Changing ssh keys is possible by documentation of self service password. I also enabled it in the config.inc.php in the volume, but it does not seem to have worked.. How do I properly enable it?

Should be

 update_config background_image ${BACKGROUND_IMAGE} 

Hi,

I've configured a container and mapped /assets/custom/ with local directory which contains an 'images' folder. That folder contains two images. I'm trying to set one as logo and the other as background via environment variables and via custom config.inc.php but no one works. The config.inc.php file (mapped in /assets/custom/conf) already contains a several custom configs and all works well.

# config.inc.php

# Logo
$logo = "images/my-logo.png";

# Background image
$background_image = "images/my_background.jpg";

Entering in the container, the config file (/www/ssp/conf/config.inc.php) presents the two image variables with your default values. The environment variables are correct with same value as defined in config but are ignored. Editing the config file manually with same values works. However I think that this behavior isn't desired.

Hi,
Just in the README.md file, you say the env variable is "BACKGROUND" but it's currently "BACKGROUND_IMAGE" as in template
Thank you for your image :)

Summary

I was looking into how to set LDAP Tool Box Self Service Password's $pwd_complexity ("how many different class of characters (lower, upper, digit, special) are needed in the password") and found that this file contains environmental variable PASSWORD_COMPLEXITY. This variable is not documented in the README, but I expected it to work nonetheless. However, setting it to value 3 did not enforce the use of three different classes of characters.

Steps to reproduce

1. Set PASSWORD_COMPLEXITY environment variable to a value larger than 1.
2. Try setting a password which does not adhere to that restriction. Example: Use value 3 and try password "hello-world" (which has only two classes of characters).
3. The password is accepted even though it does not fulfill the policy.

What is the expected correct behavior?

I would expect the new password to be rejected if it does not fulfill the policy.

Relevant logs and/or screenshots

-

Environment

• Image version / tag: latest
• Host OS: Ubuntu 20.04.4

version: "3"
services:

  ssp:
    image: tiredofit/self-service-password:latest
    networks:
      - traefik
    volumes:
      - ./data/ssp-logs:/www/logs
    environment:
      ## LDAP
      - LDAP_SERVER=ldap://openldap
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=${LDAP_ADMIN_USER}
      - LDAP_BINDPASS=${LDAP_ADMIN_PASS}
      - LDAP_BASE_SEARCH=${LDAP_SEARCH_BASEDN}
      - LDAP_LOGIN_ATTRIBUTE=${LDAP_USERNAME_FIELD}
      - LDAP_FULLNAME_ATTRIBUTE=${LDAP_NAME_FIELD}
      - PASSWORD_HASH=CRYPT
      - PASSWORD_MIN_LENGTH=8
      - PASSWORD_COMPLEXITY=3
      - PASSWORD_NO_REUSE=true
      - PASSWORD_SHOW_POLICY=always
      - PASSWORD_SHOW_POLICY_POSITION=below
      - WHO_CAN_CHANGE_PASSWORD=user
      - QUESTIONS_ENABLED=false
      - IS_BEHIND_PROXY=true
      - SHOW_HELP=true
      - LANG=en
      - SECRETEKEY=${SSP_SECRETEKEY}
      - USE_RECAPTCHA=false
      - DEFAULT_ACTION=change
      - USE_TOKENS=true
      - MAIL_USE_LDAP=true
      - LDAP_MAIL_ATTRIBUTE=mail
      - MAIL_FROM=${SMTP_FROM}
      - NOTIFY_ON_CHANGE=true
      - SMTP_HOST=${SMTP_HOST}
      - SMTP_AUTH_ON=true
      - SMTP_USER=${SMTP_USER}
      - SMTP_PASS=${SMTP_PASS}
      - SMTP_PORT=${SMTP_PORT}
      - SMTP_SECURE_TYPE=${SMTP_TYPE}
    labels:
      - traefik.enable=true
      - traefik.http.routers.ssp.rule=Host(`ssp.${DOMAIN}`)
    restart: unless-stopped

networks:
  traefik:
    external:
      name: traefik_webgateway

Possible fixes

Maybe the variable has to be added to this file as well?

