRS=sAMAccountName=user,userPassword=password
+ # AD Workaround laut Doku: Hardcoded UID/GID 5000, um Rechte-Probleme zu vermeiden
+ - DOVECOT_USER_ATTRS==uid=5000,=gid=5000,=home=/var/mail/%Ln,=mail=maildir:~/Maildir
+
+ # >>> SASL LDAP Authentication
+ - ENABLE_SASLAUTHD=1
+ - SASLAUTHD_MECHANISMS=ldap
+ - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
+
+ - SSL_TYPE=manual
+ - SSL_CERT_PATH=/tmp/dms/custom-certs/cert.pem
+ - SSL_KEY_PATH=/tmp/dms/custom-certs/key.pem
+
+ - PERMIT_DOCKER=host
+ cap_add:
+ - NET_ADMIN
\ No newline at end of file
diff --git a/mailserver-certs/cert.pem b/mailserver-certs/cert.pem
new file mode 100644
index 0000000..d303ffb
--- /dev/null
+++ b/mailserver-certs/cert.pem
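Review bot: The Active Directory bind password is committed in clear text on the `LDAP_BIND_PW=Mail$$3rv!ceAcc2026` line, so everyone with read access to this repository, and to its history from now on, holds working credentials for the `Mailserver Service Account`. Read it from an untracked `.env` file through compose interpolation instead, `- LDAP_BIND_PW=${LDAP_BIND_PW}`, and rotate the password in AD, because the committed value has to be treated as exposed regardless of what happens to this file later. The comment above it still says "Standard-Administrator" while the DN below is a dedicated service account; replace it with `# Bind user: dedicated service account (LDAP_BIND_DN); its password lives in .env, not here` so comment and value agree. `image: ghcr.io/docker-mailserver/docker-mailserver:latest` is unpinned, which makes the deployment non-reproducible and means a registry update can change LDAP behaviour without a commit; pin a release tag.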
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFcTCCA1mgAwIBAgIUd5bpjI5W/zFjmmDsM2jxXVcqvhEwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRbWFpbC5ieXRldHJhaWwuYXQwHhcNMjYwNTIzMTUxNTA0 +WhcNMjcwNTIzMTUxNTA0WjAcMRowGAYDVQQDDBFtYWlsLmJ5dGV0cmFpbC5hdDCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOVhqAXJxgExbxNGw3z1ENKv +ixvP8jpc2aPkCpYQvfd6yS32FncgzuDSQlKJLZAFcb0MBf8UpS4plQ/ziG4B4u2r +Uzc6M3s+qErCLNQWgmMMr3qCJNpTBZ69O5mUTAOHkuuvUa+Z/ceStR5zDtrMsV/3 +Wxt3ar5lIenvNHo6NlDpB17DM3J97Ee+crAveJISHGCio+1JR3IpjMLbwsVxw3sF +eSz8gEGcOa1k9SS9rxEkN2hEqiqRNe2cRcV7GAd/jiNLRDHWVBmrQ/LB+pODHK/W +kfu2vOqs7MBWY93KwD44WY4rVmTOY3yL3mXz4y7IQ+aSbCB0F0Ywwd8jtqgO9FOD +eiFT/jFHVSSt/v+KPdGDU5zDkaxAHPZb9+CAWmXFgjc7yX0yIwLZcRXzZOKOFdOv +b5eSMNQjdAsUVLdpYvk+lYx5oaGtTqtKDBOhkU+7/WkTmhaipw3RXr1i9Rnpypmt +QlNSz/MrnkUYOsAs4SF0yEdJWD9ZV079tCLFFJvqxCDNLWr7O1uHzC3Iss0TvJhk +6Qh4+qN8BJBpKJHvjd0RvNbi9bs/PzUOODO8Z6TNOAELLVhQrRVvkj6IQ1T4Pvu4 +siF5xsdoptadi+lZqqh551+eOdazJVR90X7kNk+1sVPg20DASicYLQS26A1QdbDq +v4QG7Iw6+DMjI/pKpaYNAgMBAAGjgaowgacwHQYDVR0OBBYEFP97kdYqMU0VBIqy +bvWOdOLDG2RUMB8GA1UdIwQYMBaAFP97kdYqMU0VBIqybvWOdOLDG2RUMA8GA1Ud +EwEB/wQFMAMBAf8wVAYDVR0RBE0wS4IRbWFpbC5ieXRldHJhaWwuYXSCFG1haWwu +Ynl0ZXRyYWlsLmxvY2Fsgg9tYWlsLmJ5dGUudHJhaWyCD21haWwuYnl0ZS50cmFp +bDANBgkqhkiG9w0BAQsFAAOCAgEAipWrx9lLmz3OPAX5Y3l2c9dMfwE8yq6CWbmU +qJWKmCB+mGR6EbOEABnIyqrIKx6QOHTwDGuLQ0gvPK4wv1Al3XJq4BWU7WNJzhMM +OwkgPZcLVGa47R+mxlOG/ezqqq9dRIGbHj+PjgDWPDqChgrOAXb/1WERwXEVvF1N +8gBa/Xi1MgnhqThBOAygOsHicCgLtp/DEotjmajbQHB/ULP/6evl5x/0nY7F1zv0 +qaArhjopDeVIfnrWY68M4HDO5o3EyZOgUdN6mQbyeorpPx8BU3Y5gLHYlG05tQ8a +M1PNCDputZJblPssc0VNlhAkKB3UaT4qVAVRK0IQESXeGGx/eIeCWGN2OflAOMm7 +eX4zkXJZt7h8cjeWy26I8KYQboEc58LprDK8QIj8YEKJlXY/JsZdq/VxFq9R5oD8 +os74pn1zEvvUWnps9cz/0zQz+v8nQE/m2gh/vvA7poW9ElqoFjCMqwNIDSopIJ4H +9izv4ITvLnSlQq0Y/cSQm05emJD/gHr4eYKQhAMD9XS2SDyIVsU/NZVGqcAQVfap +6QeoyvMbw/Psq/X9fTM7eCb8M80UrcdJxlsnjftftUXEgOq83rf36qwJrXKA6eSL +3Ydny4imnlsd1IVN7ZxjeBgMOT2vsyUQ6w2qu3+ElQvcIds+MvSwscYtzLny36ZX +3ELX648= +-----END CERTIFICATE----- \ 
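Review bot: This certificate appears to be self-signed (issuer and subject both decode to CN `mail.bytetrail.at`) and the compose file serves it with `SSL_TYPE=manual` on ports 25/143/587/993, so mail clients and peer MTAs will not validate it without importing it by hand. If that is intentional for this environment, say so in a comment next to `SSL_TYPE=manual` in docker-compose.yml; otherwise a CA-issued certificate is the usual fix. The encoded validity dates also look like a one-year window, so a renewal step is needed either way; please confirm both readings with `openssl x509 -noout -text -in mailserver-certs/cert.pem`.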
No newline at end of file
diff --git a/mailserver-certs/key.pem b/mailserver-certs/key.pem
new file mode 100644
index 0000000..8d81b0d
--- /dev/null
+++ b/mailserver-certs/key.pem
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDlYagFycYBMW8T +RsN89RDSr4sbz/I6XNmj5AqWEL33eskt9hZ3IM7g0kJSiS2QBXG9DAX/FKUuKZUP +84huAeLtq1M3OjN7PqhKwizUFoJjDK96giTaUwWevTuZlEwDh5Lrr1Gvmf3HkrUe +cw7azLFf91sbd2q+ZSHp7zR6OjZQ6QdewzNyfexHvnKwL3iSEhxgoqPtSUdyKYzC +28LFccN7BXks/IBBnDmtZPUkva8RJDdoRKoqkTXtnEXFexgHf44jS0Qx1lQZq0Py +wfqTgxyv1pH7trzqrOzAVmPdysA+OFmOK1ZkzmN8i95l8+MuyEPmkmwgdBdGMMHf +I7aoDvRTg3ohU/4xR1Ukrf7/ij3Rg1Ocw5GsQBz2W/fggFplxYI3O8l9MiMC2XEV +82TijhXTr2+XkjDUI3QLFFS3aWL5PpWMeaGhrU6rSgwToZFPu/1pE5oWoqcN0V69 +YvUZ6cqZrUJTUs/zK55FGDrALOEhdMhHSVg/WVdO/bQixRSb6sQgzS1q+ztbh8wt +yLLNE7yYZOkIePqjfASQaSiR743dEbzW4vW7Pz81DjgzvGekzTgBCy1YUK0Vb5I+ +iENU+D77uLIhecbHaKbWnYvpWaqoeedfnjnWsyVUfdF+5DZPtbFT4NtAwEonGC0E +tugNUHWw6r+EBuyMOvgzIyP6SqWmDQIDAQABAoICAGaV/E1KZjGWaDTYywkRmQqA +09gGcjDD4do4XLuslSkfUuYpTvbMR3moz1yWWTg2Fx4TSINCOnWgxzexFO0ODu14 +V+k1MF0IMr/sg5v+zSV7QOerWMwDoVnTC9qtxik18vFRIVlFp4ggBrytfJFCRnnC +6I4qJCUumbJD9tZLPouFDHTHHDUyOAAGHsjJEkVRsDtPwbyXr0pRZtCm9D7VmDVm +x0DlVH8DXZA8vJ5H7wndhqItQ2VyOAoif9nIKYEA/RKv0LnxPv+T5vmk42ohkyzY +68UFfwv9doy2lkdVLBEnpnW80BCZdUj4TOiP4KTFkAiIp68D/Hy5xZsEH+adeYsf +JlyV1HrnzPtfsUDsTinE5++Zu3/YJ3EaHcHTohRvj7ji2YPmDh2L6NIR1bDqegaP +oKsSmB+8FTQH3XhYVzjuoVPrIIykyPA+v/8seol3O4/uhD1L+t1HnUr6SRwV0tU+ +lVBX4oSxz4rLcjS12xLyRAL20AahHpYOHu4IsC/s5nnMrJq0d0gsyiAyAutmTwfQ +52k1iRWbPUiyhkRhXU6wX/c7j+rq/GOnWe150nIZtIGSO1PTmyNhrsLYHTF6RPXq +9m3+2TYHqh6nXjs22c0NVqa5jJWt3uJsnH+jvM/Be+a+uMTPmfaXoe3hSDCz1GwH +9I/hFli58ttsKr777i0JAoIBAQD9IsjpfPjV4e4Xsu9vD+/UYSiFvsV/i7ud8U97 +idkMqwozqPRHDoDv5c3bQokD5AG2LNdHijldZOqr+gvXYAjkN0qiCqR2lqOUiYMX +kYxXsBjoAnbSaeACMRcQeNF6tWaNr5E2dxOtBXElt4CEi37JCN78wupckgDWFyXJ +Ww0imeVC8wlGO0saLOJ6ois0CF4ukLDHQ3jyp/BxFJXH6dp+9ldoY/vzFB6q8v/x +Rc8gEdM1cK0Hdw59ZBzi+1orkU8lVRNeOGDvD1g1ZrbUkpSPD+StMmQ5rtcd+mg5 +WP2Ez0i/NAmCZqtsKR6+KlZQeY8BNweeNaoFRuTu8d1qPqkXAoIBAQDn+hDzcrKh +6JLMDzuAarS+xqx5rbb6o32QHG/9xpMZ5NCZ6knuS083+WKodeUPDSUXb3tQrzax 
+9lIGsUbiSGHdPU6SmlPc70qQP2qlVvdYT0bk032A5Vqlh09eNL8WwR1hVkq4j1Wl +7xB3gjd23aNAzCqGB0QaVYymkLTgfVay3hBme+29/yH7vit1clIsDggUFCmIyMyf +l2Om9rMxQEPJKph2eL7nxAkYt/rvluipyjbKLrhTphQcLE9jSPqcsFPjl8+BzlO9 +vB9QJ0VgWVuz43sCd/fXj3eP0WRCm+OCIbbFWqxUWKRpcD3qJ4D8wsjoQLWn+60M ++jB2slasedh7AoIBAATZ7c/LvVkcA1wg6cXPIGGJmyU1CsPvAaF9RnCvq6E6he+H +hWb3ODFgzhktpUKV1BKRuW59j6viizzQhfmStZjqFlwUqCI9sNTf7cs91tq3XULV +CUHvFYP1POPr7NfVMin0+2t3zMC8Ifb/FU90/PENYnilo6gyhCGWP/sj65SGLoah +8cOOz1mpEo4XHYzZvDRYQYsQF/lOjqUcJ+K08KMORY6Sm/mEoTHVhmIxXE7ZCJs1 +lZtXBMgSaxtOhePf3QxyHPTpT7JFMQOU/FwGkyJKw68uEA2q9CR28BhpRDKPZm2D +qcr9/LsN7rDmTtEsAzmavGKj1KZVPX321K98k/ECggEAJ3EuRqZe1wabRxTj8g6y +kqlnE/1EWlNH+yPKquSDiGiOS005qsmlO4gsjSYWfzul7dknp21TKGkQQ1ELE1hp +Q1u0K1sQHUWWcPZHZLtnrN012ZxX/31/rxtVlFf1kaHeI/mvFLhSQLdoHlnGonBG +3LKaHFXJ74xSMNPz3SOShTEaqsIxhxeFKK+J5hs8+36bQwa2lSpHGG9+IxpZF2us +2txiNeqL0w5S2aAWi3wmLRBTxoaxEo/vZWbnTKNQ8SlN6imav6BcPqtoy5ERy7MF +040/Eglh24XqN0rL+ENXKH4g/GdRW7oCombSMCjtVoyr6kluWZSCNO2pJdVmxUam +VwKCAQEArVC1aY6D09lKsqUYQbUpSRrlkgnifAqRu5f6Q8Dywl5mFk2OQw/T4hHv +/ocCauWs4ZuOB6nXOwuD52n2YqbYKbwQiSca+9W/8AS4bC2WLHIbCBWIUWRpp8K3 +UuOO2XmFxOUsLRk4odKL8+2KYeqCkb+PGk0Uf6nD6cYlMcafsMcY08Mnlf8GCtHv +RFxPOFx2rTxtSLSVA+NqEMd6d4nmAWD2p78fZGZauWwicDKiKnoY+wvoryU2RT8T +VcK8FEPKk935GLdFwxgeEYAxCbeAywbR3p/abmPqlH6NJEIv25ne4cptmdafXS+G +ngzZf9T1kzSVdKeez2NHBfF09wqg8Q== +-----END PRIVATE KEY----- \ No newline at end of file
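Review bot: The mail server's TLS private key is committed as a plain file with mode 100644, so it is readable by everyone with repository access and will remain in git history even if the file is deleted later. Generate a new key and certificate, add `mailserver-certs/` to `.gitignore` and keep it a host-side directory that the compose file mounts (as it already does via `./mailserver-certs/:/tmp/dms/custom-certs/:ro`), and store the key with mode 0600. Until it is replaced, the key pair behind `mailserver-certs/cert.pem` has to be treated as exposed.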