
EMF Freescout Config

This repository contains the configuration for EMF's Freescout setup, which runs in Docker containers and uses Nginx as a reverse proxy and UFFD for authentication.

Authentication now happens upstream of our Freescout deployment, so it isn't contained here: a separate Nginx instance running uffd-nginxauth authenticates the user and communicates the result in the REMOTE-USER header. The Nginx deployment inside this repo reads that header and passes the logged-in user's username to Freescout in the X_AUTH_USER FastCGI variable.
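The trust rule behind that header, as an added illustration rather than this repository's Nginx config: REMOTE-USER only means something when the upstream uffd-nginxauth hop set it, so the inner proxy should honour it from that hop alone and forward no X_AUTH_USER otherwise. The proxy address range, the username allow-list and the function name are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network
import re

# Assumption: the address range the separate uffd-nginxauth proxy connects from.
# Only that hop may assert REMOTE-USER; from any other peer the header carries
# no authentication and must be ignored.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]

# Assumption: a conservative allow-list for a UFFD username before it is handed
# to Freescout as X_AUTH_USER (Freescout looks the value up in LDAP).
_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def auth_user_param(headers: dict, peer_ip: str) -> dict:
    """FastCGI variables to add for one request.

    Returns {"X_AUTH_USER": name} when a well-formed REMOTE-USER header arrived
    from a trusted proxy, otherwise {} so Freescout sees no asserted identity
    and falls back to its own login form.
    """
    # HTTP header names are case-insensitive; normalise before looking one up.
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get("remote-user", "").strip()
    if not user:
        return {}
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return {}          # asserted by something other than the auth proxy: drop it
    if not _USERNAME.match(user):
        return {}          # malformed value: drop rather than forward
    return {"X_AUTH_USER": user}


if __name__ == "__main__":
    print(auth_user_param({"REMOTE-USER": "testuser"}, "10.0.0.5"))     # from the proxy
    print(auth_user_param({"REMOTE-USER": "testuser"}, "203.0.113.9"))  # not from the proxy
```

The same rule expressed in Nginx terms is: set the FastCGI variable from the header only on the server block that the auth proxy reaches, and never from a listener that clients can reach directly.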

Freescout regularly queries the UFFD LDAP directory and creates user accounts for anyone with access, setting access to appropriate mailboxes based on group memberships.

There's also an IMAP & SMTP server somewhere which provides Freescout with access to the actual emails that are being handled. That's provided by [waves arms vaguely] something. We'll work that bit out if we get that far.

Here's a pretty picture of how all that fits together (now outdated):

Diagram

Deployment

  1. Update the values in .env (or set environment variables via some other method) to match your actual setup.
  2. Run docker compose up to start the necessary services.
  3. You'll need a separate proxy instance set up to provide the REMOTE-USER HTTP header, or provide it yourself for development purposes.
  4. You should now be able to access the Freescout instance. Use the default username and password from .env to log in.
  5. Follow the steps in Freescout Setup below.

Development

TODO: this is currently broken since vouch was ripped out.

docker compose -f docker-compose.yml -f docker-compose.dev.yml up will bring up a stack consisting of the Freescout setup, plus UFFD configured with some test users. testadmin / adminpassword will log you in as an administrator, testuser / userpassword as a standard user.

Then create a service and OAuth client, with redirect URI http://localhost:8136/ and logout URI GET http://localhost:8136/vouch/logout. The client ID and secret should match your .env file, or you can leave them empty and afterwards update .env and restart.

Also add an LDAP service and API client with username and password matching UFFD_LDAP_USER and UFFD_LDAP_PASSWORD. Give it access to users and checkpassword.

Freescout Setup

This all assumes you're running with the default settings from .env.example. Change them if you're not.

  1. Log in as [email protected] with the password freescout.
  2. Activate the LDAP module.
  3. Go to LDAP settings
    1. LDAP Host: uffd-ldap
    2. Port: 389
    3. Bind DN: ou=system,dc=example,dc=org
    4. Bind Username: service
    5. Bind Password: $UFFD_LDAP_BIND_PASSWORD from the .env file
    6. Set the filter to ou=users,dc=example,dc=org(objectclass=person).
    7. Save the settings, or the following step will fail.
    8. Click "Connect & Fetch Attributes"
    9. Map mail to Email, cn to First Name, and sn to everything else (this is a nasty hack: UFFD never sets a surname field, so mapping the optional fields to sn makes Freescout ignore them).
    10. Toggle Automatic Import on
    11. Toggle Automatic Permission Sync on
    12. Toggle LDAP Authentication on
    13. Set $_SERVER key to X_AUTH_USER
    14. Set Locate users by to mail
  4. Go to Manage -> Users, and grant your own user the Administrator role.

If you delete all your cookies and log back in you should now be dropped straight in as your authenticated user.

Configuring Mailbox Access

Mailbox access can either be manually configured by an admin (not a good idea) or automatically synchronised via LDAP. To configure via LDAP you need to feed Freescout a query to find all the relevant users, which will typically look something like (&(memberOf=cn=group-name,ou=groups,dc=example,dc=org)).

Any LDAP query that returns a list of users will work.
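To try a query before putting it into Freescout's LDAP settings, here is an added example (not code from this repository or from Freescout) that builds the group filter above for a configured group name and evaluates it against a few constructed user entries, using a small evaluator for the &, |, ! and equality parts of an RFC 4515 filter. The base DN, the sample users and the allow-list on group names are assumptions.

```python
import re

GROUPS_BASE = "ou=groups,dc=example,dc=org"   # assumption, matching the README's example DN
_SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def mailbox_filter(group_cn: str) -> str:
    """Build the memberOf filter for one mailbox group.

    Group names come from configuration, so an allow-list keeps a stray
    ',' '(' or '*' from changing the meaning of the query.
    """
    if not _SAFE_CN.match(group_cn):
        raise ValueError(f"unsafe group name: {group_cn!r}")
    return f"(&(memberOf=cn={group_cn},{GROUPS_BASE}))"


# --- minimal RFC 4515 subset: &, |, ! and attr=value equality (value '*' = presence) ---
def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")   # split on the first '=' only: the value may be a DN
    return ("=", attr.lower(), value), j + 1


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = entry.get(attr, [])
    if isinstance(vals, str):
        vals = [vals]
    if value == "*":
        return bool(vals)
    # DN-valued attributes compare case-insensitively in LDAP; approximate that here.
    return any(v.lower() == value.lower() for v in vals)


def search(entries, ldap_filter: str):
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters in filter")
    return [e for e in entries if matches(node, e)]


# Constructed sample entries in the shape UFFD exposes them (attribute names lower-cased).
USERS = [
    {"objectclass": ["person"], "cn": "testadmin", "mail": "testadmin@example.org",
     "memberof": ["cn=admins,ou=groups,dc=example,dc=org",
                  "cn=helpdesk,ou=groups,dc=example,dc=org"]},
    {"objectclass": ["person"], "cn": "testuser", "mail": "testuser@example.org",
     "memberof": ["cn=helpdesk,ou=groups,dc=example,dc=org"]},
    {"objectclass": ["person"], "cn": "outsider", "mail": "outsider@example.org",
     "memberof": []},
]


def mailbox_members(group_cn: str, entries=USERS):
    """Addresses that the given group's filter would grant access to a mailbox."""
    return [e["mail"] for e in search(entries, mailbox_filter(group_cn))]


if __name__ == "__main__":
    print(mailbox_filter("helpdesk"))
    print(mailbox_members("helpdesk"))
```

Because the evaluator understands any &/|/! combination, it can also check queries beyond the single memberOf form, for instance a filter that lists users in no group at all, which is useful for spotting accounts that would silently be left without mailbox access.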

Snags

  • Nginx is configured to redirect Freescout's logout page to Vouch, so that your OAuth token is revoked. This works in most cases, but if you then log in again as a different user the cookie left behind by Freescout will still think you're the user you initially logged in as. Delete all your cookies if you need to change users.