blob: 9ac2dc64be80416eef36ccefa5ed73c6dea4ccef [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +01001#!/bin/bash
2set -e
3
4# Wait for MySQL to warm-up
5while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
6 echo "Waiting for database to come up..."
7 sleep 2
8done
9
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +020010until dig +short mailcow.email > /dev/null; do
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +010011 echo "Waiting for DNS..."
12 sleep 1
13done
14
15# Do not attempt to write to slave
16if [[ ! -z ${REDIS_SLAVEOF_IP} ]]; then
17 REDIS_CMDLINE="redis-cli -h ${REDIS_SLAVEOF_IP} -p ${REDIS_SLAVEOF_PORT}"
18else
19 REDIS_CMDLINE="redis-cli -h redis -p 6379"
20fi
21
22until [[ $(${REDIS_CMDLINE} PING) == "PONG" ]]; do
23 echo "Waiting for Redis..."
24 sleep 2
25done
26
27${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
28
29# Create missing directories
30[[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
31[[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
32[[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
33[[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
34[[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
35[[ ! -d /var/volatile ]] && mkdir -p /var/volatile
36
37# Set Dovecot sql config parameters, escape " in db password
38DBPASS=$(echo ${DBPASS} | sed 's/"/\\"/g')
39
40# Create quota dict for Dovecot
41if [[ "${MASTER}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
42 QUOTA_TABLE=quota2
43else
44 QUOTA_TABLE=quota2replica
45fi
46cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-quota.conf
47# Autogenerated by mailcow
48connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
49map {
50 pattern = priv/quota/storage
51 table = ${QUOTA_TABLE}
52 username_field = username
53 value_field = bytes
54}
55map {
56 pattern = priv/quota/messages
57 table = ${QUOTA_TABLE}
58 username_field = username
59 value_field = messages
60}
61EOF
62
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +010063# Create dict used for sieve pre and postfilters
64cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_before.conf
65# Autogenerated by mailcow
66connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
67map {
68 pattern = priv/sieve/name/\$script_name
69 table = sieve_before
70 username_field = username
71 value_field = id
72 fields {
73 script_name = \$script_name
74 }
75}
76map {
77 pattern = priv/sieve/data/\$id
78 table = sieve_before
79 username_field = username
80 value_field = script_data
81 fields {
82 id = \$id
83 }
84}
85EOF
86
87cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-sieve_after.conf
88# Autogenerated by mailcow
89connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
90map {
91 pattern = priv/sieve/name/\$script_name
92 table = sieve_after
93 username_field = username
94 value_field = id
95 fields {
96 script_name = \$script_name
97 }
98}
99map {
100 pattern = priv/sieve/data/\$id
101 table = sieve_after
102 username_field = username
103 value_field = script_data
104 fields {
105 id = \$id
106 }
107}
108EOF
109
110echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
111
112if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200113echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
114echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
115echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100116else
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200117echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_solr listescape replication' > /etc/dovecot/mail_plugins
118echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_solr listescape replication' > /etc/dovecot/mail_plugins_imap
119echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_solr notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100120fi
121chmod 644 /etc/dovecot/mail_plugins /etc/dovecot/mail_plugins_imap /etc/dovecot/mail_plugins_lmtp /templates/quarantine.tpl
122
123cat <<EOF > /etc/dovecot/sql/dovecot-dict-sql-userdb.conf
124# Autogenerated by mailcow
125driver = mysql
126connect = "host=/var/run/mysqld/mysqld.sock dbname=${DBNAME} user=${DBUSER} password=${DBPASS}"
127user_query = SELECT CONCAT(JSON_UNQUOTE(JSON_VALUE(attributes, '$.mailbox_format')), mailbox_path_prefix, '%d/%n/${MAILDIR_SUB}:VOLATILEDIR=/var/volatile/%u:INDEX=/var/vmail_index/%u') AS mail, '%s' AS protocol, 5000 AS uid, 5000 AS gid, concat('*:bytes=', quota) AS quota_rule FROM mailbox WHERE username = '%u' AND (active = '1' OR active = '2')
128iterate_query = SELECT username FROM mailbox WHERE active = '1' OR active = '2';
129EOF
130
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200131cat <<EOF > /etc/dovecot/lua/passwd-verify.lua
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100132function auth_password_verify(req, pass)
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200133
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100134 if req.domain == nil then
135 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
136 end
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200137
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100138 if cur == nil then
139 script_init()
140 end
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200141
142 if req.user == nil then
143 req.user = ''
144 end
145
146 respbody = {}
147
