* Tue Mar 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-17.sme

- handle dhparam via template [SME: 12965]

.gitignore

@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak

README.md

@@ -7,7 +7,14 @@ SMEServer Koozali developed git repo for smeserver-dovecot smeserver
 <br />https://wiki.koozali.org/Smeserver-dovecot-extras
 
 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-dovecot&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-dovecot&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-dovecot&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 
 ## Description
 

contriborbase

@@ -1 +0,0 @@
-sme10

createlinks

@@ -21,6 +21,7 @@ event_link("adjust-dovecot", $event, "02");
 event_link("systemd-reload", $event, "89");
 event_link("systemd-default", $event, "88");
 templates2events("/etc/rsyslog.conf", $event);
+templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
 
 # in case the ip change
 safe_symlink("sigusr2", "root/etc/e-smith/events/ip-change/services2adjust/dovecot");
@@ -37,3 +38,12 @@ safe_touch("root/home/e-smith/db/dovecot/sharedmailbox.db");
 
 templates2events("/home/e-smith/files/public/dovecot-acl", "email-update");
 
+
+$event = "dhparam-update";
+templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
+safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/dovecot");
+
+$event = "smeserver-base-update";
+templates2events("/etc/dovecot/ssl/dhparam.pem", $event);
+safe_symlink("try-restart", "root/etc/e-smith/events/$event/services2adjust/dovecot");
+

root/etc/e-smith/db/configuration/defaults/sieve/access

@@ -1 +1 @@
-private
+localhost

root/etc/e-smith/db/configuration/defaults/sieve/type

@@ -1 +1 @@
-service
+configuration

root/etc/e-smith/db/configuration/defaults/sieves/TCPPort

@@ -0,0 +1 @@
+5190

root/etc/e-smith/db/configuration/defaults/sieves/access

@@ -0,0 +1 @@
+private

root/etc/e-smith/db/configuration/defaults/sieves/sieve/TCPPort

@@ -0,0 +1 @@
+4190

root/etc/e-smith/db/configuration/defaults/sieves/sieve/access

@@ -0,0 +1 @@
+private

root/etc/e-smith/db/configuration/defaults/sieves/sieve/status

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/configuration/defaults/sieves/sieve/type

@@ -0,0 +1 @@
+configuration

root/etc/e-smith/db/configuration/defaults/sieves/status

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/configuration/defaults/sieves/type

@@ -0,0 +1 @@
+service

root/etc/e-smith/db/configuration/migrate/dovecot

@@ -7,5 +7,9 @@
  foreach my $prope (qw( SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 dh )) {
   $DB->get_prop_and_delete('dovecot', $prope) if (exists $dovecot{$prope});
  }
+ # drop SSLv2 from ssl_min_protocol
+  foreach my $prope (qw( SSLv2 )) {
+  $DB->get_prop_and_delete('dovecot', 'ssl_min_protocol') if (exists $dovecot{'ssl_min_protocol'} && $dovecot{'ssl_min_protocol'} eq $prope);
+ }
 
 }

root/etc/e-smith/templates.metadata/etc/dovecot/ssl/dhparam.pem

@@ -0,0 +1,6 @@
+TEMPLATE_PATH="/home/e-smith/dh.pem"
+OUTPUT_FILENAME="/etc/dovecot/ssl/dhparam.pem"
+UID="root"
+GID="root"
+PERMS=0644
+

root/etc/e-smith/templates/etc/dovecot/dovecot.conf/30listener11sieve

@@ -1,17 +1,64 @@
 {
-if (($sieve{'status'} || 'enabled') eq 'enabled'){
-    my $port = $sieve{'TCPPort'} || '4190';
-    my $address = $sieve{'Listen'} || '127.0.0.1';
-    $OUT .=<<"HERE";
+my $sieveStatus = $sieve{'status'} || 'enabled';
+my $sievesStatus = $sieves{'status'} || 'enabled';
+my $port = $sieve{'TCPPort'} || '4190';
+# should we only allow localhost ?
+my $sieveAccess = $sieve{'access'} || 'localhost';
+my $sieveListen = $sieve{'Listen'} || '';
+my $sieveAddress = "";
+if ($sieveAccess eq 'localhost') {
+        $sieveAddress = '127.0.0.1';
+    } elsif ($sieveAccess eq 'private') {
+        $sieveAddress = "127.0.0.1 $LOCALIP";
+    } elsif ($sieveAccess eq 'public') {
+        $sieveAddress = "127.0.0.1 $LOCALIP $EXTERNALIP";
+    }
+$sieveAddress .= " $sieveListen";
 
