add: ldap auth

README.md

@@ -2,32 +2,60 @@
 
 🐳Dockerized postfix which relays emails to SendGrid. Just adding some environment variables, you can setup the container.
 
+<b>Note: This image is made for send-only mail server.</b>
+
 ## Features
 - 📩 Realy emails to SendGrid
 - 🔐 SMTP AUTH (with automated account creation)
 - 📇 Sender Canonical
-- ✅ SMTP AUTH with LDAP (not implemented yet)
+- ✅ SMTP AUTH with LDAP
 
 ## How to use
 Just pull the image and run the container with environment variables. 
+
 You need to provide the hostname of the container to give the postfix hostname, otherwise it uses the container ID as a hostname.
 
 For example,
 ```bash
 docker run -d --hostname example.com -e SENDGRID_API_KEY=YOUR_API_KEY -e SMTP_USER=user -e SMTP_PASSWORD=abcdef -p 25:25 -p 587:587 ghcr.io/seieric/postfix-sendgrid-relay-docker:latest
 ```
 
-### Environment variables
+## Environment variables
 #### SENDGRID_API_KEY (Required)
 Your SENDGRID's API key. The container wouldn't start if not set.
 
-#### SMTP_USER (Optional)
+## Environment variables for SMTP AUTH
+If none of the following variables are set, you can use only port 25.
+### Basic (single account)
+Just create a single account with SMTP_USER and SMTP_PASSWORD.
+#### SMTP_USER (Required)
 User for SMTP AUTH. If not set, you cannot use submission port 587. Must be used with SMTP_PASSWORD.
 
-#### SMTP_PASSWORD (Optional)
+#### SMTP_PASSWORD (Required)
 Password for SMTP AUTH. If not set, you cannot use submission port 587. Must be used with SMTP_USER.
 
-### Feature: sender canonical
+### LDAP authentication
+Use LDAP authentication for SMTP AUTH. You need to set the following variables.
+
+<b>If you configure LDAP authentication, SMTP_USER and SMTP_PASSWORD will be ignored.</b>
+
+#### LDAP_SERVER (Required)
+LDAP server address. For example, ```ldap://127.0.0.1``` or ```ldaps://ldap.example.com```.
+You can set multiple servers.
+
+#### LDAP_BIND_DN (Required)
+LDAP bind DN.
+
+#### LDAP_BIND_PWD (Required)
+LDAP bind password.
+
+#### LDAP_SEARCH_BASE (Required)
+LDAP search base. For example, ```ou=accounts,dc=example,dc=com```.
+
+#### LDAP_SEARCH_FQDN (Optional)
+LDAP search filter. Default is  ```(&(objectClass=inetOrgPerson)(uid=%U))```.
+
+## Feature: sender canonical
 This image supports sender canonical feature included in postfix.
 
 To use this feature, just mount your sender canonical file to ```/etc/postfix/sender_canonical```

init-postfix.sh

@@ -6,9 +6,25 @@ fi
 
 echo "[smtp.sendgrid.net]:587 apikey:$SENDGRID_API_KEY" >> /etc/postfix/sasl_passwd
 
-# create user
-if [[ -n $SMTP_USER ]] && [[ -n $SMTP_PASSWORD ]]; then
+if [[ -n $LDAP_SERVER ]] && [[ $LDAP_BIND_DN ]] && [[ $LDAP_BIND_PW ]] && [[ $LDAP_SEARCH_BASE ]]; then
+  echo "Use LDAP authentication. Ignoring SMTP_USER and SMTP_PASSWORD."
+  cat << EOF >> /etc/saslauthd.conf
+ldap_servers: $LDAP_SERVER
+ldap_use_sasl: no
+ldap_bind_dn: $LDAP_BIND_DN
+ldap_password: $LDAP_BIND_PW
+ldap_mech: PLAIN
+ldap_auth_method: bind
+ldap_filter: ${LDAP_FILTER:-"(&(objectClass=inetOrgPerson)(uid=%U))"}
+ldap_scope: sub
+ldap_search_base: $LDAP_SEARCH_BASE
+ldap_deref: always
+EOF
+  /usr/sbin/saslauthd -a ldap -O /etc/saslauthd.conf
+elif [[ -n $SMTP_USER ]] && [[ -n $SMTP_PASSWORD ]]; then
+  echo "Use SMTP_USER and SMTP_PASSWORD"
   echo $SMTP_PASSWORD | saslpasswd2 -p -u localhost.localdomain $SMTP_USER
+  /usr/sbin/saslauthd -a sasldb
 fi
 
 adduser postfix sasl
@@ -18,5 +34,4 @@ if [[ -e /etc/postfix/sender_canonical ]]; then
   echo "sender_canonical_maps = hash:/etc/postfix/sender_canonical" >> /etc/postfix/main.cf
 fi
 /usr/sbin/postmap /etc/postfix/sasl_passwd && rm /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd.db && \
-/usr/sbin/saslauthd -a sasldb
 /usr/sbin/postfix start-fg