148 -- check against mailbox passwds
149 local cur,errorString = con:execute(string.format([[SELECT password FROM mailbox
150 WHERE username = '%s'
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100151 AND active = '1'
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200152 AND domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')
153 AND IFNULL(JSON_UNQUOTE(JSON_VALUE(mailbox.attributes, '$.force_pw_update')), 0) != '1'
154 AND IFNULL(JSON_UNQUOTE(JSON_VALUE(attributes, '$.%s_access')), 1) = '1']], con:escape(req.user), con:escape(req.domain), con:escape(req.service)))
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100155 local row = cur:fetch ({}, "a")
156 while row do
157 if req.password_verify(req, row.password, pass) == 1 then
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200158 con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
159 VALUES ("%s", 0, "%s", "%s")]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip)))
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100160 cur:close()
161 con:close()
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100162 return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
163 end
164 row = cur:fetch (row, "a")
165 end
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200166
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100167 -- check against app passwds for imap and smtp
168 -- app passwords are only available for imap, smtp, sieve and pop3 when using sasl
169 if req.service == "smtp" or req.service == "imap" or req.service == "sieve" or req.service == "pop3" then
170 local cur,errorString = con:execute(string.format([[SELECT app_passwd.id, %s_access AS has_prot_access, app_passwd.password FROM app_passwd
171 INNER JOIN mailbox ON mailbox.username = app_passwd.mailbox
172 WHERE mailbox = '%s'
173 AND app_passwd.active = '1'
174 AND mailbox.active = '1'
175 AND app_passwd.domain IN (SELECT domain FROM domain WHERE domain='%s' AND active='1')]], con:escape(req.service), con:escape(req.user), con:escape(req.domain)))
176 local row = cur:fetch ({}, "a")
177 while row do
178 if req.password_verify(req, row.password, pass) == 1 then
179 -- if password is valid and protocol access is 1 OR real_rip matches SOGo, proceed
180 if tostring(req.real_rip) == "__IPV4_SOGO__" then
181 cur:close()
182 con:close()
183 return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
184 elseif row.has_prot_access == "1" then
185 con:execute(string.format([[REPLACE INTO sasl_log (service, app_password, username, real_rip)
186 VALUES ("%s", %d, "%s", "%s")]], con:escape(req.service), row.id, con:escape(req.user), con:escape(req.real_rip)))
187 cur:close()
188 con:close()
189 return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
190 end
191 end
192 row = cur:fetch (row, "a")
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200193 end
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200194 end
195
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100196 cur:close()
197 con:close()
198
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200199 return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, "Failed to authenticate"
200
201 -- PoC
202 -- local reqbody = string.format([[{
203 -- "success":0,
204 -- "service":"%s",
205 -- "app_password":false,
206 -- "username":"%s",
207 -- "real_rip":"%s"
208 -- }]], con:escape(req.service), con:escape(req.user), con:escape(req.real_rip))
209 -- http.request {
210 -- method = "POST",
211 -- url = "http://nginx:8081/sasl_log.php",
212 -- source = ltn12.source.string(reqbody),
213 -- headers = {
214 -- ["content-type"] = "application/json",
215 -- ["content-length"] = tostring(#reqbody)
216 -- },
217 -- sink = ltn12.sink.table(respbody)
218 -- }
219
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100220end
221
222function auth_passdb_lookup(req)
223 return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
224end
225
226function script_init()
227 mysql = require "luasql.mysql"
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200228 http = require "socket.http"
229 http.TIMEOUT = 5
230 ltn12 = require "ltn12"
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100231 env = mysql.mysql()
232 con = env:connect("__DBNAME__","__DBUSER__","__DBPASS__","localhost")
233 return 0
234end
235
236function script_deinit()
237 con:close()
238 env:close()
239end
240EOF
241
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200242# Replace patterns in app-passdb.lua
243sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
244sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
245sed -i "s/__DBNAME__/${DBNAME}/g" /etc/dovecot/lua/passwd-verify.lua
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100246sed -i "s/__IPV4_SOGO__/${IPV4_NETWORK}.248/g" /etc/dovecot/lua/passwd-verify.lua
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200247
248
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100249# Migrate old sieve_after file
250[[ -f /etc/dovecot/sieve_after ]] && mv /etc/dovecot/sieve_after /etc/dovecot/global_sieve_after
251# Create global sieve scripts
252cat /etc/dovecot/global_sieve_after > /var/vmail/sieve/global_sieve_after.sieve
253cat /etc/dovecot/global_sieve_before > /var/vmail/sieve/global_sieve_before.sieve
254
255# Check permissions of vmail/index/garbage directories.
