tallence / push-notification-kafka-plugin

A driver for Dovecot's Push Notification Framework for publishing push notification events to a Kafka broker.

Use tls with librdkafka #4

Closed jrse closed 6 years ago

jrse commented 6 years ago

Librdkafka does have SSL support (https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka)

For security reasons, it is always a good idea to use TLS for network communication if available.

The notification plugin should have a configuration option to use ssl with the push-notification-kafka-plugin.

There are two possible solutions to push the configuration to the plugin:

  a. use 90-plugin.conf with: <prefix>.<settingname>=<value>
  b. use a "separate" configuration file (referenced in 90-plugin.conf)

The librdkafka library already supports a configuration object (see rdkafka_conf.c for all possible options).

Solution a:

Solution b:

jrse commented 6 years ago

Passwords in Dovecot config files: AuthDatabase SQL stores the pwd as plain text in the configuration file.

Dovecot encryption: there are Dovecot encryption functions in password-scheme.h which are used in the auth module and the doveadm pw plugin.

encrypt: doveadm pw -s CRYPT

decrypt: password-scheme.h (passwd_decode)

jrse commented 6 years ago

List of all librdkafka configuration options: https://docs.confluent.io/2.0.0/clients/librdkafka/CONFIGURATION_8md.html

jrse commented 6 years ago

All configuration values now have the kafka.notification prefix.

Configuration settings as described in (https://docs.confluent.io/2.0.0/clients/librdkafka/CONFIGURATION_8md.html) can be passed directly to librdkafka. To pass a setting directly, the prefix kafka.notification.settings is mandatory.

The following is an example to configure tls in 90-plugin.conf:

```
kafka.notification.kafka_brokers=:9093
kafka.notification.debug=all
kafka.notification.settings.security.protocol=ssl
kafka.notification.settings.ssl.key.location=client_host.key
kafka.notification.settings.ssl.key.password=PLAINTEXT pwd
kafka.notification.settings.ssl.certificate.location=client_host.pem
kafka.notification.settings.ssl.ca.location=ca-cert
```

(To generate a test ca and certificates you can follow the howto at : https://github.com/edenhill/librdkafka/wiki/Using-SSL-with-librdkafka)
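One way to apply the passthrough rule described in the comment above, as an added C example that is not part of the plugin's code: it strips the kafka.notification.settings. prefix to recover the librdkafka option name, and checks a constructed "key=value" settings list for TLS being enabled together with a CA location, which librdkafka needs to verify the broker certificate. The function names and the settings list are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Settings carrying this prefix are handed straight to librdkafka. */
#define PASSTHROUGH_PREFIX "kafka.notification.settings."

/* Returns the librdkafka option name carried by a plugin setting key
 * (e.g. "security.protocol"), or NULL for plugin-level settings such
 * as kafka.notification.debug that are not passed through. */
const char *rdkafka_option_name(const char *key)
{
    size_t plen = strlen(PASSTHROUGH_PREFIX);
    if (strncmp(key, PASSTHROUGH_PREFIX, plen) != 0 || key[plen] == '\0')
        return NULL;
    return key + plen;
}

/* Scans "key=value" settings (constructed input, not Dovecot's parser)
 * and reports whether a TLS transport is selected and a CA location is
 * configured. Both "ssl" and "sasl_ssl" are TLS-based librdkafka
 * security.protocol values. Hypothetical helper name. */
bool tls_config_is_complete(const char *const *settings, size_t n)
{
    bool tls = false, ca = false;
    for (size_t i = 0; i < n; i++) {
        char key[256];
        const char *eq = strchr(settings[i], '=');
        if (eq == NULL || (size_t)(eq - settings[i]) >= sizeof key)
            continue; /* malformed or oversized key: skip it */
        memcpy(key, settings[i], (size_t)(eq - settings[i]));
        key[eq - settings[i]] = '\0';
        const char *opt = rdkafka_option_name(key);
        if (opt == NULL)
            continue; /* plugin-level setting, not a librdkafka option */
        const char *val = eq + 1;
        if (strcmp(opt, "security.protocol") == 0 &&
            (strcmp(val, "ssl") == 0 || strcmp(val, "sasl_ssl") == 0))
            tls = true;
        else if (strcmp(opt, "ssl.ca.location") == 0 && val[0] != '\0')
            ca = true;
    }
    return tls && ca;
}
```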

jrse commented 6 years ago

Dovecot test configuration, to test the notification plugin with imaptest and IMAP clients.

```
./dovecot/conf.d/20-imap.conf: mail_plugins = $mail_plugins notify push_notification_kafka push_notification imap_acl
./dovecot/conf.d/20-lmtp.conf: mail_plugins = $mail_plugins notify push_notification_kafka push_notification
./dovecot/conf.d/90-plugin.conf: kafka.notification.kafka_brokers=jrse-box.fritz.box:9093
./dovecot/conf.d/90-plugin.conf: kafka.notification.debug=all
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.security.protocol=ssl
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.key.location=clientclient.key
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.key.password=adcdefgh
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.certificate.location=clientclient.pem
./dovecot/conf.d/90-plugin.conf: kafka.notification.settings.ssl.ca.location=ca-cert
./dovecot/conf.d/90-plugin.conf: push_notification_driver=kafka
```