Docker-mailserver: configomat.sh does change var values

Created on 30 Sep 2020 · 8 Comments · Source: tomav/docker-mailserver

I was trying to get the mailserver up and running using LDAP as the mechanism for authentication and I received a lot of Invalid Credentials and authentication failure messages. After double checking all vars and passwords I found no issue with my configuration, so I started debugging the container vars and files. I found that the conf files inside the container have a different password set than the var in docker-compose.yml.
It turns out that the configomat.sh script does not work 100%. Especially on passwords with a lot of special characters, the conversion does not work and the escaping of special chars fails, so that the password is changed.

Context

So I started investigating what went wrong with my password and found this line:
https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L608
in start-mailserver.sh, where configomat.sh is used to translate the vars from the docker-compose.yml into (in this case) the dovecot-ldap.conf.ext

So the error must occur inside this script. I looked into the used repository and I think the problem line must be this one:
https://github.com/alinmear/docker-configomat/blob/b42a6eb65dc1e059c8bf3661e51f3ce308469e19/configomat.sh#L53

So in my case the (changed ;)) password from the var in docker-compose.yml was:

- LDAP_BIND_PW=abC1+[de[-2)_f@g3HIJ4][kL

and the configomat script saved the following into dovecot-ldap.conf.ext:

dnpass = abC1+[de[-2)_f@g3HIJ4[]][kL

As you can see, there is an additional [] in the saved password, which will cause dovecot to not be able to log in to the LDAP server.

Not only the dovecot config files are processed this way; the four postfix files also contain that wrong password.

What is affected by this bug?

Every variable which is processed by configomat.sh could be affected if special chars are used in a specific order that the regex cannot recognize correctly. As far as I can see it is only the case for LDAP related vars, but the problem is not LDAP ;)

When does this occur?

On the startup of the mailserver for every line where configomat.sh is called.

How do we replicate the issue?

  1. Configure docker-mailserver to be used with ldap
  2. Set one of the vars to e.g. the password shown above (abC1+[de[-2)_f@g3HIJ4][kL)
  3. Start Mailserver
  4. Check content of the affected files (e.g.: docker exec -it mail cat /etc/postfix/ldap-aliases.cf)

Actual Behavior

Password is changed during conversion from var to conf file

Expected behavior (i.e. solution)

Every var (not only passwords) should be converted as they are without changes

Your Environment

  • Mailserver version used: 7.1.0
  • Docker version used: 19.03.12
  • Environment settings relevant to the config: - LDAP_BIND_PW=abC1+[de[-2)_f@g3HIJ4][kL
bug priority 3 [LOW] roadmap script related

All 8 comments

Could be a stupid question, but for

- LDAP_BIND_PW=abC1+[de[-2)_f@g3HIJ4][kL

have you tried

- LDAP_BIND_PW="abC1+[de[-2)_f@g3HIJ4][kL"
# or
- LDAP_BIND_PW='abC1+[de[-2)_f@g3HIJ4][kL'

?

I have tried both variants you mentioned and this one as well:

- "LDAP_BIND_PW=abC1+[de[-2)_f@g3HIJ4][kL"

None of the three variants worked so far.

The problem is that I can't even quick-fix this by providing config override files, because they are processed the same way -.-
So for now I ended up manually editing the password in the currently 5 wrongly substituted files. Then everything works fine until the container restarts.

Any idea on how to test this regex and if the regex is really the problem?

Here is the log from the startup of the server (changed the password ofc):

docker-mailserver | Config'O'mat. Version 0.0.0
docker-mailserver | -------------------
docker-mailserver | Got the ENV_PREFIX: DOVECOT_
docker-mailserver | Got the CONF_FILE:  /etc/dovecot/dovecot-ldap.conf.ext
docker-mailserver | -------------------
docker-mailserver |
docker-mailserver | Starting to do overrides:
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: dnpass = abC1+[de[-2)_f@g3HIJ4][kL
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: pass_attrs = mail=user,userPassword=password
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: base = dc=ldap,dc=domain,dc=de
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: dn = cn=admin,dc=ldap,dc=domain,dc=de
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: tls = no
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: user_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: hosts = openldap
docker-mailserver |   >> /etc/dovecot/dovecot-ldap.conf.ext: pass_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))

which shows the correct value of the provided var for processing (stays the same with each of the 3 variants). But after processing by configomat, the value which is written into the file has this additional [] inside the password.

If I understood that correctly the password should look like this:
abC1+\[de\[-2)_f@g3HIJ4\]\[kL
after it was edited by sed.

What happens:
sed -r 's/([\=\&\|\$\.\*\/\[\\^])/\\\1/g' escapes the following: = & | $ . * / [ and \

Since ] would break the regex, there is the second call to sed:
sed 's/[]]/\[]]/g'
If we look closely, the regex consists of the list containing only ] and replaces this with []].
What it should probably do is to escape ].

This could be achieved by:
sed 's/[]]/\\]/g'

In total:
config_overrides[$key]="$((echo ${config_overrides[$key]}|sed -r 's/([\=\&\|\$\.\*\/\[\\^])/\\\1/g'|sed 's/[]]/\\]/g')>&1)"
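
The escaping step analysed in the comment above, as an added example that is not part of the original thread or of configomat itself. The function names, the `apply_override` step (which assumes the escaped value ends up as the replacement text of a sed substitution) and the two extra sample values are assumptions made for illustration; the sed expressions are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: compares the escaping quoted in the thread with the proposed fix.
# Requires a sed that supports -r (GNU sed).

# Escaping as quoted in the thread: the second sed turns "]" into "[]]".
escape_buggy() {
  printf '%s\n' "$1" \
    | sed -r 's/([\=\&\|\$\.\*\/\[\\^])/\\\1/g' \
    | sed 's/[]]/\[]]/g'
}

# Escaping with the fix proposed in the thread: "]" becomes "\]".
escape_fixed() {
  printf '%s\n' "$1" \
    | sed -r 's/([\=\&\|\$\.\*\/\[\\^])/\\\1/g' \
    | sed 's/[]]/\\]/g'
}

# Assumption: the escaped value is later used as the replacement part of a
# sed substitution on a "key = value" line. $1 = key, $2 = escaped value.
apply_override() {
  printf '%s = placeholder\n' "$1" | sed "s/^$1 = .*/$1 = $2/"
}

# True when a raw value comes out of the config line unchanged.
# $1 = name of the escape function, $2 = raw value
survives() {
  [ "$(apply_override dnpass "$("$1" "$2")")" = "dnpass = $2" ]
}

# The (already changed) password from the issue plus two constructed values.
PW='abC1+[de[-2)_f@g3HIJ4][kL'
for v in "$PW" 'a&b/c' 'p]q'; do
  for f in escape_buggy escape_fixed; do
    if survives "$f" "$v"; then r=kept; else r=CHANGED; fi
    printf '%-13s %-28s %s\n' "$f" "$v" "$r"
  done
done
```

Running the same round-trip check against every value before it is written gives a quick regression test for this class of bug: any value that does not come back byte-for-byte identical indicates an escaping gap.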

Thanks! So I will open an issue inside the configomat repository. Hopefully the maintainer responds in time, otherwise we might have to find another solution for docker-mailserver to be in an operable state.
Any further thoughts on this?

@wernerfred That's a very good idea. I would like to close this issue in the meantime. If there is no solution on the mentioned repository, I'd re-open this here.

I think it's better to leave it open.

  1. If the other repository provides a solution, we need to update docker-mailserver to use the updated reference
  2. If no solution is provided, we should change the mechanism or fork the project and update it ourselves

But as long as neither of the two options is clarified, it is still an issue within the project. Do you agree?

Both options would be solved with a PR which can reference and close the issue then. This way we can make clear it's only closed when the problem is solved.

I fully agree. We'll leave this open.

Closed by 94c2a68bd5ceddfab6651f806248a0a11926c2c3.
