Setting up a mail server in Docker with FreeIPA and Roundcube

I am trying to set up my own mail server with authentication against LDAP (FreeIPA). Everything has to run in a Docker container. I don't know what I'm doing wrong. Maybe it's my LDAP configuration.

version: '3.9'

services:
  freeipa:
    image: freeipa/freeipa-server:centos-9-stream-4.10.0
    container_name: ipa
    restart: unless-stopped
    tty: true
    stdin_open: true
    hostname: ipa
    domainname: ipa.example.local
    #read_only: true
    networks:
      priv_network:
        ipv4_address: 172.16.1.10
    extra_hosts:
      - "ipa.example.local:172.16.1.10"
    environment:
      - IPA_SERVER_HOSTNAME=ipa.example.local
      - IPA_SERVER_IP=172.16.1.10
      - TZ=Europe/Berlin
    command:
      - --realm=example.local
      - --domain=example.local
      - --ds-password=secret123
      - --admin-password=secret123
      - --no-host-dns
      - --setup-dns
      - --auto-forwarders
      - --allow-zone-overlap
      - --no-dnssec-validation
      - --unattended
      - --skip-mem-check
      - --auto-reverse
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    volumes:
      - ./vol/freeipa/data:/data
      - ./vol/freeipa/logs:/var/logs
      - ./vol/freeipa/config:/root/pw-portal/config
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    tmpfs:
      - /run
      - /var/cache
      - /tmp
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    ports:
      - 443:443
      - 389:389

  roundcubemail:
    image: roundcube/roundcubemail:latest
    container_name: roundcubemail
    volumes:
      - ./vol/roundcube/www:/var/www/html
      - ./vol/roundcube/db/sqlite:/var/roundcube/db
    ports:
      - 9002:80
    environment:
      - ROUNDCUBEMAIL_DB_TYPE=sqlite
      - ROUNDCUBEMAIL_SKIN=elastic
      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://172.16.1.11
      - ROUNDCUBEMAIL_SMTP_SERVER=tls://172.16.1.11
    networks:
      priv_network:

  mailserver:
    image: docker.io/mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail
    domainname: mail.example.local
    restart: unless-stopped
    volumes:
      - ./vol/mailserver/data/:/var/mail/
      - ./vol/mailserver/state/:/var/mail-state/
      - ./vol/mailserver/logs/:/var/log/mail/
      - ./vol/mailserver/config/:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro

    environment:
      - ENABLE_SPAMASSASSIN=0
      - ENABLE_CLAMAV=0
      - ENABLE_FAIL2BAN=0
      - ENABLE_POSTGREY=0
      - ACCOUNT_PROVISIONER=LDAP
      - LDAP_SERVER_HOST=ldap://ipa
      - LDAP_BIND_DN=uid=admin,cn=users,cn=accounts,dc=example,dc=local
      - LDAP_BIND_PW=secret123
      - LDAP_SEARCH_BASE=cn=users,cn=accounts,dc=example,dc=local
      - LDAP_QUERY_FILTER_DOMAIN=(mail=*@%s)
      - LDAP_QUERY_FILTER_USER=(mail=%U@%s)
      - LDAP_QUERY_FILTER_ALIAS=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_GROUP=(|) # doesn't match anything
      - LDAP_QUERY_FILTER_SENDERS=(mail=%s)
      - SPOOF_PROTECTION=1
      - ENABLE_SASLAUTHD=1
      - SASLAUTHD_MECHANISMS=ldap
      - SASLAUTHD_LDAP_FILTER=(&(mail=%[email protected])(objectClass=inetOrgPerson))
      - ONE_DIR=1
      - PERMIT_DOCKER=host
      - DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(mail=%u))
      - DOVECOT_PASS_ATTRS==password=%{ldap:userPassword},=user=%{ldap:uid}
      - DOVECOT_USER_ATTRS==home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid
    cap_add:
      - NET_ADMIN
    networks:
      priv_network:
        ipv4_address: 172.16.1.11

networks:
  priv_network:
    name: ext_priv_network
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.16.1.0/24
          gateway: 172.16.1.1

I created a user and logged in to IPA for the first time to set a password. When I try to log in to my Roundcube, I only get a login error message. The mail server printed the following output.

Dec 25 08:59:52 mail dovecot: auth: ldap(test.user,172.16.1.2,<m+/uPaPw4pasEAEC>): unknown user (SHA1 of given password: f2b14f)
Dec 25 08:59:54 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test.user>, method=PLAIN, rip=172.16.1.2, lip=172.16.1.11, session=<m+/uPaPw4pasEAEC>
Dec 25 09:00:39 mail postfix/pickup[1906]: 517F864B0E: uid=101 from=<root>
Dec 25 09:00:39 mail postfix/cleanup[1910]: 517F864B0E: message-id=<[email protected]>
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "[email protected]"
Dec 25 09:00:39 mail postfix/cleanup[1910]: warning: 517F864B0E: virtual_alias_maps map lookup problem for [email protected] -- message not accepted, try again later
Dec 25 09:00:39 mail postfix/pickup[1906]: 5228D64B0E: uid=0 from=<root>
Dec 25 09:00:39 mail postfix/cleanup[1923]: 5228D64B0E: message-id=<[email protected]>
Dec 25 09:00:39 mail postfix/cleanup[1923]: warning: dict_ldap_lookup: Search error 2: Protocol error 
Dec 25 09:00:39 mail postfix/cleanup[1923]: warning: ldap:/etc/postfix/ldap-aliases.cf lookup error for "[email protected]"

What is the correct LDAP syntax for Dovecot's DOVECOT_USER_FILTER, DOVECOT_PASS_ATTRS and DOVECOT_USER_ATTRS?
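As an added example (not part of the question or of docker-mailserver's own code), the following Python expands the question's DOVECOT_USER_FILTER the way Dovecot expands `%u`, `%n` and `%d` for a login name, applying RFC 4515 escaping to the substituted value so a crafted login cannot change the filter's structure, and then checks the result for the two things worth verifying in the configuration above: unbalanced parentheses and the empty `(|)` filters, which are RFC 4526 absolute filters that a directory server is not required to support.

```python
"""Expand Dovecot-style %u/%n/%d variables in an LDAP filter template with
RFC 4515 escaping and sanity-check the resulting filter.
Added example, not code from the question; stdlib only."""
import re

# Filter taken from the question's DOVECOT_USER_FILTER setting.
USER_FILTER = "(&(objectClass=inetOrgPerson)(mail=%u))"
# Filter the question uses for aliases and groups ("doesn't match anything").
EMPTY_OR = "(|)"

# RFC 4515 escapes for characters that are special inside assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template: str, login: str) -> str:
    """Substitute Dovecot's %u (full login), %n (local part), %d (domain).
    Each substituted value is escaped before insertion."""
    local, _, domain = login.partition("@")
    values = {"u": login, "n": local, "d": domain}
    return re.sub(r"%([und])", lambda m: escape_value(values[m.group(1)]), template)


def check_filter(flt: str) -> list[str]:
    """Return a list of problems found in an expanded filter string."""
    problems = []
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    # "(|)" / "(&)" are absolute false/true filters (RFC 4526); a server that
    # does not implement them may reject the search instead of matching nothing.
    if re.search(r"\((\||&)\)", flt):
        problems.append("absolute (|)/(&) filter (RFC 4526): server support is optional")
    return problems


if __name__ == "__main__":
    # Constructed sample logins: a normal user and a filter-injection attempt.
    for login in ("test.user@example.local", "*)(uid=*"):
        expanded = expand(USER_FILTER, login)
        print(expanded, check_filter(expanded))
    print(EMPTY_OR, check_filter(EMPTY_OR))
```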
