From ed2e5d142804bd69d296c39c6b861b8401718469 Mon Sep 17 00:00:00 2001
From: Lee Starnes <lee@canned-death.us>
Date: Wed, 6 May 2020 00:53:22 +0000
Subject: user/dovecot: review fixes

- move default SSL key and cert stuff to a patch
- use auth-system.conf instead of auth-passwdfile.conf because we have PAM
- explain manual removal of *.la
- other Adelification fixes
---
 user/dovecot/APKBUILD               | 280 ++++++++++++++++++++++++++++++++++++
 user/dovecot/default-config.patch   |  46 ++++++
 user/dovecot/dovecot.initd          |  40 ++++++
 user/dovecot/dovecot.logrotate      |  12 ++
 user/dovecot/dovecot.post-install   |  45 ++++++
 user/dovecot/dovecot.post-upgrade   |   7 +
 user/dovecot/dovecot.pre-install    |   8 ++
 user/dovecot/skip-iconv-check.patch |  11 ++
 user/dovecot/split-protocols.patch  |  30 ++++
 user/dovecot/ssl-paths.patch        |  13 ++
 10 files changed, 492 insertions(+)
 create mode 100644 user/dovecot/APKBUILD
 create mode 100644 user/dovecot/default-config.patch
 create mode 100644 user/dovecot/dovecot.initd
 create mode 100644 user/dovecot/dovecot.logrotate
 create mode 100644 user/dovecot/dovecot.post-install
 create mode 100644 user/dovecot/dovecot.post-upgrade
 create mode 100644 user/dovecot/dovecot.pre-install
 create mode 100644 user/dovecot/skip-iconv-check.patch
 create mode 100644 user/dovecot/split-protocols.patch
 create mode 100644 user/dovecot/ssl-paths.patch


diff --git a/user/dovecot/APKBUILD b/user/dovecot/APKBUILD
new file mode 100644
index 000000000..f78987820
--- /dev/null
+++ b/user/dovecot/APKBUILD
@@ -0,0 +1,280 @@
+# Contributor: Valery Kartel <valery.kartel@gmail.com>
+# Contributor: Lukasz Jendrysik <scadu@yandex.com>
+# Contributor: Michael Mason <ms13sp@gmail.com>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer: Lee Starnes <lee@canned-death.us>
+pkgname=dovecot
+pkgver=2.3.10
+_pkgvermajor=${pkgver%.*}
+pkgrel=0
+_pigeonholever=0.5.9
+_pigeonholevermajor=${_pigeonholever%.*}
+pkgdesc="IMAP and POP3 server"
+url="https://www.dovecot.org/"
+arch="all"
+options="libtool"
+license="LGPL-2.0+"
+depends="openssl"
+pkgusers="dovecot dovenull"
+pkggroups="dovecot dovenull"
+makedepends="
+	autoconf
+	automake
+	bzip2-dev
+	clucene-dev
+	expat-dev
+	krb5-dev
+	libcap-dev
+	openssl-dev
+	libtool
+	linux-headers
+	linux-pam-dev
+	mariadb-dev
+	openldap-dev
+	postgresql-dev
+	sqlite-dev
+	zlib-dev
+	libsodium-dev
+	"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+subpackages="
+	$pkgname-doc
+	$pkgname-dev
+	$pkgname-openrc
+	$pkgname-lmtpd
+	$pkgname-pop3d
+	$pkgname-submissiond
+	$pkgname-pigeonhole-plugin-ldap:_sieve_ldap
+	$pkgname-pigeonhole-plugin:_sieve
+	$pkgname-sql
+	$pkgname-pgsql
+	$pkgname-mysql
+	$pkgname-sqlite
+	$pkgname-gssapi
+	$pkgname-ldap
+	$pkgname-fts-solr:_fts_solr
+	$pkgname-fts-lucene:_fts_lucene
+	"
+source="https://www.dovecot.org/releases/$_pkgvermajor/dovecot-$pkgver.tar.gz
+	https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
+	skip-iconv-check.patch
+	split-protocols.patch
+	default-config.patch
+	ssl-paths.patch
+	dovecot.logrotate
+	dovecot.initd
+	"
+_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
+
+_configure() {
+	./configure \
+		--build=$CBUILD \
+		--host=$CHOST \
+		--prefix=/usr \
+		--localstatedir=/var \
+		--sysconfdir=/etc \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--disable-static \
+		"$@"
+}
+
+build() {
+	_configure \
+		--with-gssapi=plugin \
+		--with-ldap=plugin \
+		--with-sql=plugin \
+		--with-pam \
+		--with-mysql \
+		--with-sqlite \
+		--with-pgsql \
+		--with-solr \
+		--with-lucene \
+		--with-ssl=openssl \
+		--with-ssldir=/etc/ssl/dovecot \
+		--with-rundir=/run/dovecot
+	make
+
+	# Build pigeonhole plugin
+	cd "$_builddir_pigeonhole"
+	_configure \
+		--with-dovecot="$builddir" \
+		--with-ldap=plugin
+	make
+}
+
+check() {
+	make check
+}
+
+package() {
+	make DESTDIR="$pkgdir" install
+
+	cd "$pkgdir"
+
+	install -d ./etc/ssl/dovecot
+	install -D -m 755 "$srcdir"/dovecot.initd ./etc/init.d/dovecot
+	install -D -m 644 "$srcdir"/dovecot.logrotate ./etc/logrotate.d/dovecot
+
+	# default config
+	rm ./etc/dovecot/*
+	rm ./usr/share/doc/dovecot/mkcert.sh
+	mv ./usr/share/doc/dovecot/dovecot-openssl.cnf ./etc/dovecot/
+	mv ./usr/share/doc/dovecot/example-config/dovecot* \
+		./usr/share/doc/dovecot/example-config/conf.d \
+		./etc/dovecot/
+	rm -fr ./usr/share/doc/dovecot/example-config
+
+	# Installing pigeonhole plugin.
+	cd "$_builddir_pigeonhole"
+	make install DESTDIR="$pkgdir"
+
+	# Moving config in the correct place
+	mv "$pkgdir"/usr/share/doc/dovecot/example-config/conf.d/* \
+		"$pkgdir"/etc/dovecot/conf.d
+
+	# Remove libtool archives. abuild doesn't remove them automatically even without options=libtool.
+	find "$pkgdir" -name '*.la' | xargs rm -f
+}
+
+dev() {
+	default_dev
+	mkdir -p "$subpkgdir"/usr/lib/dovecot
+	mv "$pkgdir"/usr/lib/dovecot/dovecot-config \
+		"$subpkgdir"/usr/lib/dovecot/
+}
+
+lmtpd() {
+	pkgdesc="$pkgdesc (LMTP server)"
+	_protocol lmtp
+}
+
+pop3d() {
+	pkgdesc="$pkgdesc (POP3 daemon)"
+	_protocol pop3
+}
+
+submissiond() {
+	pkgdesc="$pkgdesc (mail submission agent)"
+	_protocol submission
+}
+
+_protocol() {
+	depends="$pkgname=$pkgver-r$pkgrel"
+	_name="$1"
+	_protocolsd="$subpkgdir/usr/share/dovecot/protocols.d"
+
+	cd "$pkgdir"
+	_submv usr/libexec/dovecot/$_name*
+	_submv etc/dovecot/conf.d/*-$_name.conf
+
+	mkdir -p "$_protocolsd"
+	echo "protocols = \$protocols $_name" \
+		> "$_protocolsd"/${subpkgname#$pkgname-}.conf
+}
+
+_sieve() {
+	pkgdesc="Sieve and managesieve plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*sieve_extprograms*')
+	_submv $(find usr/ -name '*sieve_imapsieve*')
+	_submv $(find usr/ -name '*sieve*')
+	_submv $(find usr/ -name '*pigeonhole*')
+	_submv $(find etc/dovecot/ -name '*sieve*')
+}
+
+_sieve_ldap() {
+	pkgdesc="Sieve and managesieve plugin for Dovecot (LDAP support)"
+	depends="$pkgname-pigeonhole-plugin=$pkgver-r$pkgrel $pkgname-ldap=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_sieve_storage_ldap_*')
+}
+
+pgsql() {
+	pkgdesc="PostgreSQL driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_pgsql*')
+}
+
+mysql() {
+	pkgdesc="MySQL driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_mysql*')
+}
+
+sqlite() {
+	pkgdesc="SQLite driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_sqlite*')
+}
+
+gssapi() {
+	pkgdesc="GSSAPI auth plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_gssapi*')
+}
+
+ldap() {
+	pkgdesc="LDAP auth plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*[_-]ldap*')
+	_submv $(find etc/dovecot/ -name '*-ldap.conf*')
+}
+
+sql() {
+	pkgdesc="SQL plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*-sql.*')
+	_submv $(find etc/dovecot/ -name '*-sql.conf*')
+}
+
+_fts_solr() {
+	pkgdesc="FTS-Solr plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*fts*solr*')
+}
+
+_fts_lucene() {
+	pkgdesc="FTS-Lucene plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*fts*lucene*')
+}
+
+_submv() {
+	while [ $# -gt 0 ]; do
+		_dir=${1%/*}
+		mkdir -p "$subpkgdir"/$_dir
+		mv "$pkgdir/$1" "$subpkgdir/$_dir/"
+		[ "$(ls -A $pkgdir/$_dir)" ] || rmdir "$pkgdir"/$_dir
+		shift
+	done
+}
+
+sha512sums="73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2  dovecot-2.3.10.tar.gz
+1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8  dovecot-2.3-pigeonhole-0.5.9.tar.gz
+fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a  skip-iconv-check.patch
+794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5  split-protocols.patch
+0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07  default-config.patch
+5e68a0042a7c11b3d8c411fc157f5960e2e3305dac11f4b6b880441e2b4105769ddf6c56f67a995af6e1a58f3bfa2c199ea51318a3a0e37c7ef0ae6c4109b13f  ssl-paths.patch
+9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0  dovecot.logrotate
+d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70  dovecot.initd"
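Review bot: The libtool-archive cleanup at the end of package() pipes find into xargs, which breaks on paths containing whitespace and runs `rm -f` with no arguments when nothing matches; `find "$pkgdir" -name '*.la' -delete` does the same job with neither problem. With every .la removed before the subpackage split, the `options="libtool"` line near the top of the file looks redundant; if it is only there to keep abuild's .la check quiet, the comment on the find line should say so, since it currently reads as if the option has no effect. In _submv, the directory-empty test `[ "$(ls -A $pkgdir/$_dir)" ]` leaves `$pkgdir/$_dir` unquoted while the surrounding mv and mkdir quote it; quoting it as `"$(ls -A "$pkgdir/$_dir")"` makes the function consistent with itself.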
diff --git a/user/dovecot/default-config.patch b/user/dovecot/default-config.patch
new file mode 100644
index 000000000..0f8a7385a
--- /dev/null
+++ b/user/dovecot/default-config.patch
@@ -0,0 +1,46 @@
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -208,10 +208,10 @@
+ 
+ # UNIX socket path to master authentication server to find users.
+ # This is used by imap (for shared users) and lda.
+-#auth_socket_path = /var/run/dovecot/auth-userdb
++#auth_socket_path = /run/dovecot/auth-userdb
+ 
+ # Directory where to look up mail plugins.
+-#mail_plugin_dir = /usr/lib/dovecot
++#mail_plugin_dir = /usr/lib/dovecot/modules
+ 
+ # Space separated list of plugins to load for all services. Plugins specific to
+ # IMAP, LDA, etc. are added to this list in their own .conf files.
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+ 
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,7 +3,10 @@
+ ##
+ 
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
++# POP3S, IMAP+TLS and IMAPS.
++# Plain IMAP and POP3 are still allowed for local connections.
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -67,7 +67,7 @@
+ #ssl_curve_list =
+ 
+ # Prefer the server's order of ciphers over client's.
+-#ssl_prefer_server_ciphers = no
++ssl_prefer_server_ciphers = yes
+ 
+ # SSL crypto device to use, for valid values run "openssl engine"
+ #ssl_crypto_device =
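Review bot: This patch carries no preamble explaining its intent, unlike split-protocols.patch in the same commit, so a future maintainer rebasing it onto a new Dovecot release has to infer why each default was changed. A short header listing the three policy changes (`ssl = required`, `ssl_prefer_server_ciphers = yes`, `mbox_write_locks = fcntl`) and the reason for each would help; the locking change in particular is the only one without an in-file comment, and nothing in the commit message says what motivates it. The ssl hunks are self-describing, but the preamble should still note that the TLS hardening is a distribution policy choice rather than an upstream default, so it is re-evaluated rather than blindly carried forward.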
diff --git a/user/dovecot/dovecot.initd b/user/dovecot/dovecot.initd
new file mode 100644
index 000000000..721f131ad
--- /dev/null
+++ b/user/dovecot/dovecot.initd
@@ -0,0 +1,40 @@
+#!/sbin/openrc-run
+
+[ "$RC_SVCNAME" != "${RC_SVCNAME##*.}" ] && instance=${RC_SVCNAME##*.}
+
+description="Secure POP3/IMAP server"
+
+cfgfile=/etc/dovecot/dovecot${instance:+.$instance}.conf
+pidfile=$(doveconf -c $cfgfile -h base_dir 2>/dev/null)/master.pid
+command=/usr/sbin/dovecot
+command_args=${instance:+-c $cfgfile}
+required_files="$cfgfile"
+extra_started_commands="reload reopen"
+description_reload="Reload configuration"
+description_reopen="Reopen log files"
+
+depend() {
+	need localmount net
+	before mta
+	after bootmisc firewall ldap mysql ntp-client ntpd postgresql saslauthd slapd
+	use logger
+}
+
+start_pre() {
+	ebegin
+	doveconf -c $cfgfile -x >/dev/null 2>&1 && \
+		checkpath --directory ${pidfile%/*}
+	eend $?
+}
+
+reload() {
+	ebegin "Reloading $RC_SVCNAME configs and restarting auth/login processes"
+	start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
+	eend $?
+}
+
+reopen() {
+	ebegin "Reopening $RC_SVCNAME log files"
+	start-stop-daemon --signal USR1 --pidfile $pidfile
+	eend $?
+}
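Review bot: start_pre calls `ebegin` with no message and discards doveconf's stderr, so a configuration error shows up in the boot log as an anonymous failed step with no indication of what was wrong or where. Give the step a name and let the error reach the log: `ebegin "Checking $RC_SVCNAME configuration"` and `doveconf -c "$cfgfile" -x >/dev/null && \` (dropping the `2>&1`). The same unquoted `$cfgfile` and `$pidfile` appear in the pidfile assignment and in reload/reopen; they are safe with the default paths, but quoting them costs nothing and keeps an instance name with unusual characters from splitting the command.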
diff --git a/user/dovecot/dovecot.logrotate b/user/dovecot/dovecot.logrotate
new file mode 100644
index 000000000..b1a4087b4
--- /dev/null
+++ b/user/dovecot/dovecot.logrotate
@@ -0,0 +1,12 @@
+/var/log/dovecot*.log {
+	daily
+	missingok
+	copytruncate
+	rotate 7
+	compress
+	notifempty
+	sharedscripts
+	postrotate
+		/etc/init.d/dovecot --quiet --ifstarted reopen
+	endscript
+}
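Review bot: `copytruncate` looks redundant here and can lose log lines, because the postrotate already tells dovecot to reopen its log files via `reopen`. With copytruncate, logrotate copies the file and then truncates it, and anything dovecot writes between those two steps is lost; with a plain rotate followed by the reopen signal the old file is moved atomically and dovecot starts writing a fresh one. Dropping `copytruncate` (and adding `create` with the desired owner/mode if the default is not wanted) keeps the log complete, which matters when these files are used for incident investigation.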
diff --git a/user/dovecot/dovecot.post-install b/user/dovecot/dovecot.post-install
new file mode 100644
index 000000000..eb70cdece
--- /dev/null
+++ b/user/dovecot/dovecot.post-install
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# based on  doc/mkcert.sh
+
+# if ssl disabled then lets just exit
+doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0 
+# Generates a self-signed certificate.
+
+OPENSSL=${OPENSSL-openssl}
+SSLDIR=${SSLDIR-/etc/ssl/dovecot}
+OPENSSLCONFIG=${OPENSSLCONFIG-/etc/dovecot/dovecot-openssl.cnf}
+
+CERTDIR=$SSLDIR
+KEYDIR=$SSLDIR
+
+# check if we have ssl_cert and/or key (for dovecot-2.0+)
+# try expand the cert/key itself and if found, lets just keep it
+[ -n "$(doveconf -x ssl_cert 2>/dev/null)" ] && exit 0
+[ -n "$(doveconf -x ssl_key 2>/dev/null)" ] && exit 0
+
+ssl_cert_file=$(doveconf ssl_cert | sed 's/.*= <//')
+ssl_key_file=$(doveconf ssl_key | sed 's/.*= <//')
+
+CERTFILE=${ssl_cert_file:-$CERTDIR/server.pem}
+KEYFILE=${ssl_key_file:-$KEYDIR/server.key}
+
+if [ -e "$CERTFILE" ]; then
+	echo "Keeping existing $CERTFILE"
+	exit 0
+fi
+
+if [ -e "$KEYFILE" ]; then
+	echo "Keeping existing $KEYFILE"
+	exit 0
+fi
+
+if [ ! -c /dev/urandom ] && [ ! -c /dev/random ]; then
+	echo "No /dev/urandom or /dev/random so ssl cert not created"
+	exit 1
+fi
+
+$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
+chmod 0600 $KEYFILE
+echo 
+$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
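Review bot: The private key is written by `openssl req -keyout` with the process umask and only afterwards tightened by `chmod 0600 $KEYFILE`, so there is a window in which server.key can be created world-readable under a permissive umask. Set the umask before generating so the key is never wider than intended: add `umask 077` on the line before the `$OPENSSL req` call, and keep the chmod as a belt-and-braces step; if other consumers need to read the certificate, follow it with `chmod 0644 "$CERTFILE"`. The `$CERTFILE`, `$KEYFILE` and `$OPENSSLCONFIG` expansions in the openssl invocations are unquoted while the `-e` tests above quote them; quoting consistently avoids a surprise if `ssl_cert_file` ever contains a space.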
diff --git a/user/dovecot/dovecot.post-upgrade b/user/dovecot/dovecot.post-upgrade
new file mode 100644
index 000000000..69f4366ed
--- /dev/null
+++ b/user/dovecot/dovecot.post-upgrade
@@ -0,0 +1,7 @@
+#!/bin/sh
+if ! grep ^"version_ignore=yes" /etc/dovecot/dovecot.conf; then
+	printf "dovecot restart required (version_ignore=yes not set)\n"
+fi
+
+exit $?
+
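Review bot: `exit $?` after the `if` always yields 0, because the status of the compound is that of `printf` when grep fails and 0 when the body is skipped, so the trailing status propagation is dead code and the script should simply `exit 0`. The grep also prints the matching line to stdout during package upgrade and the `^"version_ignore=yes"` quoting is unusual; `if ! grep -q '^version_ignore=yes' /etc/dovecot/dovecot.conf; then` is the conventional form and is silent. If the intent is that a missing dovecot.conf should not produce a grep error on the terminal, add `2>/dev/null` to that line as well.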
diff --git a/user/dovecot/dovecot.pre-install b/user/dovecot/dovecot.pre-install
new file mode 100644
index 000000000..73a0aa3e3
--- /dev/null
+++ b/user/dovecot/dovecot.pre-install
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+groupadd -r dovecot 2>/dev/null
+groupadd -r dovenull 2>/dev/null
+useradd -r -u 90 -h /dev/null -s /sbin/nologin -g dovecot dovecot 2>/dev/null
+useradd -r -u 91 -h /dev/null -s /sbin/nologin -g dovenull dovenull 2>/dev/null
+
+exit 0
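Review bot: The two `useradd` lines pass `-h /dev/null` as the home directory, but in shadow-utils' useradd `-h` is `--help` and the home directory option is `-d`; if that is the implementation this script runs against, both lines print usage and create no user, and the `2>/dev/null` plus unconditional `exit 0` hide the failure entirely, leaving the package installed with no `dovecot`/`dovenull` service accounts. The `-h DIR` spelling belongs to busybox adduser, which may be where this was carried over from. Use `useradd -r -u 90 -d /dev/null -s /sbin/nologin -g dovecot dovecot` and `useradd -r -u 91 -d /dev/null -s /sbin/nologin -g dovenull dovenull`, and consider checking the result (for example with `getent passwd dovecot`) rather than exiting 0 regardless, so a failed account creation is caught at install time rather than when the daemon fails to drop privileges.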
diff --git a/user/dovecot/skip-iconv-check.patch b/user/dovecot/skip-iconv-check.patch
new file mode 100644
index 000000000..bb1002c84
--- /dev/null
+++ b/user/dovecot/skip-iconv-check.patch
@@ -0,0 +1,11 @@
+--- a/src/lib-charset/test-charset.c
++++ b/src/lib-charset/test-charset.c
+@@ -159,7 +159,7 @@
+ 	static void (*const test_functions[])(void) = {
+ 		test_charset_is_utf8,
+ 		test_charset_utf8,
+-#ifdef HAVE_ICONV
++#if 0 //def HAVE_ICONV
+ 		test_charset_iconv,
+ 		test_charset_iconv_crashes,
+ 		test_charset_iconv_utf7_state,
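Review bot: This patch disables the iconv charset tests with no explanation of why they are skipped, and neither the patch nor the commit message says whether the failure is a test-environment problem or a behaviour difference in the platform's iconv. Since these tests cover charset conversion code, a preamble (as split-protocols.patch has) stating the observed failure and why it is considered safe to ship without the tests would let a future maintainer know when the patch can be dropped. Stylistically, `#if 0 //def HAVE_ICONV` uses a `//` comment inside a C source; `#if 0 /* def HAVE_ICONV */` matches the surrounding file's C style.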
diff --git a/user/dovecot/split-protocols.patch b/user/dovecot/split-protocols.patch
new file mode 100644
index 000000000..b4bed2ccb
--- /dev/null
+++ b/user/dovecot/split-protocols.patch
@@ -0,0 +1,30 @@
+For each protocol $prot, which is moved into subpackage $subname,
+is installed file /usr/share/dovecot/protocols.d/$subname.conf with:
+
+    protocols = $protocols $prot
+
+--- a/doc/example-config/dovecot.conf
++++ b/doc/example-config/dovecot.conf
+@@ -20,8 +20,9 @@
+ # options. The paths listed here are for configure --prefix=/usr
+ # --sysconfdir=/etc --localstatedir=/var
+ 
+-# Protocols we want to be serving.
+-#protocols = imap pop3 lmtp submission
++# Enable installed protocols.
++#protocols = imap
++!include_try /usr/share/dovecot/protocols.d/*.conf
+ 
+ # A comma separated list of IPs or hosts where to listen in for connections. 
+ # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+--- a/src/master/master-settings.c.orig
++++ b/src/master/master-settings.c
+@@ -206,7 +206,7 @@
+ 	.state_dir = PKG_STATEDIR,
+ 	.libexec_dir = PKG_LIBEXECDIR,
+ 	.instance_name = PACKAGE,
+-	.protocols = "imap pop3 lmtp",
++	.protocols = "imap",
+ 	.listen = "*, ::",
+ 	.ssl = "yes:no:required",
+ 	.default_internal_user = "dovecot",
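Review bot: The second hunk's file header names `a/src/master/master-settings.c.orig` on the `---` side but `b/src/master/master-settings.c` on the `+++` side; GNU patch will usually resolve this by picking the existing file, but the mismatch makes the patch depend on that heuristic and will confuse tools that take the old name literally. Change the header to `--- a/src/master/master-settings.c` so both sides agree. The preamble is helpful, but "is installed file ... with:" reads awkwardly; a wording such as "a file /usr/share/dovecot/protocols.d/$subname.conf is installed containing:" would be clearer for whoever next maintains the split.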
diff --git a/user/dovecot/ssl-paths.patch b/user/dovecot/ssl-paths.patch
new file mode 100644
index 000000000..b354b607e
--- /dev/null
+++ b/user/dovecot/ssl-paths.patch
@@ -0,0 +1,13 @@
+--- dovecot-2.3.10/doc/example-config/conf.d/10-ssl.conf	2020-03-05 14:35:53.000000000 +0000
++++ dovecot-2.3.10.new/doc/example-config/conf.d/10-ssl.conf	2020-04-26 06:49:45.860000000 +0000
+@@ -9,8 +9,8 @@
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-ssl_cert = </etc/ssl/certs/dovecot.pem
+-ssl_key = </etc/ssl/private/dovecot.pem
++ssl_cert = </etc/ssl/dovecot/server.pem
++ssl_key = </etc/ssl/dovecot/server.key
+ 
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter. Since this file is often
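Review bot: The context lines this patch preserves still tell the administrator that "Included doc/mkcert.sh can be used to easily generate self-signed certificate", but the APKBUILD in this commit deletes mkcert.sh from the doc directory and generates the certificate in dovecot.post-install instead, so the shipped 10-ssl.conf will point users at a script that does not exist. Since this patch already rewrites the neighbouring `ssl_cert`/`ssl_key` lines, it is the natural place to also replace the two comment lines, for example with `# root. The dovecot package generates a self-signed certificate here on first` and `# install; update the domains in /etc/dovecot/dovecot-openssl.cnf beforehand.` The header lines use full `dovecot-2.3.10/` paths rather than `a/`/`b/`, which works with the default `-p1` but differs from the other patches in this directory.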
-- 
cgit v1.2.3-70-g09d2