From ed2e5d142804bd69d296c39c6b861b8401718469 Mon Sep 17 00:00:00 2001
From: Lee Starnes
Date: Wed, 6 May 2020 00:53:22 +0000
Subject: user/dovecot: review fixes

- move default SSL key and cert stuff to a patch
- use auth-system.conf instead of auth-passwdfile.conf because we have PAM
- explain manual removal of *.la
- other Adelification fixes
---
 user/dovecot/APKBUILD | 280 ++++++++++++++++++++++++++++++++++++
 user/dovecot/default-config.patch | 46 ++++++
 user/dovecot/dovecot.initd | 40 ++++++
 user/dovecot/dovecot.logrotate | 12 ++
 user/dovecot/dovecot.post-install | 45 ++++++
 user/dovecot/dovecot.post-upgrade | 7 +
 user/dovecot/dovecot.pre-install | 8 ++
 user/dovecot/skip-iconv-check.patch | 11 ++
 user/dovecot/split-protocols.patch | 30 ++++
 user/dovecot/ssl-paths.patch | 13 ++
 10 files changed, 492 insertions(+)
 create mode 100644 user/dovecot/APKBUILD
 create mode 100644 user/dovecot/default-config.patch
 create mode 100644 user/dovecot/dovecot.initd
 create mode 100644 user/dovecot/dovecot.logrotate
 create mode 100644 user/dovecot/dovecot.post-install
 create mode 100644 user/dovecot/dovecot.post-upgrade
 create mode 100644 user/dovecot/dovecot.pre-install
 create mode 100644 user/dovecot/skip-iconv-check.patch
 create mode 100644 user/dovecot/split-protocols.patch
 create mode 100644 user/dovecot/ssl-paths.patch
(limited to 'user')
diff --git a/user/dovecot/APKBUILD b/user/dovecot/APKBUILD
new file mode 100644
index 000000000..f78987820
--- /dev/null
+++ b/user/dovecot/APKBUILD
@@ -0,0 +1,280 @@
+# Contributor: Valery Kartel
+# Contributor: Lukasz Jendrysik
+# Contributor: Michael Mason
+# Contributor: Jakub Jirutka
+# Contributor: Natanael Copa
+# Maintainer: Lee Starnes
+pkgname=dovecot
+pkgver=2.3.10
+_pkgvermajor=${pkgver%.*}
+pkgrel=0
+_pigeonholever=0.5.9
+_pigeonholevermajor=${_pigeonholever%.*}
+pkgdesc="IMAP and POP3 server"
+url="https://www.dovecot.org/"
+arch="all"
+options="libtool"
+license="LGPL-2.0+"
+depends="openssl"
+pkgusers="dovecot dovenull"
+pkggroups="dovecot dovenull"
+makedepends="
+	autoconf
+	automake
+	bzip2-dev
+	clucene-dev
+	expat-dev
+	krb5-dev
+	libcap-dev
+	openssl-dev
+	libtool
+	linux-headers
+	linux-pam-dev
+	mariadb-dev
+	openldap-dev
+	postgresql-dev
+	sqlite-dev
+	zlib-dev
+	libsodium-dev
+	"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+subpackages="
+	$pkgname-doc
+	$pkgname-dev
+	$pkgname-openrc
+	$pkgname-lmtpd
+	$pkgname-pop3d
+	$pkgname-submissiond
+	$pkgname-pigeonhole-plugin-ldap:_sieve_ldap
+	$pkgname-pigeonhole-plugin:_sieve
+	$pkgname-sql
+	$pkgname-pgsql
+	$pkgname-mysql
+	$pkgname-sqlite
+	$pkgname-gssapi
+	$pkgname-ldap
+	$pkgname-fts-solr:_fts_solr
+	$pkgname-fts-lucene:_fts_lucene
+	"
+source="https://www.dovecot.org/releases/$_pkgvermajor/dovecot-$pkgver.tar.gz
+	https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
+	skip-iconv-check.patch
+	split-protocols.patch
+	default-config.patch
+	ssl-paths.patch
+	dovecot.logrotate
+	dovecot.initd
+	"
+_builddir_pigeonhole="$srcdir/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever"
+
+_configure() {
+	./configure \
+		--build=$CBUILD \
+		--host=$CHOST \
+		--prefix=/usr \
+		--localstatedir=/var \
+		--sysconfdir=/etc \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--disable-static \
+		"$@"
+}
+
+build() {
+	_configure \
+		--with-gssapi=plugin \
+		--with-ldap=plugin \
+		--with-sql=plugin \
+		--with-pam \
+		--with-mysql \
+		--with-sqlite \
+		--with-pgsql \
+		--with-solr \
+		--with-lucene \
+		--with-ssl=openssl \
+		--with-ssldir=/etc/ssl/dovecot \
+		--with-rundir=/run/dovecot
+	make
+
+	# Build pigeonhole plugin
+	cd "$_builddir_pigeonhole"
+	_configure \
+		--with-dovecot="$builddir" \
+		--with-ldap=plugin
+	make
+}
+
+check() {
+	make check
+}
+
+package() {
+	make DESTDIR="$pkgdir" install
+
+	cd "$pkgdir"
+
+	install -d ./etc/ssl/dovecot
+	install -D -m 755 "$srcdir"/dovecot.initd ./etc/init.d/dovecot
+	install -D -m 644 "$srcdir"/dovecot.logrotate ./etc/logrotate.d/dovecot
+
+	# default config
+	rm ./etc/dovecot/*
+	rm ./usr/share/doc/dovecot/mkcert.sh
+	mv ./usr/share/doc/dovecot/dovecot-openssl.cnf ./etc/dovecot/
+	mv ./usr/share/doc/dovecot/example-config/dovecot* \
+		./usr/share/doc/dovecot/example-config/conf.d \
+		./etc/dovecot/
+	rm -fr ./usr/share/doc/dovecot/example-config
+
+	# Installing pigeonhole plugin.
+	cd "$_builddir_pigeonhole"
+	make install DESTDIR="$pkgdir"
+
+	# Moving config in the correct place
+	mv "$pkgdir"/usr/share/doc/dovecot/example-config/conf.d/* \
+		"$pkgdir"/etc/dovecot/conf.d
+
+	# Remove libtool archives. abuild doesn't remove them automatically even without options=libtool.
+	find "$pkgdir" -name '*.la' | xargs rm -f
+}
+
+dev() {
+	default_dev
+	mkdir -p "$subpkgdir"/usr/lib/dovecot
+	mv "$pkgdir"/usr/lib/dovecot/dovecot-config \
+		"$subpkgdir"/usr/lib/dovecot/
+}
+
+lmtpd() {
+	pkgdesc="$pkgdesc (LMTP server)"
+	_protocol lmtp
+}
+
+pop3d() {
+	pkgdesc="$pkgdesc (POP3 daemon)"
+	_protocol pop3
+}
+
+submissiond() {
+	pkgdesc="$pkgdesc (mail submission agent)"
+	_protocol submission
+}
+
+_protocol() {
+	depends="$pkgname=$pkgver-r$pkgrel"
+	_name="$1"
+	_protocolsd="$subpkgdir/usr/share/dovecot/protocols.d"
+
+	cd "$pkgdir"
+	_submv usr/libexec/dovecot/$_name*
+	_submv etc/dovecot/conf.d/*-$_name.conf
+
+	mkdir -p "$_protocolsd"
+	echo "protocols = \$protocols $_name" \
+		> "$_protocolsd"/${subpkgname#$pkgname-}.conf
+}
+
+_sieve() {
+	pkgdesc="Sieve and managesieve plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*sieve_extprograms*')
+	_submv $(find usr/ -name '*sieve_imapsieve*')
+	_submv $(find usr/ -name '*sieve*')
+	_submv $(find usr/ -name '*pigeonhole*')
+	_submv $(find etc/dovecot/ -name '*sieve*')
+}
+
+_sieve_ldap() {
+	pkgdesc="Sieve and managesieve plugin for Dovecot (LDAP support)"
+	depends="$pkgname-pigeonhole-plugin=$pkgver-r$pkgrel $pkgname-ldap=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_sieve_storage_ldap_*')
+}
+
+pgsql() {
+	pkgdesc="PostgreSQL driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_pgsql*')
+}
+
+mysql() {
+	pkgdesc="MySQL driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_mysql*')
+}
+
+sqlite() {
+	pkgdesc="SQLite driver for Dovecot"
+	depends="$pkgname-sql=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_sqlite*')
+}
+
+gssapi() {
+	pkgdesc="GSSAPI auth plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*_gssapi*')
+}
+
+ldap() {
+	pkgdesc="LDAP auth plugin for Dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*[_-]ldap*')
+	_submv $(find etc/dovecot/ -name '*-ldap.conf*')
+}
+
+sql() {
+	pkgdesc="SQL plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*-sql.*')
+	_submv $(find etc/dovecot/ -name '*-sql.conf*')
+}
+
+_fts_solr() {
+	pkgdesc="FTS-Solr plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*fts*solr*')
+}
+
+_fts_lucene() {
+	pkgdesc="FTS-Lucene plugin for dovecot"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	cd "$pkgdir"
+	_submv $(find usr/ -name '*fts*lucene*')
+}
+
+_submv() {
+	while [ $# -gt 0 ]; do
+		_dir=${1%/*}
+		mkdir -p "$subpkgdir"/$_dir
+		mv "$pkgdir/$1" "$subpkgdir/$_dir/"
+		[ "$(ls -A $pkgdir/$_dir)" ] || rmdir "$pkgdir"/$_dir
+		shift
+	done
+}
+
+sha512sums="73e10d7d1e616d6599eb53f2d2d1ac0f0f2e6e84019faac5cd525e833da44839a7e483635b61d432e3254a9e5f6f90915bec8940c584210341085241949dffa2 dovecot-2.3.10.tar.gz
+1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8 dovecot-2.3-pigeonhole-0.5.9.tar.gz
+fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
+794875dbf0ded1e82c5c3823660cf6996a7920079149cd8eed54231a53580d931b966dfb17185ab65e565e108545ecf6591bae82f935ab1b6ff65bb8ee93d7d5 split-protocols.patch
+0d8f89c7ba6f884719b5f9fc89e8b2efbdc3e181de308abf9b1c1b0e42282f4df72c7bf62f574686967c10a8677356560c965713b9d146e2770aab17e95bcc07 default-config.patch
+5e68a0042a7c11b3d8c411fc157f5960e2e3305dac11f4b6b880441e2b4105769ddf6c56f67a995af6e1a58f3bfa2c199ea51318a3a0e37c7ef0ae6c4109b13f ssl-paths.patch
+9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
+d91951b81150d7a3ef6a674c0dc7b012f538164dac4b9d27a6801d31da6813b764995a438f69b6a680463e1b60a3b4f2959654f68e565fe116ea60312d5e5e70 dovecot.initd"
diff --git a/user/dovecot/default-config.patch b/user/dovecot/default-config.patch
new file mode 100644
index 000000000..0f8a7385a
--- /dev/null
+++ b/user/dovecot/default-config.patch
@@ -0,0 +1,46 @@
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -208,10 +208,10 @@
+ 
+ # UNIX socket path to master authentication server to find users.
+ # This is used by imap (for shared users) and lda.
+-#auth_socket_path = /var/run/dovecot/auth-userdb
++#auth_socket_path = /run/dovecot/auth-userdb
+ 
+ # Directory where to look up mail plugins.
+-#mail_plugin_dir = /usr/lib/dovecot
++#mail_plugin_dir = /usr/lib/dovecot/modules
+ 
+ # Space separated list of plugins to load for all services. Plugins specific to
+ # IMAP, LDA, etc. are added to this list in their own .conf files.
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+ 
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,7 +3,10 @@
+ ##
+ 
+ # SSL/TLS support: yes, no, required.
+-#ssl = yes
++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
++# POP3S, IMAP+TLS and IMAPS.
++# Plain IMAP and POP3 are still allowed for local connections.
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -67,7 +67,7 @@
+ #ssl_curve_list =
+ 
+ # Prefer the server's order of ciphers over client's.
+-#ssl_prefer_server_ciphers = no
++ssl_prefer_server_ciphers = yes
+ 
+ # SSL crypto device to use, for valid values run "openssl engine"
+ #ssl_crypto_device = 
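Review bot: `find "$pkgdir" -name '*.la' | xargs rm -f` at the end of package() hands the paths to rm through word splitting, so any whitespace in a path breaks it; `find "$pkgdir" -name '*.la' -delete` removes the same files without the pipe. The same quoting gap is in `_submv`, where `$(ls -A $pkgdir/$_dir)` and `rmdir "$pkgdir"/$_dir` leave `$_dir` unquoted. Separately, `install -d ./etc/ssl/dovecot` creates the directory with the default mode although the post-install script appears to place the generated private key under that same SSLDIR; since Dovecot reads the key before dropping privileges, `install -d -m 0750 ./etc/ssl/dovecot` would be worth considering — I have not checked what mode the key file itself receives.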
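Review bot: The 10-ssl.conf hunks set `ssl = required` and `ssl_prefer_server_ciphers = yes` but leave `ssl_min_protocol` at the upstream default, which on the 2.3 branch I believe is still TLSv1 — worth confirming against the 2.3.10 example config. If that is the case, adding `ssl_min_protocol = TLSv1.2` beside the prefer-server-ciphers change in the `@@ -67,7 +67,7 @@` hunk would complete the hardening this patch is clearly aiming for. The added comment that plain IMAP and POP3 stay available for local connections describes Dovecot's own behaviour rather than anything this patch sets, so noting that it is not configured here would help the next maintainer.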
diff --git a/user/dovecot/dovecot.initd b/user/dovecot/dovecot.initd
new file mode 100644
index 000000000..721f131ad
--- /dev/null
+++ b/user/dovecot/dovecot.initd
@@ -0,0 +1,40 @@
+#!/sbin/openrc-run
+
+[ "$RC_SVCNAME" != "${RC_SVCNAME##*.}" ] && instance=${RC_SVCNAME##*.}
+
+description="Secure POP3/IMAP server"
+
+cfgfile=/etc/dovecot/dovecot${instance:+.$instance}.conf
+pidfile=$(doveconf -c $cfgfile -h base_dir 2>/dev/null)/master.pid
+command=/usr/sbin/dovecot
+command_args=${instance:+-c $cfgfile}
+required_files="$cfgfile"
+extra_started_commands="reload reopen"
+description_reload="Reload configuration"
+description_reopen="Reopen log files"
+
+depend() {
+	need localmount net
+	before mta
+	after bootmisc firewall ldap mysql ntp-client ntpd postgresql saslauthd slapd
+	use logger
+}
+
+start_pre() {
+	ebegin
+	doveconf -c $cfgfile -x >/dev/null 2>&1 && \
+		checkpath --directory ${pidfile%/*}
+	eend $?
+}
+
+reload() {
+	ebegin "Reloading $RC_SVCNAME configs and restarting auth/login processes"
+	start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
+	eend $?
+}
+
+reopen() {
+	ebegin "Reopening $RC_SVCNAME log files"
+	start-stop-daemon --signal USR1 --pidfile $pidfile
+	eend $?
+}
diff --git a/user/dovecot/dovecot.logrotate b/user/dovecot/dovecot.logrotate
new file mode 100644
index 000000000..b1a4087b4
--- /dev/null
+++ b/user/dovecot/dovecot.logrotate
@@ -0,0 +1,12 @@
+/var/log/dovecot*.log {
+	daily
+	missingok
+	copytruncate
+	rotate 7
+	compress
+	notifempty
+	sharedscripts
+	postrotate
+		/etc/init.d/dovecot --quiet --ifstarted reopen
+	endscript
+}
diff --git a/user/dovecot/dovecot.post-install b/user/dovecot/dovecot.post-install
new file mode 100644
index 000000000..eb70cdece
--- /dev/null
+++ b/user/dovecot/dovecot.post-install
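Review bot: In start_pre(), `doveconf -c $cfgfile -x >/dev/null 2>&1` throws away the diagnostics that say why the configuration check failed, and the bare `ebegin` before it prints no step name, so an operator whose service refuses to start sees only a failed, unlabelled step. Keeping stderr and labelling the step, `ebegin "Checking $RC_SVCNAME configuration"` followed by `doveconf -c "$cfgfile" -x >/dev/null && \`, gives the failure a cause on the console. `$cfgfile` and `$pidfile` are unquoted on the `pidfile=`, `command_args=`, `reload` and `reopen` lines too; the path is fixed under /etc/dovecot, so that is a consistency point rather than a defect.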
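Review bot: In dovecot.logrotate, `copytruncate` and the `reopen` postrotate do the same job twice, and copytruncate is the lossy one: log lines written between the copy and the truncate are dropped. Since the init script already offers a USR1-based `reopen`, replacing `copytruncate` with `create` and letting the postrotate reopen the files avoids that window. This only applies when Dovecot's `log_path` points at /var/log/dovecot*.log; with syslog logging the stanza is a no-op through `missingok`.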
@@ -0,0 +1,45 @@ +#!/bin/sh + +# based on doc/mkcert.sh + +# if ssl disabled then lets just exit +doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0 +# Generates a self-signed certificate. + +OPENSSL=${OPENSSL-openssl} +SSLDIR=${SSLDIR-/etc/ssl/dovecot} +OPENSSLCONFIG=${OPENSSLCONFIG-/etc/dovecot/dovecot-openssl.cnf} + +CERTDIR=$SSLDIR +KEYDIR=$SSLDIR + +# check if we have ssl_cert and/or key (for dovecot-2.0+) +# try expand the cert/key itself and if found, lets just keep it +[ -n "$(doveconf -x ssl_cert 2>/dev/null)" ] && exit 0 +[ -n "$(doveconf -x ssl_key 2>/dev/null)" ] && exit 0 + +ssl_cert_file=$(doveconf ssl_cert | sed 's/.*= /dev/null +groupadd -r dovenull 2>/dev/null +useradd -r -u 90 -h /dev/null -s /sbin/nologin -g dovecot dovecot 2>/dev/null +useradd -r -u 91 -h /dev/null -s /sbin/nologin -g dovenull dovenull 2>/dev/null + +exit 0 diff --git a/user/dovecot/skip-iconv-check.patch b/user/dovecot/skip-iconv-check.patch new file mode 100644 index 000000000..bb1002c84 --- /dev/null +++ b/user/dovecot/skip-iconv-check.patch @@ -0,0 +1,11 @@ +--- a/src/lib-charset/test-charset.c ++++ b/src/lib-charset/test-charset.c +@@ -159,7 +159,7 @@ + static void (*const test_functions[])(void) = { + test_charset_is_utf8, + test_charset_utf8, +-#ifdef HAVE_ICONV ++#if 0 //def HAVE_ICONV + test_charset_iconv, + test_charset_iconv_crashes, + test_charset_iconv_utf7_state, diff --git a/user/dovecot/split-protocols.patch b/user/dovecot/split-protocols.patch new file mode 100644 index 000000000..b4bed2ccb --- /dev/null +++ b/user/dovecot/split-protocols.patch 
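Review bot: skip-iconv-check.patch turns `#ifdef HAVE_ICONV` into `#if 0 //def HAVE_ICONV` in test-charset.c, which drops the iconv test cases from `make check`, but neither the patch nor the APKBUILD records why they fail here or when the skip can be lifted. split-protocols.patch in the same commit shows the convention: free text ahead of the first `---` header. A lead-in such as `Skip the iconv test cases: they fail on this platform because <REASON>; re-check on the next upstream bump.` — with the real failure mode in place of the placeholder — tells the next maintainer whether the patch is still needed.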
@@ -0,0 +1,30 @@
+For each protocol $prot, which is moved into subpackage $subname,
+is installed file /usr/share/dovecot/protocols.d/$subname.conf with:
+
+    protocols = $protocols $prot
+
+--- a/doc/example-config/dovecot.conf
++++ b/doc/example-config/dovecot.conf
+@@ -20,8 +20,9 @@
+ # options. The paths listed here are for configure --prefix=/usr
+ # --sysconfdir=/etc --localstatedir=/var
+ 
+-# Protocols we want to be serving.
+-#protocols = imap pop3 lmtp submission
++# Enable installed protocols.
++#protocols = imap
++!include_try /usr/share/dovecot/protocols.d/*.conf
+ 
+ # A comma separated list of IPs or hosts where to listen in for connections.
+ # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+--- a/src/master/master-settings.c.orig
++++ b/src/master/master-settings.c
+@@ -206,7 +206,7 @@
+ 	.state_dir = PKG_STATEDIR,
+ 	.libexec_dir = PKG_LIBEXECDIR,
+ 	.instance_name = PACKAGE,
+-	.protocols = "imap pop3 lmtp",
++	.protocols = "imap",
+ 	.listen = "*, ::",
+ 	.ssl = "yes:no:required",
+ 	.default_internal_user = "dovecot",
diff --git a/user/dovecot/ssl-paths.patch b/user/dovecot/ssl-paths.patch
new file mode 100644
index 000000000..b354b607e
--- /dev/null
+++ b/user/dovecot/ssl-paths.patch
@@ -0,0 +1,13 @@
+--- dovecot-2.3.10/doc/example-config/conf.d/10-ssl.conf	2020-03-05 14:35:53.000000000 +0000
++++ dovecot-2.3.10.new/doc/example-config/conf.d/10-ssl.conf	2020-04-26 06:49:45.860000000 +0000
+@@ -9,8 +9,8 @@
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-ssl_cert =
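Review bot: The second file header in split-protocols.patch pairs `--- a/src/master/master-settings.c.orig` with `+++ b/src/master/master-settings.c`; `patch -p1` still applies it because the `+++` name wins, but the `.orig` suffix reads as a leftover from a local edit rather than a regenerated patch. `--- a/src/master/master-settings.c` keeps it consistent with the dovecot.conf header at the top of the same file. The explanatory text before the first header is useful and worth keeping; the other patches in this commit would benefit from the same kind of preamble.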