Integration with UCS/Mail

From Univention Wiki



Use an existing UCS mailstack in Apps

If the App relies on an existing mail infrastructure (IMAP, SMTP), best practice is to set the dependency RequiredAppsInDomain=mailserver in the App's ini file. This way the UCS mailstack has to be installed (anywhere in the UCS domain) before the installation of the App is allowed.

The next step is to configure the App to use the UCS IMAP/SMTP server. This should be done in the App's join script.

...
eval "$(univention-config-registry shell)"
...
# use the first IMAP server found in LDAP as IMAP, SMTP and Sieve server
mailserver="$(univention-ldapsearch -LLL univentionService=IMAP cn | grep "^cn: " | sed s/"^cn: "// | head -n1)"
if [ -n "$mailserver" ]; then
        mailserver="$mailserver.$domainname"

        # non-Docker
        my-app-setup --config imap="$mailserver"
        my-app-setup --config smtp="$mailserver"
        my-app-setup --config sieve="$mailserver"

        # for Docker Apps the helper script joinscript_run_in_container
        # can be used to run commands in the container
        . /usr/share/univention-appcenter/joinscripthelper.sh
        joinscript_run_in_container my-app-setup --config imap="$mailserver"
        joinscript_run_in_container my-app-setup --config smtp="$mailserver"
        joinscript_run_in_container my-app-setup --config sieve="$mailserver"
fi
...

This snippet searches the UCS LDAP for a host offering the service IMAP and sets the FQDN of this host as IMAP, SMTP and Sieve server for the App. This may not be the correct server for every setup, but it is at least a good default.

Best practice IMAP settings:

  • TLS
  • Port 143
  • Authentication is possible for domain users with a mailPrimaryAddress
  • Both the uid and the mailPrimaryAddress are valid user names for authentication

Best practice SMTP settings:

  • TLS
  • Port 587 (submission) for authentication
  • AUTH LOGIN or AUTH PLAIN
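The following is an added example (not code from the Univention wiki page) that wraps the server discovery shown above in reusable functions: an explicit UCR override (the key name myapp/mailserver is hypothetical) takes precedence, otherwise the first IMAP host from LDAP is used, and the join script fails with a clear message instead of silently configuring an empty server name. The printed client settings follow the best-practice lists above (STARTTLS on 143 and 587, AUTH PLAIN, Sieve on 4190).

```shell
#!/bin/bash
# Added example, not from the wiki page: resolve the mail server for the App.
# An explicit UCR override (hypothetical key myapp/mailserver) wins; otherwise
# the first host offering the IMAP service in LDAP is used, as on the page.

# Extract the first "cn:" value from LDIF on stdin (the output of
# "univention-ldapsearch -LLL univentionService=IMAP cn").
first_cn_from_ldif() {
    grep '^cn: ' | sed 's/^cn: //' | head -n1
}

# resolve_mailserver OVERRIDE DOMAINNAME < LDIF
# Prints the FQDN to use; returns 1 and prints nothing if no server was found.
resolve_mailserver() {
    local override="$1" domainname="$2" host
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    host="$(first_cn_from_ldif)"
    [ -n "$host" ] || return 1
    printf '%s.%s\n' "$host" "$domainname"
}

# Client settings following the best-practice lists on the page: STARTTLS on
# the plain ports 143 (IMAP) and 587 (submission) rather than implicit TLS,
# AUTH PLAIN for SMTP, and Sieve on 4190 (port taken from the page).
print_client_config() {
    local server="$1"
    cat <<EOF
imap_host=$server
imap_port=143
imap_starttls=yes
smtp_host=$server
smtp_port=587
smtp_starttls=yes
smtp_auth=PLAIN
sieve_host=$server
sieve_port=4190
EOF
}

# Usage inside a join script; only runs on a UCS system where the tools exist.
if [ "${BASH_SOURCE[0]}" = "$0" ] && command -v univention-ldapsearch >/dev/null; then
    eval "$(univention-config-registry shell domainname)"
    mailserver="$(univention-ldapsearch -LLL univentionService=IMAP cn | \
        resolve_mailserver "$(ucr get myapp/mailserver)" "$domainname")" || {
        echo "no IMAP server found in the domain; set myapp/mailserver" >&2
        exit 1
    }
    print_client_config "$mailserver"
fi
```

The override exists because, as the page notes, the first IMAP host in LDAP is only a default; an administrator with several mail servers can pin the App to the right one without editing the join script.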

Provide SMTP/IMAP in Docker Apps

To provide SMTP and/or IMAP services in a Docker App, these services have to be stopped on the Docker host. This can be done in the App's preinst Docker script.

#!/bin/bash

# stop imap/smtp on docker host
test -e /etc/init.d/postfix && service postfix stop
test -e /etc/init.d/dovecot && service dovecot stop
ucr set postfix/autostart='no'
ucr set dovecot/autostart='no'

To map SMTP and/or IMAP ports from the container to the host, so that the Docker host can be used as IMAP/SMTP server, the parameter PortsExclusive can be set in the App's ini file to the relevant ports (here: 110, 143, 993, 995, 587, 25, 465, 4190 for pop3(s), imap(s), smtp(s), submission and sieve).

Firewall exceptions for these ports are created automatically.

Best practice is to at least map the IMAP data store (the mailboxes) to the Docker host to separate data from the container (important for the migration to Docker and for Docker image updates). These Docker volumes can be configured in the App's ini file (here: /var/spool/dovecot).
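As an added example (not the wiki page's own preinst script), the following preinst helper stops the host services as shown above and then verifies that none of the PortsExclusive ports is still bound on the Docker host, so that a port conflict aborts the installation with a clear message instead of failing later when the container starts. Parsing "ss -Hltn" output is the assumption here; the port list is the one given on the page.

```shell
#!/bin/bash
# Added example, not from the wiki page: preinst helper for a Docker App that
# provides SMTP/IMAP. After stopping the host services it checks that none of
# the ports from PortsExclusive is still in use on the Docker host.

# Ports from the page's PortsExclusive example.
MAIL_PORTS="25 110 143 465 587 993 995 4190"

# listening_ports: read "ss -Hltn" output on stdin, print one local port per line.
# The local address is the 4th column; the port is the text after its last colon
# (works for 0.0.0.0:25, [::]:25 and *:25 alike).
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# conflicting_ports WANTED_PORTS LISTENING_PORTS: print those wanted ports that
# are still in use. LISTENING_PORTS is newline-separated, as listening_ports prints.
conflicting_ports() {
    local wanted="$1" listening="$2" port
    for port in $wanted; do
        printf '%s\n' "$listening" | grep -qx "$port" && printf '%s\n' "$port"
    done
    return 0
}

# The actual preinst steps; only run on a UCS host where ucr exists.
if [ "${BASH_SOURCE[0]}" = "$0" ] && command -v ucr >/dev/null; then
    test -e /etc/init.d/postfix && service postfix stop
    test -e /etc/init.d/dovecot && service dovecot stop
    ucr set postfix/autostart='no' dovecot/autostart='no'
    busy="$(conflicting_ports "$MAIL_PORTS" "$(ss -Hltn | listening_ports)")"
    if [ -n "$busy" ]; then
        echo "preinst: ports still in use on the Docker host: $(echo $busy)" >&2
        exit 1
    fi
fi
```

A port that is still bound after postfix and dovecot were stopped usually means another service (a second MTA, a mail gateway) is installed on the host; reporting it in preinst is cheaper than debugging a container that cannot bind its sockets.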

SSL/TLS certificates

To provide SSL/TLS for IMAP and SMTP in the Docker container, it is possible to map the Docker host's (UCS) certificate into the container by adding HostCertificateAccess=true to the App's ini file.

IMAP (e.g. dovecot) and SMTP (e.g. postfix) services can then be configured to use the Docker host's certificate /etc/univention/ssl/FQDN_OF_DOCKER_HOST/cert.pem and its private key /etc/univention/ssl/FQDN_OF_DOCKER_HOST/private.key.

Local mail on the Docker host

With postfix stopped on the Docker host, mail can no longer be delivered locally. If that is a problem, the following setup can help.

Install the "extremely simple MTA" ssmtp and configure it to relay to localhost (our Docker container is listening on localhost:25).

univention-install --yes ssmtp
# add mailhub=localhost:25 to /etc/ssmtp/ssmtp.conf

Now configure postfix in the Docker container to deliver mails from the Docker host locally by adding the FQDN of the Docker host to mydestination:

ucr set mail/postfix/mydestination="\$myhostname, localhost.\$mydomain, localhost, $DOCKER_HOST_NAME"
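The two steps above, as an added example that is not part of the wiki page: an idempotent helper that sets mailhub in /etc/ssmtp/ssmtp.conf (replacing an existing or commented-out line instead of appending a duplicate, so a re-run of the join script is safe), and a function that builds the postfix mydestination value from the page with the Docker host's FQDN appended. The file path and the DOCKER_HOST_NAME variable are taken from the page; the helper names are assumptions.

```shell
#!/bin/bash
# Added example, not from the wiki page: local mail delivery on the Docker host
# via ssmtp, plus the container-side postfix mydestination value.

SSMTP_CONF=/etc/ssmtp/ssmtp.conf

# set_conf_key FILE KEY VALUE: set "KEY=VALUE" in a simple key=value file.
# An existing (possibly commented-out) line for KEY is replaced in place,
# otherwise the line is appended. Idempotent, so a join script may re-run it.
set_conf_key() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#?[[:space:]]*$key=" "$file" 2>/dev/null; then
        sed -i -E "s|^#?[[:space:]]*$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# mydestination_value HOSTFQDN: the postfix mydestination list from the page
# with the Docker host's FQDN appended. $myhostname and $mydomain are postfix
# variables and must reach postfix literally, hence the single quotes.
mydestination_value() {
    printf '$myhostname, localhost.$mydomain, localhost, %s\n' "$1"
}

# Usage; only runs on a UCS system where univention-install exists.
if [ "${BASH_SOURCE[0]}" = "$0" ] && command -v univention-install >/dev/null; then
    # On the Docker host: the container's postfix listens on localhost:25.
    univention-install --yes ssmtp
    set_conf_key "$SSMTP_CONF" mailhub localhost:25
    # Inside the container (e.g. via joinscript_run_in_container): accept mail
    # addressed to the Docker host as local mail.
    ucr set mail/postfix/mydestination="$(mydestination_value "$DOCKER_HOST_NAME")"
fi
```

Keeping the postfix variables unexpanded is the point of mydestination_value: if the shell expanded $myhostname to an empty string, postfix would no longer treat its own hostname as a local destination.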