This repository contains the configuration for EMF's Freescout setup, which runs in Docker containers, and makes use of Nginx as a reverse proxy, and UFFD for authentication.
Our protection is now upstream of our Freescout deployment, so isn't contained
here, and makes use of uffd-nginxauth in a separate Nginx instance, which
communicates the authenticated user in the `REMOTE-USER` header. The Nginx
deployment inside this repo will read this header and pass the logged-in
user's username in the `X_AUTH_USER` FastCGI variable to Freescout. Freescout
trusts that variable as the identity of the user, so the Nginx instance in
this repo should only be reachable through the upstream one.
Freescout regularly queries the UFFD LDAP directory and creates user accounts for anyone with access, setting access to appropriate mailboxes based on group memberships.
There's also an IMAP & SMTP server somewhere which provides Freescout with access to the actual emails that are being handled. That's provided by [waves arms vaguely] something. We'll work that bit out if we get that far.
Here's a pretty picture of how all that fits together (now outdated):
- Update the values in `.env` (or set environment variables via some other method) to match your actual setup.
- `docker compose up` to start the necessary services.
- You'll need a separate proxy instance set up to provide the `REMOTE-USER` HTTP header, or provide it yourself for development purposes.
- You should now be able to access the Freescout instance. Use the default username and password from `.env` to log in.
- Follow the steps in Freescout Setup below.
`docker compose -f docker-compose.yml -f docker-compose.dev.yml up` will bring
up a stack consisting of the Freescout setup, plus UFFD configured with some
test users. `testadmin` / `adminpassword` will log you in as an administrator,
`testuser` / `userpassword` as a standard user.
It will automatically create an OAuth2 client and API client, as long as you don't change
the settings from `.env.example`.
This all assumes you're running with the default settings from `.env.example`. Change them
if you're not.
- Log in as `admin@example.org` with the password `freescout`.
- Activate the LDAP module.
- Go to LDAP settings
  - LDAP Host: `uffd-ldapd`
  - Port: `389`
  - Bind DN: `ou=system,dc=example,dc=org`
  - Bind Username: `service`
  - Bind Password: `$UFFD_LDAP_BIND_PASSWORD` from the .env file
  - Set the filter to `ou=users,dc=example,dc=org(objectclass=person)`.
  - Save the settings, or the following step will fail.
  - Click "Connect & Fetch Attributes"
  - Map `mail` to Email, `cn` to First Name, and `sn` to everything else (this is a nasty hack taking advantage of UFFD not setting a surname field to allow optional fields to be ignored).
  - Toggle Automatic Import on
  - Toggle LDAP Authentication on
  - Set $_SERVER key to `X_AUTH_USER`
  - Set Locate users by to `uid`
  - Save the settings.
  - Click `Import Now` and acknowledge.
  - Toggle Automatic Permission Sync on
  - Save the settings.
- Go to Manage -> Users, and grant your own user the Administrator role.
If you delete all your cookies and log back in you should now be dropped straight in as your authenticated user.
Mailbox access can either be manually configured by an admin (not a good idea)
or automatically synchronised via LDAP. To configure via LDAP you need to feed
Freescout a query to find all the relevant users, which will typically look
something like `(&(memberOf=cn=group-name,ou=groups,dc=example,dc=org))`.
Any LDAP query that returns a list of users will work.
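
A mailbox filter is built from a group name, and a name containing characters such as `,`, `(` or `*` has to be escaped twice: once as a DN value (RFC 4514) and once as a filter assertion value (RFC 4515). The helper below is an added example, not part of this repository; its function names are hypothetical, the group base DN is taken from the example filter above, and it goes beyond the single-group case by OR-ing several groups together.

```python
"""Build Freescout mailbox-access LDAP filters from group names (added example)."""

# Assumption: groups live under the base DN used in the README's example filter.
GROUPS_BASE = "ou=groups,dc=example,dc=org"

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '\\",+;<>' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as a filter assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mailbox_filter(groups, base=GROUPS_BASE):
    """Return a filter matching users who belong to any of the named groups."""
    groups = list(groups)
    if not groups or any(not g for g in groups):
        raise ValueError("need at least one non-empty group name")
    clauses = [
        "(memberOf=" + escape_filter_value(f"cn={escape_dn_value(g)},{base}") + ")"
        for g in groups
    ]
    # One group reproduces the README's form; several are OR-ed together.
    body = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return "(&" + body + ")"


if __name__ == "__main__":
    print(mailbox_filter(["group-name"]))
    print(mailbox_filter(["Team (EU), ops", "support"]))  # constructed names
```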
