Commit ed2e5d14 authored by Lee Starnes's avatar Lee Starnes Committed by A. Wilcox

user/dovecot: review fixes

- move default SSL key and cert stuff to a patch
- use auth-system.conf instead of auth-passwdfile.conf because we have PAM
- explain manual removal of *.la
- other Adelification fixes
parent 7d6a83db
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Lukasz Jendrysik <scadu@yandex.com>
# Contributor: Michael Mason <ms13sp@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Lee Starnes <lee@canned-death.us>
pkgname=dovecot
pkgver=2.3.10
_pkgvermajor=${pkgver%.*}
pkgrel=0
_pigeonholever=0.5.9
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
url="https://www.dovecot.org/"
arch="all"
options="libtool"
license="LGPL-2.0+"
depends="openssl"
pkgusers="dovecot dovenull"
pkggroups="dovecot dovenull"
makedepends="
autoconf
automake
bzip2-dev
clucene-dev
expat-dev
krb5-dev
libcap-dev
openssl-dev
libtool
linux-headers
linux-pam-dev
mariadb-dev
openldap-dev
postgresql-dev
sqlite-dev
zlib-dev
libsodium-dev
"
install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
subpackages="
$pkgname-doc
$pkgname-dev
$pkgname-openrc
$pkgname-lmtpd
$pkgname-pop3d
$pkgname-submissiond
$pkgname-pigeonhole-plugin-ldap:_sieve_ldap
$pkgname-pigeonhole-plugin:_sieve
$pkgname-sql
$pkgname-pgsql
$pkgname-mysql
$pkgname-sqlite
$pkgname-gssapi
$pkgname-ldap
$pkgname-fts-solr:_fts_solr
$pkgname-fts-lucene:_fts_lucene
"
source="https://www.dovecot.org/releases/$_pkgvermajor/dovecot-$pkgver.tar.gz
https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
skip-iconv-check.patch
split-protocols.patch
default-config.patch
ssl-paths.patch
dovecot.logrotate
dovecot.initd
"
_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
_configure() {
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--localstatedir=/var \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--disable-static \
"$@"
}
build() {
_configure \
--with-gssapi=plugin \
--with-ldap=plugin \
--with-sql=plugin \
--with-pam \
--with-mysql \
--with-sqlite \
--with-pgsql \
--with-solr \
--with-lucene \
--with-ssl=openssl \
--with-ssldir=/etc/ssl/dovecot \
--with-rundir=/run/dovecot
make
# Build pigeonhole plugin
cd "$_builddir_pigeonhole"
_configure \
--with-dovecot="$builddir" \
--with-ldap=plugin
make
}
check() {
make check
}
package() {
make DESTDIR="$pkgdir" install
cd "$pkgdir"
install -d ./etc/ssl/dovecot
install -D -m 755 "$srcdir"/dovecot.initd ./etc/init.d/dovecot
install -D -m 644 "$srcdir"/dovecot.logrotate ./etc/logrotate.d/dovecot
# default config
rm ./etc/dovecot/*
rm ./usr/share/doc/dovecot/mkcert.sh
mv ./usr/share/doc/dovecot/dovecot-openssl.cnf ./etc/dovecot/
mv ./usr/share/doc/dovecot/example-config/dovecot* \
./usr/share/doc/dovecot/example-config/conf.d \
./etc/dovecot/
rm -fr ./usr/share/doc/dovecot/example-config
# Installing pigeonhole plugin.
cd "$_builddir_pigeonhole"
make install DESTDIR="$pkgdir"
# Moving config in the correct place
mv "$pkgdir"/usr/share/doc/dovecot/example-config/conf.d/* \
"$pkgdir"/etc/dovecot/conf.d
# Remove libtool archives. abuild doesn't remove them automatically even without options=libtool.
find "$pkgdir" -name '*.la' | xargs rm -f
}
dev() {
default_dev
mkdir -p "$subpkgdir"/usr/lib/dovecot
mv "$pkgdir"/usr/lib/dovecot/dovecot-config \
"$subpkgdir"/usr/lib/dovecot/
}
lmtpd() {
pkgdesc="$pkgdesc (LMTP server)"
_protocol lmtp
}
pop3d() {
pkgdesc="$pkgdesc (POP3 daemon)"
_protocol pop3
}
submissiond() {
pkgdesc="$pkgdesc (mail submission agent)"
_protocol submission
}
_protocol() {
depends="$pkgname=$pkgver-r$pkgrel"
_name="$1"
_protocolsd="$subpkgdir/usr/share/dovecot/protocols.d"
cd "$pkgdir"
_submv usr/libexec/dovecot/$_name*
_submv etc/dovecot/conf.d/*-$_name.conf
mkdir -p "$_protocolsd"
echo "protocols = \$protocols $_name" \
> "$_protocolsd"/${subpkgname#$pkgname-}.conf
}
_sieve() {
pkgdesc="Sieve and managesieve plugin for Dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*sieve_extprograms*')
_submv $(find usr/ -name '*sieve_imapsieve*')
_submv $(find usr/ -name '*sieve*')
_submv $(find usr/ -name '*pigeonhole*')
_submv $(find etc/dovecot/ -name '*sieve*')
}
_sieve_ldap() {
pkgdesc="Sieve and managesieve plugin for Dovecot (LDAP support)"
depends="$pkgname-pigeonhole-plugin=$pkgver-r$pkgrel $pkgname-ldap=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*_sieve_storage_ldap_*')
}
pgsql() {
pkgdesc="PostgreSQL driver for Dovecot"
depends="$pkgname-sql=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*_pgsql*')
}
mysql() {
pkgdesc="MySQL driver for Dovecot"
depends="$pkgname-sql=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*_mysql*')
}
sqlite() {
pkgdesc="SQLite driver for Dovecot"
depends="$pkgname-sql=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*_sqlite*')
}
gssapi() {
pkgdesc="GSSAPI auth plugin for Dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*_gssapi*')
}
ldap() {
pkgdesc="LDAP auth plugin for Dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*[_-]ldap*')
_submv $(find etc/dovecot/ -name '*-ldap.conf*')
}
sql() {
pkgdesc="SQL plugin for dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*-sql.*')
_submv $(find etc/dovecot/ -name '*-sql.conf*')
}
_fts_solr() {
pkgdesc="FTS-Solr plugin for dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*fts*solr*')
}
_fts_lucene() {
pkgdesc="FTS-Lucene plugin for dovecot"
depends="$pkgname=$pkgver-r$pkgrel"
cd "$pkgdir"
_submv $(find usr/ -name '*fts*lucene*')
}
_submv() {
while [ $# -gt 0 ]; do
_dir=${1%/*}
mkdir -p "$subpkgdir"/$_dir
mv "$pkgdir/$1" "$subpkgdir/$_dir/"
[ "$(ls -A $pkgdir/$_dir)" ] || rmdir "$pkgdir"/$_dir
shift
done
}
sha512sums="73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 dovecot-2.3.10.tar.gz
1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 dovecot-2.3-pigeonhole-0.5.9.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
5e68a0042a7c11b3d8c411fc157f5960e2e3305dac11f4b6b880441e2b4105769ddf6c56f67a995af6e1a58f3bfa2c199ea51318a3a0e37c7ef0ae6c4109b13f ssl-paths.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
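Review bot: `_submv` decides whether to remove a directory by parsing `ls -A` with an unquoted path, and every caller hands it `$(find …)` unquoted, so a path containing whitespace would be split into several arguments and the wrong files moved; the `*.la` cleanup in `package()` has the same weakness via `find … | xargs rm -f` without `-print0`. `rmdir` already refuses to remove a non-empty directory, so the `ls` test can go: `rmdir "$pkgdir/$_dir" 2>/dev/null || true`, and the libtool-archive removal is safer as `find "$pkgdir" -name '*.la' -delete`. Since `install -d ./etc/ssl/dovecot` is created with the default mode and the post-install script later writes the private key there, consider stating the intended directory mode explicitly (`install -d -m 755 ./etc/ssl/dovecot`) so the choice is visible in review.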
--- a/doc/example-config/conf.d/10-mail.conf
+++ b/doc/example-config/conf.d/10-mail.conf
@@ -208,10 +208,10 @@
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
-#auth_socket_path = /var/run/dovecot/auth-userdb
+#auth_socket_path = /run/dovecot/auth-userdb
# Directory where to look up mail plugins.
-#mail_plugin_dir = /usr/lib/dovecot
+#mail_plugin_dir = /usr/lib/dovecot/modules
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
@@ -322,6 +322,7 @@ protocol !indexer-worker {
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
--- a/doc/example-config/conf.d/10-ssl.conf
+++ b/doc/example-config/conf.d/10-ssl.conf
@@ -3,7 +3,10 @@
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
+# POP3S, IMAP+TLS and IMAPS.
+# Plain IMAP and POP3 are still allowed for local connections.
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
@@ -67,7 +67,7 @@
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
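Review bot: The new active line `mbox_write_locks = fcntl` in the 10-mail.conf hunk carries no comment, unlike the `ssl = required` hunk which explains itself, so a reader cannot tell why dotlock was dropped from the upstream default `dotlock fcntl`. If the reason is that the MTA delivering to mbox on this platform also uses fcntl (which I cannot confirm from the patch), say so in a comment above the line, e.g. `# fcntl only: the local MTA locks mbox the same way, dotlock is not needed`; otherwise a site that shares mbox files with a dotlock-only delivery agent gets silent corruption risk.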
#!/sbin/openrc-run
[ "$RC_SVCNAME" != "${RC_SVCNAME##*.}" ] && instance=${RC_SVCNAME##*.}
description="Secure POP3/IMAP server"
cfgfile=/etc/dovecot/dovecot${instance:+.$instance}.conf
pidfile=$(doveconf -c $cfgfile -h base_dir 2>/dev/null)/master.pid
command=/usr/sbin/dovecot
command_args=${instance:+-c $cfgfile}
required_files="$cfgfile"
extra_started_commands="reload reopen"
description_reload="Reload configuration"
description_reopen="Reopen log files"
depend() {
need localmount net
before mta
after bootmisc firewall ldap mysql ntp-client ntpd postgresql saslauthd slapd
use logger
}
start_pre() {
ebegin
doveconf -c $cfgfile -x >/dev/null 2>&1 && \
checkpath --directory ${pidfile%/*}
eend $?
}
reload() {
ebegin "Reloading $RC_SVCNAME configs and restarting auth/login processes"
start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
eend $?
}
reopen() {
ebegin "Reopening $RC_SVCNAME log files"
start-stop-daemon --signal USR1 --pidfile $pidfile
eend $?
}
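Review bot: `pidfile=$(doveconf -c $cfgfile -h base_dir 2>/dev/null)/master.pid` silently degrades to `/master.pid` whenever `doveconf` fails to read the config, and `$cfgfile` and `$pidfile` are expanded unquoted here and in `reload`/`reopen`. The rundir is fixed at configure time in the APKBUILD (`--with-rundir=/run/dovecot`), so a fallback is available: `base_dir=$(doveconf -c "$cfgfile" -h base_dir 2>/dev/null)` followed by `pidfile=${base_dir:-/run/dovecot}/master.pid`. `start_pre` also calls `ebegin` with no message, which prints an empty status line; `ebegin "Checking $RC_SVCNAME configuration"` would make the failure visible.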
/var/log/dovecot*.log {
daily
missingok
copytruncate
rotate 7
compress
notifempty
sharedscripts
postrotate
/etc/init.d/dovecot --quiet --ifstarted reopen
endscript
}
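Review bot: `copytruncate` and the `postrotate` `reopen` call work against each other: with `copytruncate` the live file is never renamed, so the USR1 reopen is redundant, while lines written between the copy and the truncate are lost. Since the init script already implements `reopen` (it sends USR1 via start-stop-daemon), drop `copytruncate` and let the postrotate hook do the work; if `copytruncate` is intended for some reason I cannot see here, a one-line comment explaining it would help the next maintainer.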
#!/bin/sh
# based on doc/mkcert.sh
# if ssl disabled then lets just exit
doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0
# Generates a self-signed certificate.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-/etc/dovecot/dovecot-openssl.cnf}
CERTDIR=$SSLDIR
KEYDIR=$SSLDIR
# check if we have ssl_cert and/or key (for dovecot-2.0+)
# try expand the cert/key itself and if found, lets just keep it
[ -n "$(doveconf -x ssl_cert 2>/dev/null)" ] && exit 0
[ -n "$(doveconf -x ssl_key 2>/dev/null)" ] && exit 0
ssl_cert_file=$(doveconf ssl_cert | sed 's/.*= <//')
ssl_key_file=$(doveconf ssl_key | sed 's/.*= <//')
CERTFILE=${ssl_cert_file:-$CERTDIR/server.pem}
KEYFILE=${ssl_key_file:-$KEYDIR/server.key}
if [ -e "$CERTFILE" ]; then
echo "Keeping existing $CERTFILE"
exit 0
fi
if [ -e "$KEYFILE" ]; then
echo "Keeping existing $KEYFILE"
exit 0
fi
if [ ! -c /dev/urandom ] && [ ! -c /dev/random ]; then
echo "No /dev/urandom or /dev/random so ssl cert not created"
exit 1
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
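Review bot: The private key is written by `openssl req … -keyout $KEYFILE` one line before `chmod 0600 $KEYFILE`, so for that interval its mode is whatever the current umask yields; adding `umask 077` before the `$OPENSSL req` call makes the file never exist readable by others. The same line passes `$OPENSSLCONFIG`, `$CERTFILE` and `$KEYFILE` unquoted, and the latter two are derived from `doveconf` output rather than fixed literals, so they should be quoted (`-config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE"`). The exit 1 on missing /dev/urandom leaves the shipped `ssl = required` config pointing at a non-existent key, which is probably acceptable for a post-install hook but worth a comment saying that dovecot will refuse to start until a key is provided.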
#!/bin/sh
if ! grep ^"version_ignore=yes" /etc/dovecot/dovecot.conf; then
printf "dovecot restart required (version_ignore=yes not set)\n"
fi
exit $?
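Review bot: The check `grep ^"version_ignore=yes" /etc/dovecot/dovecot.conf` only matches the option written without whitespace, while Dovecot's parser also accepts `version_ignore = yes`, so a config written in the usual spaced form triggers the restart warning anyway; it also prints the matched line to stdout because `-q` is missing. `exit $?` after an `if` with no `else` is always 0, which is fine but reads as if it propagated something. Suggested: `if ! grep -Eq '^[[:space:]]*version_ignore[[:space:]]*=[[:space:]]*yes' /etc/dovecot/dovecot.conf; then` and a plain `exit 0` at the end.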
#!/bin/sh
groupadd -r dovecot 2>/dev/null
groupadd -r dovenull 2>/dev/null
useradd -r -u 90 -h /dev/null -s /sbin/nologin -g dovecot dovecot 2>/dev/null
useradd -r -u 91 -h /dev/null -s /sbin/nologin -g dovenull dovenull 2>/dev/null
exit 0
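Review bot: With shadow's `useradd`, `-h` is `--help`, not the home directory (that is `-d`), so if that is the `useradd` this script runs under, both `useradd -r -u 90 -h /dev/null …` lines print the usage text and exit without creating the `dovecot` and `dovenull` accounts — and the `2>/dev/null` plus unconditional `exit 0` hide the failure. The lines should read `useradd -r -u 90 -d /dev/null -s /sbin/nologin -g dovecot dovecot 2>/dev/null` and `useradd -r -u 91 -d /dev/null -s /sbin/nologin -g dovenull dovenull 2>/dev/null`. Consider also not discarding stderr when the fixed UID 90/91 is already taken, since that failure leaves the daemon with no unprivileged account to drop to.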
--- a/src/lib-charset/test-charset.c
+++ b/src/lib-charset/test-charset.c
@@ -159,7 +159,7 @@
static void (*const test_functions[])(void) = {
test_charset_is_utf8,
test_charset_utf8,
-#ifdef HAVE_ICONV
+#if 0 //def HAVE_ICONV
test_charset_iconv,
test_charset_iconv_crashes,
test_charset_iconv_utf7_state,
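Review bot: The patch disables the four iconv test functions with `#if 0 //def HAVE_ICONV` but carries no header explaining why the iconv checks fail on this platform, so a future rebase cannot tell whether the tests are still expected to fail or the patch can be dropped. Add a short description above the `---` line stating the observed failure and the environment it occurs in (constructed example: `Skip iconv tests: they fail against <libc/iconv implementation> on this platform because <reason>`). Disabling the tests also means charset-conversion regressions in the packaged binary go unnoticed, which is worth stating explicitly.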
For each protocol $prot, which is moved into subpackage $subname,
is installed file /usr/share/dovecot/protocols.d/$subname.conf with:
protocols = $protocols $prot
--- a/doc/example-config/dovecot.conf
+++ b/doc/example-config/dovecot.conf
@@ -20,8 +20,9 @@
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
-# Protocols we want to be serving.
-#protocols = imap pop3 lmtp submission
+# Enable installed protocols.
+#protocols = imap
+!include_try /usr/share/dovecot/protocols.d/*.conf
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
--- a/src/master/master-settings.c.orig
+++ b/src/master/master-settings.c
@@ -206,7 +206,7 @@
.state_dir = PKG_STATEDIR,
.libexec_dir = PKG_LIBEXECDIR,
.instance_name = PACKAGE,
- .protocols = "imap pop3 lmtp",
+ .protocols = "imap",
.listen = "*, ::",
.ssl = "yes:no:required",
.default_internal_user = "dovecot",
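Review bot: The master-settings.c hunk header pairs `--- a/src/master/master-settings.c.orig` with `+++ b/src/master/master-settings.c`, so the two sides name different files; `patch` usually copes, but the header should be `--- a/src/master/master-settings.c` for consistency with the other hunks in this series. The prose at the top of the patch is useful; one more sentence noting that the compiled-in default `protocols = "imap"` is deliberately kept in sync with the example `dovecot.conf` hunk would make the two changes easier to keep together on future version bumps.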
--- dovecot-2.3.10/doc/example-config/conf.d/10-ssl.conf 2020-03-05 14:35:53.000000000 +0000
+++ dovecot-2.3.10.new/doc/example-config/conf.d/10-ssl.conf 2020-04-26 06:49:45.860000000 +0000
@@ -9,8 +9,8 @@
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/dovecot.pem
-ssl_key = </etc/ssl/private/dovecot.pem
+ssl_cert = </etc/ssl/dovecot/server.pem
+ssl_key = </etc/ssl/dovecot/server.key
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
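Review bot: The context lines kept in this hunk still say `Included doc/mkcert.sh can be used to easily generate self-signed certificate`, but the APKBUILD's `package()` removes `usr/share/doc/dovecot/mkcert.sh` and the package's post-install script now generates the key and certificate at these new paths instead. Since the patch already rewrites the adjacent lines, extend it to replace that sentence with one describing the packaged behaviour, e.g. `# A self-signed pair is generated at these paths on package install if none exists;` followed by a line pointing at `dovecot-openssl.cnf` for the subject fields.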