256# Do not do this every start-up, it may take a very long time. So we use a stat check here.
257if [[ $(stat -c %U /var/vmail/) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail ; fi
258if [[ $(stat -c %U /var/vmail/_garbage) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail/_garbage ; fi
259if [[ $(stat -c %U /var/vmail_index) != "vmail" ]] ; then chown -R vmail:vmail /var/vmail_index ; fi
260
261# Cleanup random user maildirs
262rm -rf /var/vmail/mailcow.local/*
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200263# Cleanup PIDs
264[[ -f /tmp/quarantine_notify.pid ]] && rm /tmp/quarantine_notify.pid
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100265
266# create sni configuration
267echo "" > /etc/dovecot/sni.conf
268for cert_dir in /etc/ssl/mail/*/ ; do
269 if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
270 continue
271 fi
272 domains=($(cat ${cert_dir}domains))
273 for domain in ${domains[@]}; do
274 echo 'local_name '${domain}' {' >> /etc/dovecot/sni.conf;
275 echo ' ssl_cert = <'${cert_dir}'cert.pem' >> /etc/dovecot/sni.conf;
276 echo ' ssl_key = <'${cert_dir}'key.pem' >> /etc/dovecot/sni.conf;
277 echo '}' >> /etc/dovecot/sni.conf;
278 done
279done
280
281# Create random master for SOGo sieve features
282RAND_USER=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 16 | head -n 1)
283RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 24 | head -n 1)
284
285if [[ ! -z ${DOVECOT_MASTER_USER} ]] && [[ ! -z ${DOVECOT_MASTER_PASS} ]]; then
286 RAND_USER=${DOVECOT_MASTER_USER}
287 RAND_PASS=${DOVECOT_MASTER_PASS}
288fi
289echo ${RAND_USER}@mailcow.local:{SHA1}$(echo -n ${RAND_PASS} | sha1sum | awk '{print $1}'):::::: > /etc/dovecot/dovecot-master.passwd
290echo ${RAND_USER}@mailcow.local::5000:5000:::: > /etc/dovecot/dovecot-master.userdb
291echo ${RAND_USER}@mailcow.local:${RAND_PASS} > /etc/sogo/sieve.creds
292
293if [[ -z ${MAILDIR_SUB} ]]; then
294 MAILDIR_SUB_SHARED=
295else
296 MAILDIR_SUB_SHARED=/${MAILDIR_SUB}
297fi
298cat <<EOF > /etc/dovecot/shared_namespace.conf
299# Autogenerated by mailcow
300namespace {
301 type = shared
302 separator = /
303 prefix = Shared/%%u/
304 location = maildir:%%h${MAILDIR_SUB_SHARED}:INDEX=~${MAILDIR_SUB_SHARED}/Shared/%%u
305 subscriptions = no
306 list = children
307}
308EOF
309
310cat <<EOF > /etc/dovecot/sogo_trusted_ip.conf
311# Autogenerated by mailcow
312remote ${IPV4_NETWORK}.248 {
313 disable_plaintext_auth = no
314}
315EOF
316
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200317# Create random master Password for SOGo SSO
318RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
319echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
320cat <<EOF > /etc/dovecot/sogo-sso.conf
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100321# Autogenerated by mailcow
322passdb {
323 driver = static
324 args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
325}
326EOF
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100327
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100328if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200329 # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated
330 cat <<'EOF' > /usr/local/bin/quota_notify.py
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100331#!/usr/bin/python3
332import sys
333sys.exit()
334EOF
335fi
336
337# 401 is user dovecot
338if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
339 openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
340 openssl pkey -in /mail_crypt/ecprivkey.pem -pubout -out /mail_crypt/ecpubkey.pem
341 chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