Summary

After upgrading the Docker image from 5.2.1 to 5.2.2, it failed to start.

Steps to reproduce

Upgrade from 5.2.1 to 5.2.2.

What is the expected correct behavior?

Self Service Password should start up as normal.

Relevant logs and/or screenshots

2022-06-26.11:07:43 [STARTING] ** [nginx] [50] Starting nginx 1.23.0
nginx: [emerg] open() "/etc/nginx/nginx.conf.d/php-fpm.conf" failed (2: No such file or directory) in /etc/nginx/sites.available/ssp.conf:11
2022-06-26.11:07:44 [ERROR] ** [nginx] POTENTIAL RUNWAY DETECTECTED: Disabling 10-nginx service because it has tried restarting '50' times

Environment

From docker-compose.yml:

  passwordchange:
    container_name: passwordchange
    hostname: passwordchange
    domainname: xxx
#    image: tiredofit/self-service-password:latest
    image: tiredofit/self-service-password:5.2.1
    restart: unless-stopped
    expose:
      - 80
    volumes:
      - /containers/passwordchange:/www/ssp
    environment:
      - LDAP_SERVER=ldap
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=xxx
      - LDAP_BINDPASS=${LDAP_ADMIN_PASSWORD}
      - LDAP_BASE_SEARCH=xxx
      - LDAP_FILTER
      - LDAP_ANSWER_ATTRIBUTE=info
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
      - LDAP_MAIL_ATTRIBUTE=mail
      - LDAP_SMS_ATTRIBUTE==nobile
      - LDAP_SSHKEY_ATTRIBUTE=sshPublicKey
      - AD_OPT_CHANGE_EXPIRED_PASSWORD=true
      - AD_OPT_FORCE_PWD_CHANGE=false
      - AD_OPT_FORCE_UNLOCK=false
      - ADMODE=false
      - PASSWORD_HASH=SSHA
      - QUESTIONS_ANSWER_OBJECTCLASS=extensibleObject
      - SAMBA_EXPIRE_DAYS=0
      - SAMBA_MAX_AGE=0
      - SAMBA_MIN_AGE=0
      - SAMBA_MODE=true
      - SHADOW_OPT_UPDATE_SHADOWEXPIRE=false
      - SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
      - PASSWORD_DIFFERENT_LOGIN=true
      - PASSWORD_MAX_LENGTH=0
      - PASSWORD_MIN_DIGIT=1
      - PASSWORD_MIN_LENGTH=8
      - PASSWORD_MIN_LOWERCASE=1
      - PASSWORD_MIN_SPECIAL=1
      - PASSWORD_MIN_UPPERCASE=0
      - PASSWORD_NO_REUSE=false
      - PASSWORD_NO_SPECIAL_ENDS=false
      - PASSWORD_SHOW_POLICY_POSITION=above
      - PASSWORD_SHOW_POLICY=never
      - PASSWORD_SPECIAL_CHARACTERS=^a-zA-Z0-9
      - PASSWORD_USE_PWNED=false
      - WHO_CAN_CHANGE_PASSWORD=user
      - USE_QUESTIONS=false
      - NOTIFY_ON_CHANGE=false
      - NOTIFY_ON_SSHKEY_CHANGE=false
      - USE_TOKENS=false
      - USE_SMS=false
      - USE_RECAPTCHA=false
      - DEBUG_MODE=false
      - DEFAULT_ACTION=change
      - ENABLE_RESET_LOG=false
      - IS_BEHIND_PROXY=true
      - SITE_URL=https://xxx
      - LANG=en
      - SHOW_HELP=true
    depends_on:
      - ldap
    links: 
      - ldap
    networks:
      - nginxnet
      - ldapnet

Downgrading back to 5.2.1 fixed the issue.

Summary

If LDAP_BINDPASS contains a special character (like $ or #) , when an error at start "bad substitution...." , and SSP is not able to connect to ldap server beacause LDAP_BINDPASS is set to default value in file config.inc.php

Steps to reproduce

Start containers with an LDAP_BINDPASS containing special characters: P@s$word

What is the expected correct behavior?

Not error at start and SSP work

Possible fixes

it's due to sed command in install/assets/functions/30-self-service-password

Seems possibly related to the docker-nginx update two days ago as it was working fine before that:

nginx: [emerg] unknown log format "specialLog" in /etc/nginx/conf.d/default.conf:6

Dug around the code there a bit but couldn't readily find where specialLog was defined :(

How to upgrade ssp to v1.4.4 ?

Hello @tiredofit I see you merged really fast my PR #26 and released new version of docker image..

But sadly 5.0.3 dont contain that change.. you create it from last master that did not include that change..
So I assume you need to create 5.0.4

nginx: [emerg] unknown directive "fastcgi_buffer_suze" in /etc/nginx/nginx.conf:40

I'm trying to set up SITE_URL so that I can have the app serve the correct URLs behind a proxy. I'm on kubernetes, here's my environment:

    Environment:
      LDAP_SERVER:       <redacted>
      LDAP_BINDDN:       <set to the key 'BINDDN' in secret 'ldap-binduser'>  Optional: false
      LDAP_BINDPASS:     <set to the key 'BINDPW' in secret 'ldap-binduser'>  Optional: false
      LDAP_STARTTLS:     false
      LDAP_BASE_SEARCH:   <redacted>
      SETUP_TYPE:        AUTO
      IS_BEHIND_PROXY:   true
      SITE_URL:          https:// <redacted>/passwd

The URLs coming from the app are incorrect. Here's the relevant part of the log I think:

[WARN] ** [self-service-password] Self Service Password Not Found, Installing version 1.3
[NOTICE] ** [self-service-password] Installation Complete
[WARN] ** [self-service-password] Autoconfiguring Settings based on defaults and evnironment variables
sed: /assets/ssp/config.inc.php.template: No such file or directory
[cont-init.d] 30-self-service-password: exited 0.

When i ssh into the pod, there's no /assets/ssp directory, although this directory is referenced here

Am I missing some configuration somewhere?

Hi,

It seems with environment variables like LDAP_BINDDN. That even when escaped the value gets cut off at the first space. e.g

LDAP_BINDDN=CN=Service User,OW=Service,DC,Domain etc
will end up in config like
$ldap_binddn = "CN=Service"

How can this be used with LDAPS i can't see a way of adding the CA

I will fordward here as plain as possible some concerns of integrating your container:
zokradonh/kopano-docker#70 (comment)

I assume that fetching a specific release from should be easily modified by changing this line:

Nevertheless, the second part, the mounting of the service itself in a persistent storage is more difficult in my eyes. We could surely omit the persistent story if this service is stateless and all configuration is passed by the docker env vars. If the service is not stateless, we have to keep the config and should provide update mechanisms when a new ssp version drops in via container update. Do you know about this detail, or should we invite directly https://github.com/ltb-project/self-service-password developers to the discussion?

best,
Christian

I see this php noticies at web browser:

Notice: Undefined index: HTTP_X_FORWARDED_PROTO in /www/ssp/conf/config.inc.php on line 244

Notice: Undefined index: HTTP_X_FORWARDED_HOST in /www/ssp/conf/config.inc.php on line 244

Something seems to be strange in the latest version?

I am getting a lot of these when starting the image:

  password    | + update_config ldap_url ldap
  password    | /var/run/s6/etc/cont-init.d/30-self-service-password: line 26: update_config: command not found

This are my ENV-Variables:

  DEBUG_MODE: "true"
  SETUP_TYPE: "AUTO"

  ...
  LDAP_* Settings
  ...
  PASSWORD_HASH: "SSHA"

  SAMBA_MODE: "true"
  USE_TOKENS: "false"
  TOKEN_CRYPT: "false"

Does anybody has an idea whats going wrong here? Thank you!

Summary

In a dual-stack Kubernetes environment the health checks default to probing via IPv6. The container nginx only listens on IPv4 by default.

[tiredofit/self-service-password 12:30:57 /] $ netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:73              0.0.0.0:*               LISTEN      3139/nginx: master 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3139/nginx: master 
tcp        0      0 :::8050                 :::*                    LISTEN      -
tcp        0      0 :::10050                :::*                    LISTEN      -

Steps to reproduce

From inside the container:

bash-5.1# curl http://[::1]:80/
curl: (7) Failed to connect to ::1 port 80 after 0 ms: Couldn't connect to server

What is the expected correct behavior?

Returns 200 OK.

Relevant logs and/or screenshots

Environment

Dual-Stack Kubernetes (k3s) using a helm chart:

https://github.com/jp-gouin/helm-openldap

• Image version / tag:
• Host OS: Debian

Possible fixes

Not sure if it's the correct solution, but adding listen [::]:80 ipv6only=off; to the nginx server config.

Hi,

The ENV LDAP_BINDPASS is not working, in config file there is still "secret" und with LDAP_BINDPW there is then this "".

Hi all,

There should be a BASE_PATH parameter when using ingress controller/kubernetes. Now i specify ingress on path /ssp and only the index.php is shown. Links to css and images are broken. There is an option IS_BEHIND_PROXY and SITE_URL but that does not work for the ingress(reverse proxy)

I configured ingress for multiple apps like phpmyadmin/phpldapadmin/bookstack etc and there it works fine after specifying the base_path. This settings however is missing from SSP, or i haven't found it.

Summary

Making change to config.inc.php when mapping /www/ssp/conf may lost after container recreate.

Steps to reproduce

1. Map /www/ssp/conf to host.
2. Edit config.inc.php
3. Delete container, and start new container with same image.
4. Changes in config.inc.php lost and content had reset to default.

What is the expected correct behavior?

The changes in configuration file should not reset.

Relevant logs and/or screenshots

Environment

docker

• Image version / tag: latest
• Host OS:

Possible fixes

Seems should map /www/ssp for workaround. On install stage, should check the config.inc.php exists before extract configuration file.

I'm getting the following error most of the times when I try to start this up:

ssp    | [cont-init.d] 99-container: executing...
ssp    | **********************************************************************************************************************                                                         
ssp    | **********************************************************************************************************************                                                         
ssp    | ****                                                                                                              ****                                                         
ssp    | ****       ERROR - All scripts have not initialized properly - All services are now halted                        ****                                                         
ssp    | ****             - Please enter the container find out why the missing *-init state file hasn't been written      ****                                                         
ssp    | ****                                                                                                              ****                                                         
ssp    | **********************************************************************************************************************                                                         
ssp    | **********************************************************************************************************************                                                          

But when this error does not come up, SSP works fine.

Here's my docker-compose file:

version: "3"
services:
  ssp:
    image: tiredofit/self-service-password:latest
    container_name: ssp
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:ssp.${DOMAIN}
    volumes:
      - ./data/ssp-data:/www/ssp
      - ./data/ssp-logs:/www/logs
    environment:
      ## LDAP
      - LDAP_SERVER=ldap://openldap
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=${LDAP_ADMIN_USER}
      - LDAP_BINDPASS=${LDAP_ADMIN_PASS}
      - LDAP_BASE_SEARCH=${LDAP_SEARCH_BASEDN}
      - LDAP_LOGIN_ATTRIBUTE=${LDAP_USERNAME_FIELD}
      - LDAP_FULLNAME_ATTRIBUTE=${LDAP_NAME_FIELD}
      ## SSP Password Settings
      - PASSWORD_HASH=CRYPT
      - PASSWORD_MIN_LENGTH=12
      - PASSWORD_NO_REUSE=true
      - PASSWORD_SHOW_POLICY=always
      - PASSWORD_SHOW_POLICY_POSITION=below
      ## SSP Other Settings
      - WHO_CAN_CHANGE_PASSWORD=user
      - QUESTIONS_ENABLED=false
      - IS_BEHIND_PROXY=true
      - SHOW_HELP=true
      - LANG=en
      - DEBUG_MODE=false
      - SECRETEKEY=${SSP_SECRETEKEY}
      - USE_RECAPTCHA=false
      - DEFAULT_ACTION=change
      - USE_TOKENS=false
    networks:
      - traefik
    restart: always
networks:
  traefik:
    external:
      name: traefik_webgateway

Can anyone help? I'd like to follow the hint "Please enter the container find out why the missing *-init state file hasn't been written" but I don't know where in the container to look. I've tried to look at log files but couldn't find anything.

Thanks!

reCaptcha Version 2 fails to evaluate. I am getting the following error in the fpm log:

NOTICE: PHP message: reCAPTCHA error: invalid-json

I am using the latest version of the docker-self-service-password container.

A first google search brought me to this article:
[https://stackoverflow.com/questions/30106668/nocaptcha-returning-error-invalid-json]

allow_url_fopen boolean

This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.

But that is just a guess.

Bye
Anganthier

Always sets with provided client's browser's locale.

Summary

Change the password by email. Click the link to enter, and the token is invalid.
Observe all sending links. There are two lengths of tokens. The short length access will prompt invalid, and the long one is normal.

Normally：http://10.254.254.62:2389/index.php?action=resetbytoken&token=3vUCAPDFRYL7qzoetcJxIQvStduXO2lAPKIqM%2BjwLEVz2QvfNsBkDFsor%2BLBSiNTb1D4NYB%2FEM9uB%2BevPX0F0ShLEP73vHitVidIZTKBNcJGYJI6DDvbfTb8VQw01dIBEEl48lrZu6yRcr8MV7fnbFY2s%2BA%3D
Abnormal：http://10.254.254.62:2389/index.php?action=resetbytoken&token=3vUCAKoVlsd1ygZCfdSKQiSlO3m5amHFd0nOTvDca18KQcWOrn1MUp%2BhhvLCL3yqo8KTsuaeZL0lnpNwdJZb1UdZrMBEpbSlEExmaagubaydYnvb

Steps to reproduce

The current situation is UTC-8 time zone. The links sent from 7:51 a.m. to 8:41 a.m. are invalid, while those sent after 8:41 a.m. are normal.

Environment

Centos7

• Image version / tag:
• tiredofit/self-service-password:5.1.2

Description of the feature
Current docker image does not support LDAPS with self signed certificates.
And Windows 2016 does not allow changing passwords via unencrypted LDAP (and I would not recommend it either...)

Benftits of feature
Broader usage

Additional context
See my PR #43 for the code change.

BR,
Bjarne.

2021/05/31 09:28:35 [error] 1928#1928: *1 FastCGI sent in stderr: "PHP message: Send reset URL https://ssp:8089/index.php?action=resetbytoken&token=3vUCAG8MEQmsO5ExZQaXvCLZA1ccdar4h8bZvPIoI%2Fsggg7Z%2BgQfEi1drcAuBlGEn8D0VfLqWJj%2BMjbwynades5yG2hObRpHVcErjkM7bSFZi3sQ3rE5Y9yiKTpofMOjvV0UWbIrLCO4e8mwSOGC%2B%2Fo%3DPHP message: send_mail: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/TroubleshootingPHP message: Error while sending token to [email protected] (user linmuqin)" while reading response header from upstream, client: 119.139.198.161, server: , request: "POST /?action=sendtoken HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "ssp:8089", referrer: "http://ssp:8089/?action=sendtoken"

configure:

      - IS_BEHIND_PROXY=false
      - SITE_URL=http://ssp.ops.kkaaa.com

logfile php-fpm.log

[12-Jun-2020 07:54:41] ERROR: unable to bind listening socket for address '0.0.0.0:9000': Address in use (98)
[12-Jun-2020 07:54:41] ERROR: FPM initialization failed

repeating endless.

after looking around, see your base image exposes port 9000. Maybe this conflicts with the upper image tiredofit/docker-nginx-php-fpm.

Is there a way to solve this problem. Software itself runs - so i dont see any effects of php-fpm for self-service-password stack.

Thank You

Prodblem:

Notice: Undefined variable: use_pwnedpasswords in /www/ssp/index.php on line 35

which env need to set ?

I love your up to date and lightweight container. Nevertheless, there is one configuration option which i am not able to get working.

I am running an instance of tomav/docker-mailserver with self-signed certificates. This seems to be problematic, because sending mails to this instance (here called mail) break on verifying the certificate. Alternatively i want to send the mail directly to port 25 without ssl, because this network is in a DMZ. But i am not able to disable ssl in your cotnainer for smtp.

An outdated alternative container to yours is able to do it:
https://github.com/dtwardow/docker-ldap-self-service-password/blob/master/assets/config/msmtp/msmtprc.auth

But i was not able to adapt this configuration in your container build. So my question is, is there any way to disable ssl for smtp? How can we patch it in? I do not want to run the out-dated version of ssp only to get this config option.

best,
Christian

here is the log of the failure of the certificate verification problem.

Connection: opening to mail:25, timeout=30, options=array ()
Connection: opened
SMTP -> get_lines(): $data is ""
SMTP -> get_lines(): $str is "220 mail.kopano.demo ESMTP Postfix (Debian)"
SERVER -> CLIENT: 220 mail.kopano.demo ESMTP Postfix (Debian)
CLIENT -> SERVER: EHLO kopano.demo
SMTP -> get_lines(): $data is ""
SMTP -> get_lines(): $str is "250-mail.kopano.demo"
SMTP -> get_lines(): $data is "250-mail.kopano.demo"
SMTP -> get_lines(): $str is "250-PIPELINING"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING"
SMTP -> get_lines(): $str is "250-SIZE 10240000"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000"
SMTP -> get_lines(): $str is "250-ETRN"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN"
SMTP -> get_lines(): $str is "250-STARTTLS"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS"
SMTP -> get_lines(): $str is "250-AUTH PLAIN LOGIN"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN"
SMTP -> get_lines(): $str is "250-AUTH=PLAIN LOGIN"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN250-AUTH=PLAIN LOGIN"
SMTP -> get_lines(): $str is "250-ENHANCEDSTATUSCODES"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN250-AUTH=PLAIN LOGIN250-ENHANCEDSTATUSCODES"
SMTP -> get_lines(): $str is "250-8BITMIME"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN250-AUTH=PLAIN LOGIN250-ENHANCEDSTATUSCODES250-8BITMIME"
SMTP -> get_lines(): $str is "250-DSN"
SMTP -> get_lines(): $data is "250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN250-AUTH=PLAIN LOGIN250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN"
SMTP -> get_lines(): $str is "250 SMTPUTF8"
SERVER -> CLIENT: 250-mail.kopano.demo250-PIPELINING250-SIZE 10240000250-ETRN250-STARTTLS250-AUTH PLAIN LOGIN250-AUTH=PLAIN LOGIN250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN250 SMTPUTF8
CLIENT -> SERVER: STARTTLS
SMTP -> get_lines(): $data is ""
SMTP -> get_lines(): $str is "220 2.0.0 Ready to start TLS"
SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [/www/ssp/lib/vendor/PHPMailer/class.smtp.php line 369]
SMTP Error: Could not connect to SMTP host.
CLIENT -> SERVER: QUIT
SMTP -> get_lines(): $data is ""

The option PASSWORD_HASH=auto stores the password in clear text if no password is set before, because there is no Hash mechanism used if no password exists.
I think it would be a better way to use a standard Hash mechanism like SHA instead of using clear text. So the password is hashed, even if no password exists before.

