Closed jrse closed 6 years ago
Passwords in dovecot config files: AuthDatabase SQL: stores the pwd as plain text in configuration file
Dovecot encryption: There are dovecot encryption functions in password-scheme.h which are used in the auth module and doveadm pw plugin.
encrypt: doveadm pw -s CRYPT
decrypt: password-scheme.h (passwd_decode)
List of all librdkafka configuration options: https://docs.confluent.io/2.0.0/clients/librdkafka/CONFIGURATION_8md.html
All configuration values now have the kafka.notification prefix.
Configuration settings as described in (https://docs.confluent.io/2.0.0/clients/librdkafka/CONFIGURATION_8md.html) can be passed directly to librdkafka. To pass a setting directly, the prefix kafka.notification.settings is mandatory.
The following is an example to configure tls in 90-plugin.conf:
kafka.notification.kafka_brokers=
(To generate a test ca and certificates you can follow the howto at : https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka)
Dovecot test configuration, to test notification plugin with imaptest and imap clients.
./dovecot/conf.d/20-imap.conf: mail_plugins = $mail_plugins notify push_notification_kafka push_notification imap_acl
./dovecot/conf.d/20-lmtp.conf: mail_plugins = $mail_plugins notify push_notification_kafka push_notification
./dovecot/conf.d/90-plugin.conf: kafka.notification.kafka_brokers=jrse-box.fritz.box:9093
./dovecot/conf.d/90-plugin.conf: kafka.notification.debug=all
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.security.protocol=ssl
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.key.location=clientclient.key
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.key.password=adcdefgh
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.certificate.location=clientclient.pem
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.ca.location=ca-cert
./dovecot/conf.d/90-plugin.conf: push_notification_driver=kafka
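The prefix pass-through described above (a kafka.notification.settings.<name> key handed to librdkafka as <name>), as an added example that is not the plugin's own code. The function names, the rule that a property ending in "password" is a secret, and the "<hidden>" mask are assumptions of this sketch; it shows why the key password should not be echoed when kafka.notification.debug=all is set.

```c
#include <stdio.h>
#include <string.h>

/* Prefix from the page: settings below it are handed to librdkafka unchanged. */
#define SETTINGS_PREFIX "kafka.notification.settings."

/* Return the librdkafka property name for a 90-plugin.conf key, or NULL when
 * the key is not a pass-through setting (e.g. kafka.notification.debug). */
const char *kafka_passthrough_name(const char *key)
{
    size_t n = strlen(SETTINGS_PREFIX);
    if (strncmp(key, SETTINGS_PREFIX, n) != 0 || key[n] == '\0')
        return NULL;
    return key + n;
}

/* Assumed rule: a property whose last dotted component is "password" is a
 * secret and must never be written to debug output. */
int kafka_setting_is_secret(const char *name)
{
    const char *last = strrchr(name, '.');
    last = last ? last + 1 : name;
    return strcmp(last, "password") == 0;
}

/* Build a loggable "name=value" line with secrets masked; returns -1 for keys
 * that are not pass-through settings. A plugin would call
 * rd_kafka_conf_set(conf, name, value, errstr, sizeof errstr) here. */
int kafka_describe_setting(const char *key, const char *value, char *out, size_t outlen)
{
    const char *name = kafka_passthrough_name(key);
    if (name == NULL)
        return -1;
    snprintf(out, outlen, "%s=%s", name,
             kafka_setting_is_secret(name) ? "<hidden>" : value);
    return 0;
}

int main(void)
{
    /* Constructed sample, using keys from the test configuration on this page. */
    const char *kv[][2] = {
        {"kafka.notification.debug", "all"},
        {"kafka.notification.settings.security.protocol", "ssl"},
        {"kafka.notification.settings.ssl.key.password", "adcdefgh"},
    };
    char line[256];
    for (size_t i = 0; i < sizeof kv / sizeof kv[0]; i++)
        if (kafka_describe_setting(kv[i][0], kv[i][1], line, sizeof line) == 0)
            puts(line);
    return 0;
}
```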
Librdkafka does have SSL support (https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka)
Out of security considerations, it is always a good idea to use tls for network communication if available.
The notification plugin should have a configuration option to use ssl with the push-notification-kafka-plugin.
<prefix>.<settingname>=<value>
b. use "separate" configuration file (referenced in 90-plugin.conf)
The librdkafka library already supports a configuration object. (see rdkafka_conf.c for all possible options)
Solution a:
To pass all the librdkafka configuration to the plugin, a prefix for each possible setting should be used. e.g.
kafka.<settingname>=<value>
The plugin should be modified in the way that it reads all kafka.<settingname> properties from 90-plugin.conf and sets the <settingname>=<value> property of the rd_kafka_property struct, before setting up a kafka connection.
Solution b: