
WIP: Allow system users to auth on the mail stack and send emails

Open alexAubin opened this issue 4 years ago • 4 comments

The problem

c.f. https://github.com/YunoHost/issues/issues/947

It is not easy to configure an app to send emails. While packaging an app (transpay), it explicitly required being able to auth on the mail server. I started creating a system user ... but realized it could not authenticate (because only LDAP accounts are able to with the current conf).

Solution

Thanks to the help of @taziden I was able to configure dovecot to accept system users to authenticate. But postfix also needs to be tweaked to allow foobar to send emails with From equal to [email protected]. For this, I added a new file /etc/postfix/sender_login_maps to the smtpd_sender_login_maps. It needs to be filled with:

[email protected] foobar

and then you gotta run postmap /etc/postfix/sender_login_maps ... (and possibly reload postfix ?)

This PR is not yet done, as we need to find some mechanism to manage this file automatically. I think we'd like to have some helper like

user_password=$(openssl rand -hex 16)
ynh_create_system_user foobar --password ${user_password} --allow-email [email protected]
  • the password stuff is necessary to configure the app
  • --allow-email would add the appropriate stuff in /etc/postfix/sender_login_maps and run postmap ... the removal of the user shall also be tweaked to remove the corresponding line from the file... and the tricky part is to handle the domain change during change_url (I mean that's doable but meh can't we find something more clever)

PR Status

Kind of tested ... need to work on the app helpers at some point

How to test

Zblerg, you can use a small python script with smtplib that auth and sends an email with a custom system user

Validation

  • [ ] Principle agreement 0/2 :
  • [ ] Quick review 0/1 :
  • [ ] Simple test 0/1 :
  • [ ] Deep review 0/1 :

alexAubin avatar Sep 27 '19 21:09 alexAubin
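A worked version of the smtplib test script mentioned under "How to test", together with the bookkeeping the PR description wants for /etc/postfix/sender_login_maps (grant, removal on user deletion, domain change during change_url). This is an added example, not YunoHost code; it assumes the submission port 587 with STARTTLS, and the addresses under example.test are constructed.

```python
import smtplib
from email.message import EmailMessage


def parse_login_map(text):
    """Parse 'sender login[,login...]' lines into {sender: [logins]}; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sender, logins = line.split(None, 1)
            table[sender.lower()] = [lg.strip() for lg in logins.split(",")]
    return table


def render_login_map(table):
    """Serialise back to the postfix text format (run postmap on the file afterwards)."""
    return "".join(f"{s} {','.join(ls)}\n" for s, ls in sorted(table.items()) if ls)


def allow_sender(text, sender, login):
    """Return the map with `login` allowed to use `sender` as From (idempotent)."""
    table = parse_login_map(text)
    logins = table.setdefault(sender.lower(), [])
    if login not in logins:
        logins.append(login)
    return render_login_map(table)


def revoke_login(text, login):
    """Drop every grant for `login`, for when the system user is removed."""
    return render_login_map({s: [lg for lg in ls if lg != login] for s, ls in parse_login_map(text).items()})


def move_domain(text, login, old_domain, new_domain):
    """Rewrite the sender domain of `login`'s entries after a change_url."""
    moved = {}
    for sender, logins in parse_login_map(text).items():
        local, _, domain = sender.rpartition("@")
        if login in logins and domain == old_domain.lower():
            sender = f"{local}@{new_domain.lower()}"
        moved[sender] = list(dict.fromkeys(moved.get(sender, []) + logins))
    return render_login_map(moved)


def send_as_system_user(host, login, password, sender, recipient, body):
    """Auth as the system user and send one mail; postfix refuses a From the map does not grant."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "sender_login_maps test"
    msg.set_content(body)
    with smtplib.SMTP(host, 587) as smtp:  # assumed: submission port with STARTTLS
        smtp.starttls()
        smtp.login(login, password)
        smtp.send_message(msg)
```

Call send_as_system_user once with the system user's login and a From address that is in the map and once with one that is not; the second attempt should be rejected by postfix.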

Hello,

The other solution would be to create a "special" user in LDAP for the app in, for example, ou=apps,dc=yunohost,dc=org. The idea is to create a helper which creates this specific user. The other advantage is that we also solve the issue raised by @yalh76, about the authentication of some apps to LDAP with a specific user and password.

Josue-T avatar Sep 27 '19 21:09 Josue-T

The other advantage is that we also solve the issue raised by @yalh76, about the authentication of some apps to LDAP with a specific user and password.

Uh can you elaborate on this ?

alexAubin avatar Sep 27 '19 21:09 alexAubin

So, @yalh76 said at one meeting that some apps (like mastodon) need a user and password to access LDAP, even if the access is free. So one solution was to create a yunohost user and use this user to be able to authenticate to LDAP. But this solution is not really clean because an app is not really a user. So my proposal to solve this is (and I think @yalh76 said the same thing) to create a user but in another place in LDAP, so the real user is separated from the "app" user. So the solution is, for example, to put the real user in LDAP in ou=users,dc=yunohost,dc=org and the user for the apps in ou=apps,dc=yunohost,dc=org. The other advantage of that is that you can also use this user for email, for example, so by this you can have more flexibility.

If I were to implement this (I've written this in my todo list but I have just no many things, so it might never be done...), I would create a function in the core based on the function for the user, but maybe with just some customization more adapted to the apps.

Josue-T avatar Sep 27 '19 21:09 Josue-T

So what's the status? Is this PR needed? Or is https://github.com/YunoHost/yunohost/pull/977 enough to fix the issue?

zamentur avatar Sep 23 '20 00:09 zamentur

up @zamentur @alexAubin see https://github.com/YunoHost-Apps/synapse_ynh/issues/362

Gredin67 avatar Jan 28 '23 11:01 Gredin67

Discussed today:

  • we need a mechanism (maybe an app setting ?) to be able to override the user part
  • same for the domain part

alexAubin avatar Mar 02 '23 21:03 alexAubin

Remaining items are done, planning to merge in 11.2

alexAubin avatar Jun 20 '23 16:06 alexAubin