342else
343 chown 401 /mail_crypt/ecprivkey.pem /mail_crypt/ecpubkey.pem
344fi
345
346# Compile sieve scripts
347sievec /var/vmail/sieve/global_sieve_before.sieve
348sievec /var/vmail/sieve/global_sieve_after.sieve
349sievec /usr/lib/dovecot/sieve/report-spam.sieve
350sievec /usr/lib/dovecot/sieve/report-ham.sieve
351
352# Fix permissions
353chown root:root /etc/dovecot/sql/*.conf
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200354chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
355chmod 640 /etc/dovecot/sql/*.conf /etc/dovecot/lua/passwd-verify.lua
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100356chown -R vmail:vmail /var/vmail/sieve
357chown -R vmail:vmail /var/volatile
358chown -R vmail:vmail /var/vmail_index
359adduser vmail tty
360chmod g+rw /dev/console
361chown root:tty /dev/console
362chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
363 /usr/lib/dovecot/sieve/rspamd-pipe-spam \
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200364 /usr/local/bin/imapsync_runner.pl \
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100365 /usr/local/bin/imapsync \
366 /usr/local/bin/trim_logs.sh \
367 /usr/local/bin/sa-rules.sh \
368 /usr/local/bin/clean_q_aged.sh \
369 /usr/local/bin/maildir_gc.sh \
370 /usr/local/sbin/stop-supervisor.sh \
371 /usr/local/bin/quota_notify.py \
372 /usr/local/bin/repl_health.sh
373
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100374# Prepare environment file for cronjobs
375printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh
376
377# Clean old PID if any
378[[ -f /var/run/dovecot/master.pid ]] && rm /var/run/dovecot/master.pid
379
380# Clean stopped imapsync jobs
381rm -f /tmp/imapsync_busy.lock
382IMAPSYNC_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'imapsync'" -Bs)
383[[ ! -z ${IMAPSYNC_TABLE} ]] && mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "UPDATE imapsync SET is_running='0'"
384
385# Envsubst maildir_gc
386echo "$(envsubst < /usr/local/bin/maildir_gc.sh)" > /usr/local/bin/maildir_gc.sh
387
388# GUID generation
389while [[ ${VERSIONS_OK} != 'OK' ]]; do
390 if [[ ! -z $(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -B -e "SELECT 'OK' FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = \"${DBNAME}\" AND TABLE_NAME = 'versions'") ]]; then
391 VERSIONS_OK=OK
392 else
393 echo "Waiting for versions table to be created..."
394 sleep 3
395 fi
396done
397PUBKEY_MCRYPT=$(doveconf -P 2> /dev/null | grep -i mail_crypt_global_public_key | cut -d '<' -f2)
398if [ -f ${PUBKEY_MCRYPT} ]; then
399 GUID=$(cat <(echo ${MAILCOW_HOSTNAME}) /mail_crypt/ecpubkey.pem | sha256sum | cut -d ' ' -f1 | tr -cd "[a-fA-F0-9.:/] ")
400 if [ ${#GUID} -eq 64 ]; then
401 mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
402REPLACE INTO versions (application, version) VALUES ("GUID", "${GUID}");
403EOF
404 else
405 mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} << EOF
406REPLACE INTO versions (application, version) VALUES ("GUID", "INVALID");
407EOF
408 fi
409fi
410
411# Collect SA rules once now
412/usr/local/bin/sa-rules.sh
413
414# Run hooks
415for file in /hooks/*; do
416 if [ -x "${file}" ]; then
417 echo "Running hook ${file}"
418 "${file}"
419 fi
420done
421
422# For some strange, unknown and stupid reason, Dovecot may run into a race condition, when this file is not touched before it is read by dovecot/auth
423# May be related to something inside Docker, I seriously don't know
Matthias Andreas Benkard7b2a3a12021-08-16 10:57:25 +0200424touch /etc/dovecot/lua/passwd-verify.lua
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +0100425
426exec "$@"