fix: LDAP config auf plain ldap ohne TLS + LDAPS Setup-Skript fuer DC

2026-05-08 06:05:14 -07:00
parent 09514f78c3
commit 9b43446f65
2 changed files with 114 additions and 4 deletions
@@ -0,0 +1,110 @@
+# ============================================================
+#  LDAPS Zertifikat Setup fuer Domain Controller
+#  Ausfuehren auf: SRV-DC01 (10.10.10.10) als Administrator
+#  Zweck: Aktiviert LDAPS (Port 636) fuer docker-mailserver
+# ============================================================
+
+Write-Host "`n=== LDAPS Zertifikat Setup ===" -ForegroundColor Cyan
+
+# Schritt 1: INF-Datei erstellen
+Write-Host "[1/4] Erstelle Zertifikat-Request (INF)..." -ForegroundColor Yellow
+
+$infContent = @"
+[Version]
+Signature="`$Windows NT`$"
+
+[NewRequest]
+Subject = "CN=SRV-DC01.byte.trail"
+KeySpec = 1
+KeyLength = 2048
+Exportable = TRUE
+MachineKeySet = TRUE
+SMIME = FALSE
+PrivateKeyArchive = FALSE
+UserProtected = FALSE
+UseExistingKeySet = FALSE
+ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
+ProviderType = 12
+RequestType = Cert
+KeyUsage = 0xa0
+HashAlgorithm = SHA256
+
+[EnhancedKeyUsageExtension]
+OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
+
+[Extensions]
+2.5.29.17 = "{text}"
+_continue_ = "dns=SRV-DC01.byte.trail&"
+_continue_ = "dns=byte.trail&"
+_continue_ = "ip=10.10.10.10"
+"@
+
+Set-Content -Path "C:\ldaps.inf" -Value $infContent -Encoding ASCII
+Write-Host "  [OK] C:\ldaps.inf erstellt" -ForegroundColor Green
+
+# Schritt 2: Zertifikat erstellen und im Machine Store installieren
+Write-Host "[2/4] Erstelle und installiere Zertifikat..." -ForegroundColor Yellow
+
+$result = certreq -new "C:\ldaps.inf" "C:\ldaps.cer" 2>&1
+if ($LASTEXITCODE -eq 0) {
+    Write-Host "  [OK] Zertifikat erstellt und installiert" -ForegroundColor Green
+} else {
+    Write-Host "  [!] Fehler bei certreq: $result" -ForegroundColor Red
+    Write-Host "  [!] Versuche Fallback mit New-SelfSignedCertificate..." -ForegroundColor Yellow
+    
+    # Fallback: New-SelfSignedCertificate mit Legacy CSP
+    $cert = New-SelfSignedCertificate `
+        -Subject "CN=SRV-DC01.byte.trail" `
+        -DnsName "SRV-DC01.byte.trail","byte.trail","10.10.10.10" `
+        -CertStoreLocation "Cert:\LocalMachine\My" `
+        -KeyAlgorithm RSA `
+        -KeyLength 2048 `
+        -KeyExportPolicy Exportable `
+        -NotAfter (Get-Date).AddYears(10) `
+        -Provider "Microsoft RSA SChannel Cryptographic Provider" `
+        -KeyUsage DigitalSignature, KeyEncipherment `
+        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
+    
+    if ($cert) {
+        Write-Host "  [OK] Zertifikat erstellt (Fallback)" -ForegroundColor Green
+    } else {
+        Write-Host "  [!] FEHLER: Zertifikat konnte nicht erstellt werden!" -ForegroundColor Red
+        exit 1
+    }
+}
+
+# Schritt 3: NTDS neu starten
+Write-Host "[3/4] Starte NTDS-Dienst neu..." -ForegroundColor Yellow
+Restart-Service NTDS -Force
+Start-Sleep -Seconds 5
+Write-Host "  [OK] NTDS neugestartet" -ForegroundColor Green
+
+# Schritt 4: LDAPS testen
+Write-Host "[4/4] Teste LDAPS (Port 636)..." -ForegroundColor Yellow
+Start-Sleep -Seconds 3
+
+try {
+    $tcp = New-Object System.Net.Sockets.TcpClient
+    $tcp.Connect("localhost", 636)
+    
+    if ($tcp.Connected) {
+        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, {$true})
+        try {
+            $ssl.AuthenticateAsClient("SRV-DC01.byte.trail")
+            Write-Host "  [OK] LDAPS funktioniert! Zertifikat: $($ssl.RemoteCertificate.Subject)" -ForegroundColor Green
+        } catch {
+            Write-Host "  [!] Port 636 offen, aber SSL-Handshake fehlgeschlagen: $($_.Exception.Message)" -ForegroundColor Red
+            Write-Host "  [!] Moeglicherweise muss der Server komplett neugestartet werden (Restart-Computer)" -ForegroundColor Yellow
+        } finally {
+            $ssl.Close()
+        }
+    }
+    $tcp.Close()
+} catch {
+    Write-Host "  [!] Port 636 nicht erreichbar: $($_.Exception.Message)" -ForegroundColor Red
+    Write-Host "  [!] Versuche: Restart-Computer -Force" -ForegroundColor Yellow
+}
+
+Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan
+Write-Host "Falls LDAPS nicht funktioniert, fuehre 'Restart-Computer -Force' aus und teste erneut." -ForegroundColor Yellow
+Write-Host ""
@@ -455,7 +455,7 @@ OAUTH2_INTROSPECTION_URL=

 # empty => no
 # yes => LDAP over TLS enabled for Postfix
-LDAP_START_TLS=yes
+LDAP_START_TLS=no

 # empty => mail.example.com
 # Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
@@ -480,11 +480,11 @@ LDAP_QUERY_FILTER_USER=(mail=%s)

 # e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for groups
-LDAP_QUERY_FILTER_GROUP=(|)
+LDAP_QUERY_FILTER_GROUP=(&(objectClass=group)(mail=%s))

 # e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for aliases
-LDAP_QUERY_FILTER_ALIAS=(|)
+LDAP_QUERY_FILTER_ALIAS=(&(objectClass=person)(proxyAddresses=smtp:%s))

 # e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
 # => Specify how ldap should be asked for domains
@@ -496,7 +496,7 @@ LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)

 # empty => no
 # yes => LDAP over TLS enabled for Dovecot
-DOVECOT_TLS=yes
+DOVECOT_TLS=no

 # e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
 DOVECOT_USER_FILTER=(&(objectClass=person)(mail=%u))