* Thu Apr 04 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-6.sme

- fix migrate fragment error  [SME: 12548]
- add support for quota-fs [SME: 11733]
- fix ssl and config issues [SME: 12571]
- use external dh parameter [SME: 10935]
Jean-Philippe Pialasse 2024-04-05 00:38:53 -04:00
parent e833d6e71d
commit f65f3a8a6a
7 changed files with 31 additions and 15 deletions


@ -20,7 +20,6 @@ event_link("adjust-dovecot", "smeserver-dovecot-update", "02");
event_link("systemd-reload", "smeserver-dovecot-update", "89"); event_link("systemd-reload", "smeserver-dovecot-update", "89");
event_link("systemd-default", "smeserver-dovecot-update", "88"); event_link("systemd-default", "smeserver-dovecot-update", "88");
templates2events("/etc/rsyslog.conf","smeserver-dovecot-update"); templates2events("/etc/rsyslog.conf","smeserver-dovecot-update");
templates2events("/usr/lib/systemd/system/dovecot.service.d/50koozali.conf", qw(bootstrap-console-save console-save post-install post-upgrade smeserver-dovecot-update ));
# in case the ip change # in case the ip change
safe_symlink("sigusr2", "root/etc/e-smith/events/ip-change/services2adjust/dovecot"); safe_symlink("sigusr2", "root/etc/e-smith/events/ip-change/services2adjust/dovecot");


@ -1,5 +1,11 @@
{ {
foreach my $sservice qw(imap imaps pop3 pop3s) { foreach my $sservice (qw(imap imaps pop3 pop3s)) {
$DB->set_prop($sservice, "type", "configuration") if $DB->${$sservice}->{type} eq "service"; $DB->set_prop($sservice, "type", "configuration") if ${$sservice}{type} eq "service";
} }
# drop dovecot SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 and move to ssl_min_protocol
# drop dovecot dh
foreach my $prope (qw( SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 dh )) {
$DB->get_prop_and_delete('dovecot', $prope) if (exists $dovecot{$prope});
}
} }
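Review bot: `${$sservice}{type}` on the `set_prop` line is a symbolic dereference of a hash named after the string in `$sservice` (`%imap`, `%imaps`, …); unless the migrate harness populates such hashes, it reads undef (and dies under `strict refs`), so the type is never rewritten. Reading the record through the handle removes the ambiguity: `$DB->set_prop($sservice, 'type', 'configuration') if ($DB->get_prop($sservice, 'type') // '') eq 'service';`. The same question applies to `exists $dovecot{$prope}` in the new loop — if `%dovecot` is not in scope here, the guard is always false and the old protocol flags and `dh` are never removed; `if defined $DB->get_prop('dovecot', $prope)` avoids the dependency. The comment says the flags "move to ssl_min_protocol", but the loop only deletes them; if raising every installation to the template default is intended, the comment should say so.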


@ -3,16 +3,11 @@ ssl_cert = </etc/dovecot/ssl/imapd.pem
ssl_key = </etc/dovecot/ssl/imapd.pem ssl_key = </etc/dovecot/ssl/imapd.pem
{ {
my $proto = ''; my %protos={SLv3=>1,TLSv1=>1, TLSv1.1=>1, TLSv1.2=>1,TLSv1.3=>1};
$proto .= ' !SSLv2' unless ($dovecot{'SSLv2'} || 'disabled') eq 'enabled'; my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $protos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : 'TLSv1.2';
$proto .= ' !SSLv3' unless ($dovecot{'SSLv3'} || 'disabled') eq 'enabled';
$proto .= ' !TLSv1' unless ($dovecot{'TLSv1'} || 'disabled') eq 'enabled';
$proto .= ' !TLSv1.1' unless ($dovecot{'TLSv1.1'} || 'disabled') eq 'enabled';
$proto .= ' !TLSv1.2' unless ($dovecot{'TLSv1.2'} || 'enabled') eq 'enabled';
my $dh = $dovecot{'dh'} || '4096'; $OUT .= "ssl_dh=</etc/dovecot/ssl/dhparam.pem\n";
$OUT .= "ssl_dh_parameters_length = $dh\n"; $OUT .= "ssl_min_protocol = $proto\n" if ($proto ne '');
$OUT .= "ssl_protocols = $proto\n" if ($proto ne '');
$OUT .= "ssl_prefer_server_ciphers = yes\n"; $OUT .= "ssl_prefer_server_ciphers = yes\n";
$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n"; $OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
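Review bot: `my %protos={SLv3=>1,TLSv1=>1, TLSv1.1=>1, TLSv1.2=>1,TLSv1.3=>1};` assigns an anonymous hash reference to a hash, so `%protos` ends up with a single stringified `HASH(0x…)` key and the `exists $protos{...}` test on the next line is always false; any configured `ssl_min_protocol` is silently replaced by `TLSv1.2`. The dotted names are also not identifiers, so `=>` does not auto-quote them (`'TLSv1.1' => 1` would be needed), and `SLv3` looks like a typo. Building the set from a list fixes all three: `my %protos = map { $_ => 1 } qw(TLSv1 TLSv1.1 TLSv1.2 TLSv1.3);` — leaving SSLv3 out of the accepted minimums is consistent with the migrate fragment that drops the SSLv2/SSLv3 flags. The `if ($proto ne '')` guard on the `ssl_min_protocol` line is then dead, since `$proto` is always one of the keys or `'TLSv1.2'`. The closing of this template block is not shown in the hunk.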


@ -1,2 +0,0 @@
[Install]
WantedBy=sme-server.target


@ -0,0 +1,4 @@
#!/bin/bash
# Create dhparam
[ -e /etc/dovecot/ssl/dhparam.pem ] || \
RANDFILE=/dev/null /usr/bin/openssl dhparam -out /etc/dovecot/ssl/dhparam.pem 2048
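Review bot: The `[ -e … ]` guard treats an empty or truncated `dhparam.pem` as finished: openssl opens the output file before the slow generation completes, so an interrupted first start (2048-bit generation can take long enough to matter inside an `ExecStartPre`) can leave an empty file that is never regenerated, after which dovecot cannot load the `ssl_dh` it now points at. `[ -s /etc/dovecot/ssl/dhparam.pem ] || …` is the safer guard, ideally writing to a temporary name and moving it into place on success. Nothing reports a failure here; an `echo "dovecot-control: dhparam generation failed" >&2` on the failure path would at least surface it in the journal. The 2048-bit length is hard-coded while the old template honoured `$dovecot{dh}` (default 4096) and the migrate fragment now deletes that property; a comment recording that choice would help the next reader.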


@ -6,5 +6,13 @@ ExecStartPre=-/sbin/e-smith/service-status dovecot
ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/dovecot.conf ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/dovecot.conf
ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/master.users ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/master.users
ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/ssl/imapd.pem ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/ssl/imapd.pem
ExecStartPre=-/sbin/e-smith/systemd/dovecot-control
ExecStartPre=-/usr/sbin/portrelease dovecot ExecStartPre=-/usr/sbin/portrelease dovecot
Restart=always Restart=always
#SME:11733 needed for Dovecot quota-fs https://doc.dovecot.org/configuration_manual/quota/quota_fs/
PrivateDevices=off
#allow our expand-templates
PermissionsStartOnly=true
[Install]
WantedBy=sme-server.target
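Review bot: `PrivateDevices=off` relaxes the device sandbox of dovecot.service for every installation, not only those that enable quota-fs; the comment could say so, e.g. `# disables the upstream PrivateDevices sandbox; only needed when quota-fs is in use`. `PermissionsStartOnly=true` is deprecated in systemd in favour of a `+` prefix on the specific `ExecStartPre=` lines that need full privileges, and it is a no-op unless the unit sets `User=`, so it may be worth checking whether it is needed at all. The new `dovecot-control` line keeps the `-` prefix, which hides a failure to produce the dhparam file that `dovecot.conf` now requires; consider dropping the `-` for that line so a broken TLS setup fails visibly at start.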


@ -1,5 +1,5 @@
%define version 11.0.0 %define version 11.0.0
%define release 5 %define release 6
%define name smeserver-dovecot %define name smeserver-dovecot
@ -38,6 +38,12 @@ Configure the dovecot IMAP server with sieve scripts support,
quota, ACL, extended logging, master user quota, ACL, extended logging, master user
%changelog %changelog
* Thu Apr 04 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-6.sme
- fix migrate fragment error [SME: 12548]
- add support for quota-fs [SME: 11733]
- fix ssl and config issues [SME: 12571]
- use external dh parameter [SME: 10935]
* Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-5.sme * Thu Apr 04 2024 Brian Read <brianr@koozali.org> 11.0.0-5.sme
- Set license file to GPL2.0 [SME: 12577] - Set license file to GPL2.0 [SME: 12577]