From f65f3a8a6a990680fde09fb78d5079bae3908b67 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse <jpp@koozali.org>
Date: Fri, 5 Apr 2024 00:38:53 -0400
Subject: [PATCH] * Thu Apr 04 2024 Jean-Philippe Pialasse <jpp@koozali.org>
 11.0.0-6.sme - fix migrate fragment error  [SME: 12548] - add support for
 quota-fs [SME: 11733] - fix ssl and config issues [SME: 12571] - use external
 dh parameter [SME: 10935]

---
 createlinks                                         |  1 -
 root/etc/e-smith/db/configuration/migrate/dovecot   | 10 ++++++++--
 .../templates/etc/dovecot/dovecot.conf/35ssl        | 13 ++++---------
 .../dovecot.service.d/50koozali.conf/80install      |  2 --
 root/sbin/e-smith/systemd/dovecot-control           |  4 ++++
 .../system/dovecot.service.d/50koozali.conf}        |  8 ++++++++
 smeserver-dovecot.spec                              |  8 +++++++-
 7 files changed, 31 insertions(+), 15 deletions(-)
 delete mode 100644 root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/80install
 create mode 100644 root/sbin/e-smith/systemd/dovecot-control
 rename root/{etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/40service => usr/lib/systemd/system/dovecot.service.d/50koozali.conf} (59%)

diff --git a/createlinks b/createlinks
index 35e727e..cbef5ca 100644
--- a/createlinks
+++ b/createlinks
@@ -20,7 +20,6 @@ event_link("adjust-dovecot", "smeserver-dovecot-update", "02");
 event_link("systemd-reload", "smeserver-dovecot-update", "89");
 event_link("systemd-default", "smeserver-dovecot-update", "88");
 templates2events("/etc/rsyslog.conf","smeserver-dovecot-update");
-templates2events("/usr/lib/systemd/system/dovecot.service.d/50koozali.conf", qw(bootstrap-console-save console-save post-install post-upgrade smeserver-dovecot-update ));
 
 # in case the ip change
 safe_symlink("sigusr2", "root/etc/e-smith/events/ip-change/services2adjust/dovecot");
diff --git a/root/etc/e-smith/db/configuration/migrate/dovecot b/root/etc/e-smith/db/configuration/migrate/dovecot
index f05e689..41ada24 100644
--- a/root/etc/e-smith/db/configuration/migrate/dovecot
+++ b/root/etc/e-smith/db/configuration/migrate/dovecot
@@ -1,5 +1,11 @@
 {
- foreach my $sservice qw(imap imaps pop3 pop3s) {
-  $DB->set_prop($sservice, "type", "configuration") if  $DB->${$sservice}->{type} eq "service";
+ foreach my $sservice (qw(imap imaps pop3 pop3s)) {
+  $DB->set_prop($sservice, "type", "configuration") if  ${$sservice}{type} eq "service";
  }
+ # drop dovecot SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 and move to ssl_min_protocol
+ # drop dovecot dh
+ foreach my $prope (qw( SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 dh )) {
+  $DB->get_prop_and_delete('dovecot', $prope) if (exists $dovecot{$prope});
+ }
+
 }
diff --git a/root/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl b/root/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
index aa46a56..2d88165 100644
--- a/root/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
+++ b/root/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
@@ -3,16 +3,11 @@ ssl_cert = </etc/dovecot/ssl/imapd.pem
 ssl_key = </etc/dovecot/ssl/imapd.pem
 {
 
-my $proto = '';
-$proto .= ' !SSLv2' unless ($dovecot{'SSLv2'} || 'disabled') eq 'enabled';
-$proto .= ' !SSLv3' unless ($dovecot{'SSLv3'} || 'disabled') eq 'enabled';
-$proto .= ' !TLSv1' unless ($dovecot{'TLSv1'} || 'disabled') eq 'enabled';
-$proto .= ' !TLSv1.1' unless ($dovecot{'TLSv1.1'} || 'disabled') eq 'enabled';
-$proto .= ' !TLSv1.2' unless ($dovecot{'TLSv1.2'} || 'enabled') eq 'enabled';
+my %protos={SLv3=>1,TLSv1=>1, TLSv1.1=>1, TLSv1.2=>1,TLSv1.3=>1};
+my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $protos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : 'TLSv1.2';
 
-my $dh = $dovecot{'dh'} || '4096';
-$OUT .= "ssl_dh_parameters_length = $dh\n";
-$OUT .= "ssl_protocols = $proto\n" if ($proto ne '');
+$OUT .= "ssl_dh=</etc/dovecot/ssl/dhparam.pem\n";
+$OUT .= "ssl_min_protocol = $proto\n" if ($proto ne '');
 $OUT .= "ssl_prefer_server_ciphers = yes\n";
 $OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
 
diff --git a/root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/80install b/root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/80install
deleted file mode 100644
index aa4f147..0000000
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/80install
+++ /dev/null
@@ -1,2 +0,0 @@
-[Install]
-WantedBy=sme-server.target
diff --git a/root/sbin/e-smith/systemd/dovecot-control b/root/sbin/e-smith/systemd/dovecot-control
new file mode 100644
index 0000000..a9ec36c
--- /dev/null
+++ b/root/sbin/e-smith/systemd/dovecot-control
@@ -0,0 +1,4 @@
+#!/bin/bash
+# Create dhparam
+[ -e /etc/dovecot/ssl/dhparam.pem ] || \
+    RANDFILE=/dev/null /usr/bin/openssl dhparam -out /etc/dovecot/ssl/dhparam.pem 2048
diff --git a/root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/40service b/root/usr/lib/systemd/system/dovecot.service.d/50koozali.conf
similarity index 59%
rename from root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/40service
rename to root/usr/lib/systemd/system/dovecot.service.d/50koozali.conf
index c522d4c..49e2e45 100644
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/dovecot.service.d/50koozali.conf/40service
+++ b/root/usr/lib/systemd/system/dovecot.service.d/50koozali.conf
@@ -6,5 +6,13 @@ ExecStartPre=-/sbin/e-smith/service-status dovecot
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/dovecot.conf
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/master.users
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/ssl/imapd.pem
+ExecStartPre=-/sbin/e-smith/systemd/dovecot-control
 ExecStartPre=-/usr/sbin/portrelease dovecot
 Restart=always
+#SME:11733 needed for Dovecot quota-fs https://doc.dovecot.org/configuration_manual/quota/quota_fs/
+PrivateDevices=off
+#allow our expand-templates
+PermissionsStartOnly=true
+[Install]
+WantedBy=sme-server.target
+
diff --git a/smeserver-dovecot.spec b/smeserver-dovecot.spec
index 69a6227..78ab49e 100644
--- a/smeserver-dovecot.spec
+++ b/smeserver-dovecot.spec
@@ -1,5 +1,5 @@
 %define version 11.0.0
-%define release 5
+%define release 6
 %define name smeserver-dovecot
 
 
@@ -38,6 +38,12 @@ Configure the dovecot IMAP server with sieve scripts support,
 quota, ACL, extended logging, master user
 
 %changelog
+* Thu Apr 04 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-6.sme
+- fix migrate fragment error  [SME: 12548]
+- add support for quota-fs [SME: 11733]
+- fix ssl and config issues [SME: 12571]
+- use external dh parameter [SME: 10935]
+
 * Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-5.sme
 - Set license file to GPL2.0  [SME: 12577]