+my $ports = $sieves{'TCPPort'} || '5190';
+my $sievesAccess = $sieves{'access'} || 'localhost';
+my $sievesListen = $sieves{'Listen'} || '';
+my $sievesAddress = "";
+if ($sievesAccess eq 'localhost') {
+        $sievesAddress = '127.0.0.1';
+    } elsif ($sievesAccess eq 'private') {
+        $sievesAddress = "127.0.0.1 $LOCALIP";
+    } elsif ($sievesAccess eq 'public') {
+        $sievesAddress = "127.0.0.1 $LOCALIP $EXTERNALIP";
+    }
+$sievesAddress .= " $sievesListen";
+
+
+if ( $sieveStatus eq 'enabled' || $sievesStatus eq 'enabled') {
+    $OUT .=<<"HERE";
 service managesieve-login {
+
+HERE
+
+    if ( $sieveStatus eq 'enabled' ) {
+    $OUT .=<<"HERE";
   inet_listener sieve {
     port = $port
-    address = $address
+    address = $sieveaddress
   }
+HERE
+}
+
+    if ( $sievesStatus eq 'enabled' ) {
+    $OUT .=<<"HERE";
+  inet_listener sieves {
+    port = $ports
+    ssl = yes
+    address = $sievesaddress
+  }
+HERE
+}
+
+    $OUT .=<<"HERE";
 }
 
 HERE
+
 }
 else {
     $OUT .= "# Sieve is disabled";

root/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl

@@ -2,13 +2,11 @@ ssl = {$OUT .= ( (($imaps{'status'} || 'enabled') eq 'enabled') || (($pops{'stat
 ssl_cert = </etc/dovecot/ssl/imapd.pem
 ssl_key = </etc/dovecot/ssl/imapd.pem
 {
-
-my %protos={SLv3=>1,TLSv1=>1, TLSv1.1=>1, TLSv1.2=>1,TLSv1.3=>1};
-my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $protos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : 'TLSv1.2';
+use esmith::ssl;
+my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $existingSSLprotos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : SSLprotoMin();
 
 $OUT .= "ssl_dh=</etc/dovecot/ssl/dhparam.pem\n";
 $OUT .= "ssl_min_protocol = $proto\n" if ($proto ne '');
 $OUT .= "ssl_prefer_server_ciphers = yes\n";
-$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
-
+$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers ). "\n";
 }

root/etc/e-smith/templates/etc/dovecot/dovecot.conf/65pluginAcl

@@ -45,6 +45,19 @@ _EOF
 my $shared_mb = "\n# SharedMailbox is disabled\n";
 my $public_mb = "\n# PublicMailbox is disabled\n";
 if (($dovecot{'SharedMailbox'} || 'disabled') eq 'enabled'){
+  if (($dovecot{'PrivateIndex'} || 'disabled') eq 'enabled'){
+ $shared_mb =<<'_EOF';
+namespace {
+  type = shared
+  separator = /
+  prefix = shared/%%u/
+  location = maildir:%%h/Maildir:INDEXPVT=~/Maildir/shared/%%u
+  subscriptions = no
+  list = children
+}
+_EOF
+  }
+  if (($dovecot{'PrivateIndex'} || 'disabled') eq 'disabled'){
  $shared_mb =<<'_EOF';
 namespace {
   type = shared
@@ -55,6 +68,7 @@ namespace {
   list = children
 }
 _EOF
+  }
 }
 if (($dovecot{'PublicMailbox'} || 'disabled') eq 'enabled'){
   $public_mb =<<'_EOF';
@@ -87,3 +101,4 @@ _EOF
 push @conf, $common, $shared_mb, $public_mb, $acl;
 $OUT .= '';
 }
+

