From ed2e5d142804bd69d296c39c6b861b8401718469 Mon Sep 17 00:00:00 2001 From: Lee Starnes Date: Wed, 6 May 2020 00:53:22 +0000 Subject: user/dovecot: review fixes - move default SSL key and cert stuff to a patch - use auth-system.conf instead of auth-passwdfile.conf because we have PAM - explain manual removal of *.la - other Adelification fixes --- user/dovecot/default-config.patch | 46 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 user/dovecot/default-config.patch (limited to 'user/dovecot/default-config.patch') diff --git a/user/dovecot/default-config.patch b/user/dovecot/default-config.patch new file mode 100644 index 000000000..0f8a7385a --- /dev/null +++ b/user/dovecot/default-config.patch @@ -0,0 +1,46 @@ +--- a/doc/example-config/conf.d/10-mail.conf ++++ b/doc/example-config/conf.d/10-mail.conf +@@ -208,10 +208,10 @@ + + # UNIX socket path to master authentication server to find users. + # This is used by imap (for shared users) and lda. +-#auth_socket_path = /var/run/dovecot/auth-userdb ++#auth_socket_path = /run/dovecot/auth-userdb + + # Directory where to look up mail plugins. +-#mail_plugin_dir = /usr/lib/dovecot ++#mail_plugin_dir = /usr/lib/dovecot/modules + + # Space separated list of plugins to load for all services. Plugins specific to + # IMAP, LDA, etc. are added to this list in their own .conf files. +@@ -322,6 +322,7 @@ protocol !indexer-worker { + # them simultaneously. + #mbox_read_locks = fcntl + #mbox_write_locks = dotlock fcntl ++mbox_write_locks = fcntl + + # Maximum time to wait for lock (all of them) before aborting. + #mbox_lock_timeout = 5 mins +--- a/doc/example-config/conf.d/10-ssl.conf ++++ b/doc/example-config/conf.d/10-ssl.conf +@@ -3,7 +3,10 @@ + ## + + # SSL/TLS support: yes, no, required. +-#ssl = yes ++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS, ++# POP3S, IMAP+TLS and IMAPS. ++# Plain IMAP and POP3 are still allowed for local connections. ++ssl = required + + # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before + # dropping root privileges, so keep the key file unreadable by anyone but +@@ -67,7 +67,7 @@ + #ssl_curve_list = + + # Prefer the server's order of ciphers over client's. +-#ssl_prefer_server_ciphers = no ++ssl_prefer_server_ciphers = yes + + # SSL crypto device to use, for valid values run "openssl engine" + #ssl_crypto_device = -- cgit v1.2.3-60-g2f50