diff --git a/security/ejabberd-dovecot-auth/Makefile b/security/ejabberd-dovecot-auth/Makefile
new file mode 100644
index 00000000000..16e77104388
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/Makefile
@@ -0,0 +1,49 @@
+COMMENT = authenticate ejabberd against dovecot
+
+V = 0.20120116
+DISTNAME = ejabberd-dovecot-auth-${V}
+
+CATEGORIES = security net
+
+HOMEPAGE = https://www.ejabberd.im/check_dovecot_perl/index.html
+
+MAINTAINER = Kirill A. Korinsky
+
+# GPLv2+
+#
+# This script is based on check_mysql.pl
+# https://www.ejabberd.im/files/efiles/check_mysql.pl.txt
+# which is based on check_pass_null.pl, a part of ejabberd:
+# https://github.com/processone/ejabberd/blob/23.04/examples/extauth/check_pass_null.pl
+#
+# Since ejabberd has always been distributed under GPLv2+, this script
+# inherits the same license.
+PERMIT_PACKAGE = Yes
+
+SITES = https://www.ejabberd.im/files/contributions/
+
+DISTFILES = ${DISTNAME}.pl{check_dovecot.pl.txt}
+
+EXTRACT_ONLY =
+EXTRACT_SUFX =
+
+RUN_DEPENDS = mail/dovecot \
+ net/ejabberd \
+ security/p5-Authen-SASL-Authd \
+ sysutils/p5-Unix-Syslog
+
+NO_BUILD = Yes
+NO_TEST = Yes
+
+do-extract:
+ mkdir -p ${WRKSRC}
+ cp ${FULLDISTDIR}/${DISTNAME}.pl ${WRKSRC}/check-dovecot
+
+do-install:
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/ejabberd-dovecot-auth
+ ${INSTALL_DATA} ${FILESDIR}/dovecot-ejabberd-auth.conf \
+ ${PREFIX}/share/ejabberd-dovecot-auth
+ ${INSTALL_SCRIPT} ${WRKSRC}/check-dovecot \
+ ${PREFIX}/share/ejabberd-dovecot-auth
+
+.include
diff --git a/security/ejabberd-dovecot-auth/distinfo b/security/ejabberd-dovecot-auth/distinfo
new file mode 100644
index 00000000000..700367a80ae
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/distinfo
@@ -0,0 +1,2 @@
+SHA256 (ejabberd-dovecot-auth-0.20120116.pl) = B2u51A+Nj2WMB2Iq247uHm/B5aeeSZ2reMhtF6WGCJo=
+SIZE (ejabberd-dovecot-auth-0.20120116.pl) = 3572
diff --git a/security/ejabberd-dovecot-auth/files/dovecot-ejabberd-auth.conf b/security/ejabberd-dovecot-auth/files/dovecot-ejabberd-auth.conf
new file mode 100644
index 00000000000..4c026f11c11
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/files/dovecot-ejabberd-auth.conf
@@ -0,0 +1,13 @@
+service auth {
+ unix_listener ejabberd-userdb {
+ mode = 0660
+ user = _ejabberd
+ group = _ejabberd
+ }
+
+ unix_listener ejabberd-client {
+ mode = 0660
+ user = _ejabberd
+ group = _ejabberd
+ }
+}
diff --git a/security/ejabberd-dovecot-auth/patches/patch-check-dovecot b/security/ejabberd-dovecot-auth/patches/patch-check-dovecot
new file mode 100644
index 00000000000..3548364da8c
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/patches/patch-check-dovecot
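Review bot: In files/dovecot-ejabberd-auth.conf both listeners set `user` and `group` to `_ejabberd` with `mode = 0660`, so the group bits only matter if some other account is a member of that group, and that account would then get the same access to Dovecot's auth service; `mode = 0600` states the intent more tightly. The `ejabberd-userdb` listener also deserves a comment of its own, because Dovecot's sample master configuration warns that full permission on a userdb socket allows lookups for every user. Something like `# _ejabberd gets full userdb lookups here; needed for the isuser request of check-dovecot` above that listener would tell an administrator what installing the sample actually grants.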
@@ -0,0 +1,65 @@
+Update path to dovecot sockets, lift restrictions on password, use
+services name, improve loging
+
+Index: check-dovecot
+--- check-dovecot.orig
++++ check-dovecot
+@@ -61,32 +61,22 @@ use Authen::SASL::Authd qw(auth_dovecot user_dovecot);
+
+ while(1) {
+ my $buf = "";
+- syslog LOG_INFO,"ejabberd-dovecot-auth: waiting for packet";
++ syslog LOG_DEBUG,"ejabberd-dovecot-auth: waiting for packet";
+ my $nread = sysread STDIN,$buf,2;
+- do { syslog LOG_INFO,"ejabberd-dovecot-auth: port closed"; exit; } unless $nread == 2;
++ do { syslog LOG_DEBUG,"ejabberd-dovecot-auth: port closed"; exit; } unless $nread == 2;
+ my $len = unpack "n",$buf;
+ my $nread = sysread STDIN,$buf,$len;
+
+- my ($op,$user,$domain,$password) = split /:/,$buf;
+-
+- # Filter dangerous characters
+- $user =~ s/[."\n\r'\$`]//g;
+- $password =~ s/[."\n\r'\$`]//g;
+-
+- #$user =~ s/\./\//og;
++ my ($op,$user,$domain,$password) = split /:/,$buf,4;
++
+ my $result;
+
+- syslog(LOG_INFO,"ejabberd-dovecot-auth: request ($op, \"$user\@$domain\", '****')");
+- #print "ejabberd-dovecot-auth: request ($op, \"$user\@$domain\", $password)";
+-
+ SWITCH: {
+ $op eq 'auth' and do {
+- if (auth_dovecot("$user\@$domain", $password, timeout => 3, socket => '/var/run/dovecot/ejabberd')) {
++ if (auth_dovecot("$user\@$domain", $password, timeout => 3, socket => '/var/dovecot/ejabberd-client', service_name => 'ejabberd')) {
+ $result = true;
+- syslog(LOG_INFO,"ejabberd-dovecot-auth: -> +OK");
+ } else {
+ $result = false;
+- syslog(LOG_INFO,"ejabberd-dovecot-auth: -> -ERR");
+ }
+ },last SWITCH;
+
+@@ -95,15 +85,17 @@ while(1) {
+ },last SWITCH;
+
+ $op eq 'isuser' and do {
+- if (user_dovecot("$user\@$domain", timeout => 3, socket => '/var/run/dovecot/ejabberd')) {
++ if (user_dovecot("$user\@$domain", timeout => 3, socket => '/var/dovecot/ejabberd-userdb', service_name => 'ejabberd')) {
+ $result = true;
+- syslog(LOG_INFO,"ejabberd-dovecot-auth: -> +OK");
+ } else {
+ $result = false;
+- syslog(LOG_INFO,"ejabberd-dovecot-auth: -> -ERR");
+ }
+ },last SWITCH;
+ };
++
++ syslog(LOG_INFO, "ejabberd-dovecot-auth: request ($op, \"$user\@$domain\") -> "
++ . ($result ? "+OK" : "-ERR"));
++
+ my $out = pack "nn",2,$result ? 1 : 0;
+ syswrite STDOUT,$out;
+ }
diff --git a/security/ejabberd-dovecot-auth/pkg/DESCR b/security/ejabberd-dovecot-auth/pkg/DESCR
new file mode 100644
index 00000000000..295d4be1808
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/pkg/DESCR
@@ -0,0 +1,3 @@
+Script to authenticate ejabberd against dovecot
+
+Features: auth and isUser work, but setPass doesn't.
diff --git a/security/ejabberd-dovecot-auth/pkg/PLIST b/security/ejabberd-dovecot-auth/pkg/PLIST
new file mode 100644
index 00000000000..b1567d0b369
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/pkg/PLIST
@@ -0,0 +1,5 @@
+share/doc/pkg-readmes/${PKGSTEM}
+share/ejabberd-dovecot-auth/
+share/ejabberd-dovecot-auth/check-dovecot
+share/ejabberd-dovecot-auth/dovecot-ejabberd-auth.conf
+@sample ${SYSCONFDIR}/dovecot/conf.d/90-ejabberd-auth.conf
diff --git a/security/ejabberd-dovecot-auth/pkg/README b/security/ejabberd-dovecot-auth/pkg/README
new file mode 100644
index 00000000000..9320193439e
--- /dev/null
+++ b/security/ejabberd-dovecot-auth/pkg/README
@@ -0,0 +1,11 @@
++-------------------------------------------------------------------------------
+| Running ${PKGSTEM} on OpenBSD
++-------------------------------------------------------------------------------
+
+To use dovecot as authentication method you must enable it inside
+ejabeerd. Following code might be added globally to switch all vhosts to
+dovecot based authentication, or per required vhost.
+
+ auth_method: [external]
+ extauth_program: ${TRUEPREFIX}/share/ejabberd-dovecot-auth/check-dovecot
+
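Review bot: In patches/patch-check-dovecot, the new summary log line interpolates `$op`, `$user` and `$domain` into the second argument of `syslog`, which Unix::Syslog treats as a printf-style format, so a `%` in any of them is read as a conversion instead of being logged literally. Pass the values as arguments: `syslog(LOG_INFO, 'ejabberd-dovecot-auth: request (%s, "%s@%s") -> %s', $op, $user, $domain, $result ? '+OK' : '-ERR');`. The patch also drops the filter that stripped newlines and quotes from `$user`, which is right for `$password` but leaves the name and domain unvalidated on their way to the log and to `user_dovecot`. Whether Authen::SASL::Authd escapes tabs and newlines in that lookup is not visible here, so a guard before the SWITCH block such as `if ("$user$domain" =~ /[[:cntrl:]]/) { $result = 0; }` (skipping the lookup) would be cheap insurance. Only the two inner hunks of check-dovecot are shown, so the rest of the `while(1)` body is outside this review.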