root/etc/e-smith/templates/etc/dovecot/dovecot.conf/70pluginImapSieve

@@ -10,7 +10,8 @@ plugin {
   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_execute_bin_dir = /usr/libexec/dovecot
   sieve_pipe_bin_dir = /usr/libexec/dovecot
-  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute
+  sieve_implicit_extensions = +vnd.dovecot.report
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.execute  +vnd.dovecot.environment
 
 _EOF
 

root/sbin/e-smith/systemd/dovecot-control

@@ -1,4 +0,0 @@
-#!/bin/bash
-# Create dhparam
-[ -e /etc/dovecot/ssl/dhparam.pem ] || \
-    RANDFILE=/dev/null /usr/bin/openssl dhparam -out /etc/dovecot/ssl/dhparam.pem 2048

root/usr/lib/systemd/system/dovecot.service.d/50koozali.conf

@@ -6,7 +6,7 @@ ExecStartPre=-/sbin/e-smith/service-status dovecot
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/dovecot.conf
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/master.users
 ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/ssl/imapd.pem
-ExecStartPre=-/sbin/e-smith/systemd/dovecot-control
+ExecStartPre=-/sbin/e-smith/expand-template /etc/dovecot/ssl/dhparam.pem
 ExecStartPre=-/usr/sbin/portrelease dovecot
 Restart=always
 #SME:11733 needed for Dovecot quota-fs https://doc.dovecot.org/configuration_manual/quota/quota_fs/

root/usr/libexec/dovecot/learn-ham.sh

@@ -1 +1 @@
-exec /usr/bin/spamc -L ham
+exec /usr/bin/spamc -u spamd --max-size=5283920 -L ham

root/usr/libexec/dovecot/learn-spam.sh

@@ -1 +1 @@
-exec /usr/bin/spamc -L spam
+exec /usr/bin/spamc -u spamd --max-size=5283920 -L spam

smeserver-dovecot.spec

@@ -1,5 +1,5 @@
 %define version 11.0.0
-%define release 8
+%define release 17
 %define name smeserver-dovecot
 
 
@@ -18,6 +18,7 @@ BuildRequires: smeserver-devtools
 
 Requires: smeserver-base >= 5.2.0
 Requires: dovecot >= 2.3.16
+Requires: dovecot-pigeonhole
 Requires: portreserve
 
 Provides: smeserver-imap
@@ -40,8 +41,32 @@ Configure the dovecot IMAP server with sieve scripts support,
 quota, ACL, extended logging, master user
 
 %changelog
-* Wed Sep 11 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
+* Tue Mar 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-17.sme
+- handle dhparam via template [SME: 12965]
+
+* Sun Jan 19 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-15.sme
+- use spamd user for spams/ham learning [SME: 12265]
+  max size to learn hardocded to 5MB. 
+  per user spamassassin config is not supported
+
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme
+- use esmith::ssl to set ciphers and protocol [SME: 12821]
+  improve cipher order to get strongers first
+  drop SSLv2
+
+* Mon Oct 21 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0.0-13.sme
+- use INDEXPVT instead of INDEX for shared mailboxes [SME: 12150]
+
+* Wed Sep 25 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- fix missing sharedmailbox group [SME: 12735]
+
+* Tue Sep 24 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- add missing /home/e-smith/files/public/ folder [SME: 12735]
+
+* Wed Sep 11 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
 - merge dovecot-extra [SME: 12735]
+- add sieves support over ssl and improve template
+- requires dovecot-pigeonhole
 
 * Fri Apr 05 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme
 - add missing requirement for portreserve [SME: 12589]
@@ -265,6 +290,9 @@ if [ $1 -gt 1 ] ; then
   fi
 
 fi
+
+/usr/sbin/groupadd -g 439 sharedmailbox 2> /dev/null || :
+
 %post
 
 %preun