From 9b43446f652130e7bbdc3cbc77f1ce1d76ca38a9 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 8 May 2026 06:05:14 -0700 Subject: [PATCH] fix: LDAP config auf plain ldap ohne TLS + LDAPS Setup-Skript fuer DC --- Setup-LDAPS-Certificate.ps1 | 110 ++++++++++++++++++++++++++++++++++++ mailserver.env | 8 +-- 2 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 Setup-LDAPS-Certificate.ps1 diff --git a/Setup-LDAPS-Certificate.ps1 b/Setup-LDAPS-Certificate.ps1 new file mode 100644 index 0000000..1920449 --- /dev/null +++ b/Setup-LDAPS-Certificate.ps1 
@@ -0,0 +1,110 @@
+# ============================================================
+# LDAPS Zertifikat Setup fuer Domain Controller
+# Ausfuehren auf: SRV-DC01 (10.10.10.10) als Administrator
+# Zweck: Aktiviert LDAPS (Port 636) fuer docker-mailserver
+# ============================================================
+
+Write-Host "`n=== LDAPS Zertifikat Setup ===" -ForegroundColor Cyan
+
+# Schritt 1: INF-Datei erstellen
+Write-Host "[1/4] Erstelle Zertifikat-Request (INF)..." -ForegroundColor Yellow
+
+$infContent = @"
+[Version]
+Signature="`$Windows NT`$"
+
+[NewRequest]
+Subject = "CN=SRV-DC01.byte.trail"
+KeySpec = 1
+KeyLength = 2048
+Exportable = TRUE
+MachineKeySet = TRUE
+SMIME = FALSE
+PrivateKeyArchive = FALSE
+UserProtected = FALSE
+UseExistingKeySet = FALSE
+ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+ProviderType = 12
+RequestType = Cert
+KeyUsage = 0xa0
+HashAlgorithm = SHA256
+
+[EnhancedKeyUsageExtension]
+OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
+
+[Extensions]
+2.5.29.17 = "{text}"
+_continue_ = "dns=SRV-DC01.byte.trail&"
+_continue_ = "dns=byte.trail&"
+_continue_ = "ip=10.10.10.10"
+"@
+
+Set-Content -Path "C:\ldaps.inf" -Value $infContent -Encoding ASCII
+Write-Host " [OK] C:\ldaps.inf erstellt" -ForegroundColor Green
+
+# Schritt 2: Zertifikat erstellen und im Machine Store installieren
+Write-Host "[2/4] Erstelle und installiere Zertifikat..." -ForegroundColor Yellow
+
+$result = certreq -new "C:\ldaps.inf" "C:\ldaps.cer" 2>&1
+if ($LASTEXITCODE -eq 0) {
+ Write-Host " [OK] Zertifikat erstellt und installiert" -ForegroundColor Green
+} else {
+ Write-Host " [!] Fehler bei certreq: $result" -ForegroundColor Red
+ Write-Host " [!] Versuche Fallback mit New-SelfSignedCertificate..." -ForegroundColor Yellow
+
+ # Fallback: New-SelfSignedCertificate mit Legacy CSP
+ $cert = New-SelfSignedCertificate `
+ -Subject "CN=SRV-DC01.byte.trail" `
+ -DnsName "SRV-DC01.byte.trail","byte.trail","10.10.10.10" `
+ -CertStoreLocation "Cert:\LocalMachine\My" `
+ -KeyAlgorithm RSA `
+ -KeyLength 2048 `
+ -KeyExportPolicy Exportable `
+ -NotAfter (Get-Date).AddYears(10) `
+ -Provider "Microsoft RSA SChannel Cryptographic Provider" `
+ -KeyUsage DigitalSignature, KeyEncipherment `
+ -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
+
+ if ($cert) {
+ Write-Host " [OK] Zertifikat erstellt (Fallback)" -ForegroundColor Green
+ } else {
+ Write-Host " [!] FEHLER: Zertifikat konnte nicht erstellt werden!" -ForegroundColor Red
+ exit 1
+ }
+}
+
+# Schritt 3: NTDS neu starten
+Write-Host "[3/4] Starte NTDS-Dienst neu..." -ForegroundColor Yellow
+Restart-Service NTDS -Force
+Start-Sleep -Seconds 5
+Write-Host " [OK] NTDS neugestartet" -ForegroundColor Green
+
+# Schritt 4: LDAPS testen
+Write-Host "[4/4] Teste LDAPS (Port 636)..." -ForegroundColor Yellow
+Start-Sleep -Seconds 3
+
+try {
+ $tcp = New-Object System.Net.Sockets.TcpClient
+ $tcp.Connect("localhost", 636)
+
+ if ($tcp.Connected) {
+ $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {$true})
+ try {
+ $ssl.AuthenticateAsClient("SRV-DC01.byte.trail")
+ Write-Host " [OK] LDAPS funktioniert! Zertifikat: $($ssl.RemoteCertificate.Subject)" -ForegroundColor Green
+ } catch {
+ Write-Host " [!] Port 636 offen, aber SSL-Handshake fehlgeschlagen: $($_.Exception.Message)" -ForegroundColor Red
+ Write-Host " [!] Moeglicherweise muss der Server komplett neugestartet werden (Restart-Computer)" -ForegroundColor Yellow
+ } finally {
+ $ssl.Close()
+ }
+ }
+ $tcp.Close()
+} catch {
+ Write-Host " [!] Port 636 nicht erreichbar: $($_.Exception.Message)" -ForegroundColor Red
+ Write-Host " [!] 
Versuche: Restart-Computer -Force" -ForegroundColor Yellow
+}
+
+Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan
+Write-Host "Falls LDAPS nicht funktioniert, fuehre 'Restart-Computer -Force' aus und teste erneut." -ForegroundColor Yellow
+Write-Host ""
diff --git a/mailserver.env b/mailserver.env
index 4e20dcd..570467f 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -455,7 +455,7 @@ OAUTH2_INTROSPECTION_URL=
 # empty => no
 # yes => LDAP over TLS enabled for Postfix
-LDAP_START_TLS=yes
+LDAP_START_TLS=no
 # empty => mail.example.com
 # Specify the `` / `` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
@@ -480,11 +480,11 @@ LDAP_QUERY_FILTER_USER=(mail=%s)
 # e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for groups
-LDAP_QUERY_FILTER_GROUP=(|)
+LDAP_QUERY_FILTER_GROUP=(&(objectClass=group)(mail=%s))
 # e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for aliases
-LDAP_QUERY_FILTER_ALIAS=(|)
+LDAP_QUERY_FILTER_ALIAS=(&(objectClass=person)(proxyAddresses=smtp:%s))
 # e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for domains
@@ -496,7 +496,7 @@ LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
 # empty => no
 # yes => LDAP over TLS enabled for Dovecot
-DOVECOT_TLS=yes
+DOVECOT_TLS=no
 # e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
 DOVECOT_USER_FILTER=(&(objectClass=person)(mail=%u))
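Review bot: Both certificate paths mark the LDAPS private key exportable (`Exportable = TRUE` in the INF and `-KeyExportPolicy Exportable` in the fallback) although Schannel only needs to use the key in place on the DC; change them to `Exportable = FALSE` and `-KeyExportPolicy NonExportable` so the key cannot be pulled out as a PFX with standard tooling by anyone who gets local admin on SRV-DC01. The fallback also issues a 10-year self-signed certificate and the script never says how clients are meant to trust it; the public part written to `C:\ldaps.cer` should be copied to the mail host and configured there as the CA, otherwise the client ends up with verification switched off, which is what the accompanying mailserver.env change in this commit appears to do. The `{$true}` validation callback in step 4 is fine for a local smoke test but must not be copied into client configuration, so a comment such as `# test only: accepts any certificate, do NOT reuse this callback on clients` on that line would help. `Restart-Service NTDS -Force` interrupts authentication on a production DC, so a warning comment before that line is worth adding too.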
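Review bot: `LDAP_START_TLS=no` together with the commit subject ("plain ldap ohne TLS") means Postfix's bind DN password and every recipient lookup cross the network unencrypted between the mail host and the DC, while the same commit adds a script whose sole purpose is to enable LDAPS on that DC. If `LDAP_SERVER_HOST` (not in this hunk) is an `ldaps://` URI, `no` is actually the right value, because STARTTLS must not be attempted on the implicit-TLS port; in that case record it, e.g. `# STARTTLS off on purpose: LDAP_SERVER_HOST is ldaps:// (implicit TLS on 636), never use no with plain ldap://`. If it is a plain `ldap://` URI, keep `yes` (or move to `ldaps://`) and trust the DC certificate on the client side instead of downgrading. Note also that AD's LDAP signing / channel-binding hardening may reject simple binds over unencrypted LDAP, so a plaintext setup can stop working after a DC policy change.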
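Review bot: The new alias filter `(&(objectClass=person)(proxyAddresses=smtp:%s))` also matches disabled accounts, so mail keeps being accepted for and routed to users who have been disabled in AD; if that is not intended, exclude them with the bitwise filter, e.g. `LDAP_QUERY_FILTER_ALIAS=(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(proxyAddresses=smtp:%s))`. The same consideration presumably applies to `LDAP_QUERY_FILTER_USER` and `DOVECOT_USER_FILTER`, which are outside this hunk. A one-line comment above each filter naming the AD attribute it keys on (`proxyAddresses` for aliases, `mail` on group objects) would make the intent reviewable next to the generic docker-mailserver examples.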
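Review bot: `DOVECOT_TLS=no` has a larger blast radius than the Postfix setting: if Dovecot's LDAP passdb authenticates users by binding as them (the `auth_bind` setting is not visible here), every IMAP and SMTP-AUTH password is forwarded to the DC in cleartext, and otherwise at least the lookup account's bind password is. Because `yes` here means STARTTLS, `no` is only correct when the Dovecot LDAP URI is `ldaps://`; add a comment recording which case applies, e.g. `# no = STARTTLS off because the LDAP URI is ldaps:// (implicit TLS); do not combine with plain ldap://`. If the URI really is plain `ldap://`, keep `yes` and point Dovecot at the DC certificate instead.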