Description of the feature

I see you have a github action to trigger a build and publish to docker hub. I would like to see this action triggered by a cron ( maybe once a week or so ) - the last publish seems to have been ~ 3 months ago. this would make it easier for the end user to use images and dont have to patch them on their own.

Benftits of feature

overall reduce attack surface for users by regularly patching issues.

Additional context

https://gist.github.com/loeken/5a6568b7507818629700273377eab9ed <- current trivy report for your image

The token, which is send via email looks as follows:

http:///index.php?action=resetbytoken&token=3vUCAGq...

As you can see, the FQDN is missing. I am running the service behind an ssl-terminating reverse proxy with the following config:
https://github.com/zokradonh/kopano-docker/blob/a630007059cf4c0ec52dc1d713bd8d52f172bde2/docker-compose.yml-example#L53-L88

even when i add

IS_BEHIND_PROXY="https://${FQDN}/password-reset/"

No the crafted link inside the email does not contain any domain. I already have checked, that FQDN is properly set.

What do i missing here?

I have been trying to set the "MAIL_FROM_NAME" variable for a bit now, however I can't for the life of me work around the sed's replacements. With the signature, where I wanted new lines, I used a block and escaped the backslashes once for the sed and that is that. Docker compose snippet:

environment:
  MAIL_USE_LDAP: 'true'
  MAIL_FROM_NAME: >-
    Password Service
  MAIL_SIGNATURE: >-
    \\n\\n--\\n\\n
  NOTIFY_ON_CHANGE: 'true'

The end result is always similar to $mail_from_name = "Password";.
I have tried using Password\ Service, however that leads to no change. With Password\\ Service I get $mail_from_name = "Password\";. Adding further slashes just increases the amount of slashes on the output every other slash, it doesn't actually escape the space character.

Any help would be appreciated, I'd prefer to configure the entire thing through the environment variables instead of manually as it makes it easier to also configure sensitive variables like the email password.

Hi @tiredofit,

I was trying out your container and I noticed that you use sed to substitute the environment variables into the SSP config template file. I just wanted to let you know about an awesome tool called Gomplate that could make that process a whole lot cleaner and more elegant IMHO.

You can use the Go template format for your config template then substitute the values straight from the container environment variables with a single command, using Gomplate ( a 4.51MB binary ). It is very nice. I just used it in my own SSP container:

config.inc.local.php.template:

...
# LDAP
$ldap_url = "{{.Env.LDAP_URL}}";
$ldap_starttls = {{.Env.LDAP_STARTTLS}};
$ldap_binddn = "{{.Env.LDAP_BINDDN}}";
$ldap_bindpw = "{{.Env.LDAP_BINDPW}}";
$ldap_base = "{{.Env.LDAP_BASE}}";
$ldap_login_attribute = "{{.Env.LDAP_LOGIN_ATTRIBUTE}}";
$ldap_fullname_attribute = "{{.Env.LDAP_FULLNAME_ATTRIBUTE}}";
{{if not .Env.LDAP_FILTER}}
$ldap_filter = "(&(objectClass={{.Env.LDAP_OBJECT_CLASS}})($ldap_login_attribute={login}}))";
{{else}}
$ldap_filter = "{{.Env.LDAP_FILTER}}";
{{end}}
...

Having if statements and other functions lets you add logic like I did with the LDAP_FILTER variable. Very cool.

Anyway, that's just my tip from one Docker geek to another. Hope you enjoy. 😃