From 2dc5e3945a4246838dfee35b541a9833b844b161 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Thu, 14 May 2020 22:12:11 +0000 Subject: [PATCH] import cyrus-imapd-3.0.7-19.el8 --- .cyrus-imapd.metadata | 5 + .gitignore | 5 + SOURCES/cassandane.ini | 56 ++ SOURCES/cyrus-imapd-CVE-2019-18928.patch | 30 + SOURCES/cyrus-imapd-CVE-2019-19783.patch | 13 + ...cyrus-imapd-close_backup_fd_on_error.patch | 23 + .../cyrus-imapd-close_backup_on_failure.patch | 38 + SOURCES/cyrus-imapd-cve_2019_11356.patch | 26 + SOURCES/cyrus-imapd-init.service | 12 + SOURCES/cyrus-imapd-master_rename.patch | 66 ++ .../cyrus-imapd-memory_leak_on_cleanup.patch | 73 ++ ...cyrus-imapd-memory_leak_on_cleanup_2.patch | 102 ++ SOURCES/cyrus-imapd.cron-daily | 36 + SOURCES/cyrus-imapd.cvt_cyrusdb_all | 409 ++++++++ SOURCES/cyrus-imapd.logrotate | 7 + SOURCES/cyrus-imapd.magic | 9 + SOURCES/cyrus-imapd.pam-config | 5 + SOURCES/cyrus-imapd.service | 21 + SOURCES/cyrus-imapd.sysconfig | 5 + SOURCES/cyrus-imapd.tmpfiles.conf | 5 + SOURCES/patch-cassandane-fix-annotator | 14 + SOURCES/patch-cassandane-no-syslog | 21 + SOURCES/patch-cyrus-default-configs | 114 +++ SOURCES/patch-cyrus-managesieve-linking | 13 + SOURCES/patch-cyrus-testsuite-timeout | 13 + SOURCES/patch-vzic-proper-cflags | 25 + SPECS/cyrus-imapd.spec | 931 ++++++++++++++++++ 27 files changed, 2077 insertions(+) create mode 100644 .cyrus-imapd.metadata create mode 100644 .gitignore create mode 100644 SOURCES/cassandane.ini create mode 100644 SOURCES/cyrus-imapd-CVE-2019-18928.patch create mode 100644 SOURCES/cyrus-imapd-CVE-2019-19783.patch create mode 100644 SOURCES/cyrus-imapd-close_backup_fd_on_error.patch create mode 100644 SOURCES/cyrus-imapd-close_backup_on_failure.patch create mode 100644 SOURCES/cyrus-imapd-cve_2019_11356.patch create mode 100644 SOURCES/cyrus-imapd-init.service create mode 100644 SOURCES/cyrus-imapd-master_rename.patch create mode 100644 SOURCES/cyrus-imapd-memory_leak_on_cleanup.patch create mode 100644 SOURCES/cyrus-imapd-memory_leak_on_cleanup_2.patch create mode 100644 
SOURCES/cyrus-imapd.cron-daily create mode 100644 SOURCES/cyrus-imapd.cvt_cyrusdb_all create mode 100644 SOURCES/cyrus-imapd.logrotate create mode 100644 SOURCES/cyrus-imapd.magic create mode 100644 SOURCES/cyrus-imapd.pam-config create mode 100644 SOURCES/cyrus-imapd.service create mode 100644 SOURCES/cyrus-imapd.sysconfig create mode 100644 SOURCES/cyrus-imapd.tmpfiles.conf create mode 100644 SOURCES/patch-cassandane-fix-annotator create mode 100644 SOURCES/patch-cassandane-no-syslog create mode 100644 SOURCES/patch-cyrus-default-configs create mode 100644 SOURCES/patch-cyrus-managesieve-linking create mode 100644 SOURCES/patch-cyrus-testsuite-timeout create mode 100644 SOURCES/patch-vzic-proper-cflags create mode 100644 SPECS/cyrus-imapd.spec diff --git a/.cyrus-imapd.metadata b/.cyrus-imapd.metadata new file mode 100644 index 0000000..38fde1b --- /dev/null +++ b/.cyrus-imapd.metadata @@ -0,0 +1,5 @@ +b537ecfca22df8a41f53d07d88d9547a1cb63d7d SOURCES/CHANGES.rpm +e39754f688d98ac0040df85e8850a2e330c6235d SOURCES/README.rpm +b3157c127c9cc404ecb2672e0eb4f18cac2a2a73 SOURCES/cassandane-00bfe01.tar.gz +fdbc28a259af65792e23ce8da16faf323039139c SOURCES/cassandane-testdata-20170523.tar.gz +49e3f8bbecd391513b81e3ccf49ea2df84be522f SOURCES/cyrus-imapd-3.0.7.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4354db9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,5 @@ +SOURCES/CHANGES.rpm +SOURCES/README.rpm +SOURCES/cassandane-00bfe01.tar.gz +SOURCES/cassandane-testdata-20170523.tar.gz +SOURCES/cyrus-imapd-3.0.7.tar.gz diff --git a/SOURCES/cassandane.ini b/SOURCES/cassandane.ini new file mode 100644 index 0000000..bbdb10c --- /dev/null +++ b/SOURCES/cassandane.ini 
@@ -0,0 +1,56 @@
+# A basic cassandane.ini file for running cassandane as part of the Fedora
+# package build process.
+
+# The idea here is to run tests on the just-compiled version of cyrus-imapd.
+# However, many of the build locations are just random temporary directories, and
+# so this requires some finesse.
+
+[cassandane]
+rootdir = CASSDIR/work
+pwcheck = alwaystrue # This is enabled in Fedora builds
+cleanup = no
+maxworkers = 1
+base_port = 19100
+
+#[valgrind]
+#enabled = no
+
+# The installed copy
+[cyrus default]
+prefix = /usr
+destdir = BUILDROOT
+quota = cyr_quota
+
+# Replication testing disabled
+# [cyrus replica]
+# [cyrus murder]
+
+# Don't enable any of the gdb options but leave them here in case someone ever
+# needs to do so
+#[gdb]
+# imapd = yes
+# sync_server = yes
+# lntpd = yes
+# timsieved = yes
+# backupd = yes
+
+[config]
+altnamespace = no
+unixhierarchysep = no
+client_timeout = 60
+
+#[caldavtalk]
+#basedir = CASSDIR/cassandane/testdata
+
+[imaptest]
+# Cassandane wants this to not be installed. Don't know why. To use it we
+# have to make a directory and link things into it.
+basedir = imaptest
+
+# [jmaptester]
+# basedir = JMAP-Tester
+# The JMAP modules end up needing JSON-Typist (which I could bundle) and CryptX (which is a bit too much to bundle)
+
+# [caldavtester]
+# XXX Would need to include the source in the cyrus package just as cassandane is, and get it built before running tests
+# basedir = ...
diff --git a/SOURCES/cyrus-imapd-CVE-2019-18928.patch b/SOURCES/cyrus-imapd-CVE-2019-18928.patch
new file mode 100644
index 0000000..b5f2cb0
--- /dev/null
+++ b/SOURCES/cyrus-imapd-CVE-2019-18928.patch
@@ -0,0 +1,30 @@
+diff --git a/imap/httpd.c b/imap/httpd.c
+index 5dcf38dc4..d2fdeb945 100644
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@ static int examine_request(struct transaction_t *txn)
+ txn->auth_chal.scheme = NULL;
+ }
+
++ /* Drop auth credentials, if not a backend in a Murder */
++ else if (!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)) {
++ syslog(LOG_DEBUG, "drop auth creds");
++
++ free(httpd_userid);
++ httpd_userid = NULL;
++
++ free(httpd_extrafolder);
++ httpd_extrafolder = NULL;
++
++ free(httpd_extradomain);
++ httpd_extradomain = NULL;
++
++ if (httpd_authstate) {
++ auth_freestate(httpd_authstate);
++ httpd_authstate = NULL;
++ }
++ }
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+ (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
diff --git a/SOURCES/cyrus-imapd-CVE-2019-19783.patch b/SOURCES/cyrus-imapd-CVE-2019-19783.patch
new file mode 100644
index 0000000..ff8a626
--- /dev/null
+++ b/SOURCES/cyrus-imapd-CVE-2019-19783.patch
@@ -0,0 +1,13 @@
+diff --git a/imap/lmtp_sieve.c b/imap/lmtp_sieve.c
+index 4c3bbc3..d0abdd3 100644
+--- a/imap/lmtp_sieve.c
++++ b/imap/lmtp_sieve.c
+@@ -999,7 +999,7 @@ static int autosieve_createfolder(const char *userid, const struct auth_state *a
+ if (createsievefolder) {
+ /* Folder is already in internal namespace format */
+ r = mboxlist_createmailbox(internalname, 0, NULL,
+- 1, userid, auth_state, 0, 0, 0, 1, NULL);
++ 0, userid, auth_state, 0, 0, 0, 1, NULL);
+ if (!r) {
+ mboxlist_changesub(internalname, userid, auth_state, 1, 1, 1);
+ syslog(LOG_DEBUG, "autosievefolder: User %s, folder %s creation succeeded",
diff --git a/SOURCES/cyrus-imapd-close_backup_fd_on_error.patch b/SOURCES/cyrus-imapd-close_backup_fd_on_error.patch
new file mode 100644
index 0000000..7169d51
--- /dev/null
+++ b/SOURCES/cyrus-imapd-close_backup_fd_on_error.patch
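Review bot: The comment on the new `else if` arm in examine_request() (cyrus-imapd-CVE-2019-18928.patch) says what is dropped but not why, and it does not mention that the arm sits ahead of the "Authorize-As" proxy-authorization arm in the same chain. With `!config_mupdate_server || !config_getstring(IMAPOPT_PROXYSERVERS)` true, the proxy-authorization arm below is never evaluated, which is presumably intended but should be stated. I would extend the comment to say that identity state left on the connection by an earlier request must not carry over to this one, and that Authorize-As is only honoured when both a mupdate server and proxyservers are configured. The arm resets `httpd_userid`, `httpd_extrafolder`, `httpd_extradomain` and `httpd_authstate`; any other identity-derived state kept outside this hunk should be checked for the same reset. The function starts and ends outside the hunk.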
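Review bot: The fix in autosieve_createfolder() (cyrus-imapd-CVE-2019-19783.patch) flips the fourth positional argument of `mboxlist_createmailbox()` from `1` to `0`, and nothing at the call site says which flag that is, so the security-relevant value is indistinguishable from the other bare integers around it. Assuming this argument is the admin-rights flag (the callee's prototype is not in the hunk), label it where it is passed: `0 /* isadmin: create with the user's own rights */, userid, auth_state, 0, 0, 0, 1, NULL);`. A short comment above the call explaining that delivery-time folder creation must be subject to the user's ACLs would stop a later cleanup from reverting it.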
@@ -0,0 +1,23 @@
+From 725e1efbd923c6d15ba639e17bfd0baabc619daa Mon Sep 17 00:00:00 2001
+From: Pavel Zhukov
+Date: Mon, 1 Oct 2018 15:55:35 +0200
+Subject: [PATCH] Close file descriptior in case of error
+
+Make static code analizers happy.
+If stat() failed for some reason it may lead backup fd unclosed.
+---
+ backup/lcb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/backup/lcb.c b/backup/lcb.c
+index 8c4a0e31a..9a04b08f2 100644
+--- a/backup/lcb.c
++++ b/backup/lcb.c
+@@ -182,6 +182,7 @@ HIDDEN int backup_real_open(struct backup **backupp,
+ if (r) {
+ syslog(LOG_ERR, "IOERROR: (f)stat %s: %m", backup->data_fname);
+ r = IMAP_IOERROR;
++ close(fd);
+ goto error;
+ }
+
diff --git a/SOURCES/cyrus-imapd-close_backup_on_failure.patch b/SOURCES/cyrus-imapd-close_backup_on_failure.patch
new file mode 100644
index 0000000..1639396
--- /dev/null
+++ b/SOURCES/cyrus-imapd-close_backup_on_failure.patch
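Review bot: The added `close(fd);` runs immediately before `goto error;`, and the `error:` path of backup_real_open() is outside the hunk, so it is not visible whether that path releases the same descriptor again. If `fd` has already been stored in the backup structure and the error path closes it, this becomes a double close, which can hit a descriptor number that was reused in between. Closing in one place is safer: either do it under `error:` guarded by `if (fd != -1)`, or add `fd = -1;` right after this `close(fd);` so a later cleanup cannot repeat it.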
@@ -0,0 +1,38 @@
+From 5d00f649b4d2a599905d1b9290c91a769909741d Mon Sep 17 00:00:00 2001
+From: Pavel Zhukov
+Date: Mon, 24 Sep 2018 17:24:48 +0200
+Subject: [PATCH] Close backup on failure.
+
+Static analizers report this as memory leak issue.
+---
+ backup/ctl_backups.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/backup/ctl_backups.c b/backup/ctl_backups.c
+index 3d817e743..e532eedb7 100644
+--- a/backup/ctl_backups.c
++++ b/backup/ctl_backups.c
+@@ -955,6 +955,7 @@ static int lock_run_pipe(const char *userid, const char *fname,
+
+ if (r) {
+ printf("NO failed (%s)\n", error_message(r));
++ r = backup_close(&backup);
+ return EC_SOFTWARE; // FIXME would something else be more appropriate?
+ }
+
+@@ -993,6 +994,7 @@ static int lock_run_sqlite(const char *userid, const char *fname,
+ fprintf(stderr, "unable to lock %s: %s\n",
+ userid ? userid : fname,
+ error_message(r));
++ r = backup_close(&backup);
+ return EC_SOFTWARE;
+ }
+
+@@ -1053,6 +1055,7 @@ static int lock_run_exec(const char *userid, const char *fname,
+ fprintf(stderr, "unable to lock %s: %s\n",
+ userid ? userid : fname,
+ error_message(r));
++ r = backup_close(&backup);
+ return EC_SOFTWARE;
+ }
+
diff --git a/SOURCES/cyrus-imapd-cve_2019_11356.patch b/SOURCES/cyrus-imapd-cve_2019_11356.patch
new file mode 100644
index 0000000..bfb3a48
--- /dev/null
+++ b/SOURCES/cyrus-imapd-cve_2019_11356.patch
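Review bot: `r = backup_close(&backup);` is a dead store in all three inner hunks (lock_run_pipe, lock_run_sqlite, lock_run_exec): the next statement returns the constant `EC_SOFTWARE`, so the close result is never read and an analyzer will flag the assignment in turn. Write `(void) backup_close(&backup);`, or log a non-zero result before returning. These branches run when `r` is already non-zero, apparently after a failed lock or open, so the change also relies on `backup_close()` accepting a handle that may never have been set up; that is not visible in these hunks and should be confirmed.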
@@ -0,0 +1,26 @@
+diff --git a/imap/httpd.c b/imap/httpd.c
+index dc53f8c..24b65e5 100644
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -2202,7 +2202,7 @@ EXPORTED time_t calc_compile_time(const char *time, const char *date)
+ memset(&tm, 0, sizeof(struct tm));
+ tm.tm_isdst = -1;
+ sscanf(time, "%02d:%02d:%02d", &tm.tm_hour, &tm.tm_min, &tm.tm_sec);
+- sscanf(date, "%s %2d %4d", month, &tm.tm_mday, &tm.tm_year);
++ sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year);
+ tm.tm_year -= 1900;
+ for (tm.tm_mon = 0; tm.tm_mon < 12; tm.tm_mon++) {
+ if (!strcmp(month, monthname[tm.tm_mon])) break;
+diff --git a/imap/ical_support.c b/imap/ical_support.c
+index 1d7550a..e1bda50 100644
+--- a/imap/ical_support.c
++++ b/imap/ical_support.c
+@@ -458,7 +458,7 @@ const char *get_icalcomponent_errstr(icalcomponent *ical)
+
+ /* Check if this is an empty property error */
+ if (sscanf(errstr,
+- "No value for %s property", propname) == 1) {
++ "No value for %255s property", propname) == 1) {
+ /* Empty LOCATION is OK */
+ if (!strcasecmp(propname, "LOCATION")) continue;
+ if (!strcasecmp(propname, "COMMENT")) continue;
diff --git a/SOURCES/cyrus-imapd-init.service b/SOURCES/cyrus-imapd-init.service
new file mode 100644
index 0000000..07909aa
--- /dev/null
+++ b/SOURCES/cyrus-imapd-init.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=One-time configuration for cyrus-imapd
+
+ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd.pem
+ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-key.pem
+ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
+
+[Service]
+Type=oneshot
+Group=mail
+RemainAfterExit=no
+ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem --cert-key-mode=0640
diff --git a/SOURCES/cyrus-imapd-master_rename.patch b/SOURCES/cyrus-imapd-master_rename.patch
new file mode 100644
index 0000000..d1a8a28
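Review bot: The field widths `%3s` and `%255s` in cyrus-imapd-cve_2019_11356.patch are hard-coded while the declarations of `month` and `propname` lie outside both inner hunks, so the bound holds only if those arrays are at least 4 and 256 bytes; a comment at each declaration tying the size to the format width would keep the two in step. In calc_compile_time() the return values of both `sscanf` calls are still ignored, so when `date` does not match the pattern, `month` may reach `strcmp` without having been written, unless it is initialised outside the hunk. Check the conversion count, for example `if (sscanf(date, "%3s %2d %4d", month, &tm.tm_mday, &tm.tm_year) != 3) return 0;`, with the failure value chosen to suit the callers.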
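Review bot: In cyrus-imapd-init.service, `--cert-key-mode=0640` together with `Group=mail` leaves the generated private key readable by every account in group `mail`, not only by the Cyrus daemon. If that is needed so the daemon user can load the key, say so in the unit, e.g. `# key is group-readable because the daemon reads it through its mail group membership`, and otherwise restrict read access to the daemon's own user. Separately, the three negated `ConditionPathExists=` lines are combined with AND, so generation is skipped as soon as any one of the files exists, which includes a partially provisioned directory where the key or CA file is missing.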
--- /dev/null +++ b/SOURCES/cyrus-imapd-master_rename.patch 
@@ -0,0 +1,66 @@ +diff --git a/Cassandane/Instance.pm b/cassandane/Cassandane/Instance.pm +index 1561143..c60396e 100644 +--- a/Cassandane/Instance.pm ++++ b/Cassandane/Instance.pm +@@ -166,7 +166,7 @@ sub get_version + my $cyrus_master; + foreach my $d (qw( bin sbin libexec libexec/cyrus-imapd lib cyrus/bin )) + { +- my $try = "$cyrus_destdir$cyrus_prefix/$d/master"; ++ my $try = "$cyrus_destdir$cyrus_prefix/$d/cyrus-master"; + if (-x $try) { + $cyrus_master = $try; + last; +diff --git a/Cassandane/Instance.pm b/Cassandane/Instance.pm +index c60396e..7b2883a 100644 +--- a/Cassandane/Instance.pm ++++ b/Cassandane/Instance.pm +@@ -546,7 +546,7 @@ sub _pid_file + { + my ($self, $name) = @_; + +- $name ||= 'master'; ++ $name ||= 'cyrus-master'; + + return $self->{basedir} . "/run/$name.pid"; + } +@@ -569,7 +569,7 @@ sub _list_pid_files + closedir(RUNDIR); + + @pidfiles = sort { $a cmp $b } @pidfiles; +- @pidfiles = ( 'master', grep { $_ ne 'master' } @pidfiles ); ++ @pidfiles = ( 'cyrus-master', grep { $_ ne 'cyrus-master' } @pidfiles ); + + return @pidfiles; + } +@@ -877,7 +877,7 @@ sub _start_master + # Now start the master process. + my @cmd = + ( +- 'master', ++ 'cyrus-master', + # The following is added automatically by _fork_command: + # '-C', $self->_imapd_conf(), + '-l', '255', +@@ -886,7 +886,7 @@ sub _start_master + '-M', $self->_master_conf(), + ); + if (get_verbose) { +- my $logfile = $self->{basedir} . '/conf/master.log'; ++ my $logfile = $self->{basedir} . 
'/conf/cyrus-master.log'; + xlog "_start_master: logging to $logfile"; + push(@cmd, '-L', $logfile); + } +diff --git a/Cassandane/Instance.pm b/Cassandane/Instance.pm +index 7b2883a..0c1e5fb 100644 +--- a/Cassandane/Instance.pm ++++ b/Cassandane/Instance.pm +@@ -1301,7 +1301,7 @@ sub send_sighup + return if ($self->{_stopped}); + xlog "sighup"; + +- my $pid = $self->_read_pid_file('master') or return; ++ my $pid = $self->_read_pid_file('cyrus-master') or return; + kill(SIGHUP, $pid) or die "Can't send signal SIGHUP to pid $pid: $!"; + return 1; + } diff --git a/SOURCES/cyrus-imapd-memory_leak_on_cleanup.patch b/SOURCES/cyrus-imapd-memory_leak_on_cleanup.patch new file mode 100644 index 0000000..d4d944b --- /dev/null +++ b/SOURCES/cyrus-imapd-memory_leak_on_cleanup.patch 
@@ -0,0 +1,73 @@ +From acfc393638ad1b81a4234173b060bb63907ee52c Mon Sep 17 00:00:00 2001 +From: Pavel Zhukov +Date: Mon, 1 Oct 2018 15:51:01 +0200 +Subject: [PATCH] Replace simple return with cleanup flow + +Make cleanup more consistence to prevent leaks of memory pointed by +filter/base/res +--- + ptclient/ldap.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ptclient/ldap.c b/ptclient/ldap.c +index 0b82d2c6b..65bae7bd6 100644 +--- a/ptclient/ldap.c ++++ b/ptclient/ldap.c +@@ -1388,13 +1388,14 @@ static int ptsmodule_make_authstate_group( + + if (strncmp(canon_id, "group:", 6)) { // Sanity check + *reply = "not a group identifier"; +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } + + rc = ptsmodule_connect(); + if (rc != PTSM_OK) { + *reply = "ptsmodule_connect() failed"; +- return rc; ++ goto done;; + } + + rc = ptsmodule_expand_tokens(ptsm->group_filter, canon_id+6, NULL, &filter); +@@ -1425,17 +1426,19 @@ static int ptsmodule_make_authstate_group( + + if (rc != LDAP_SUCCESS) { + syslog(LOG_DEBUG, "(groups) Result from domain query not OK"); +- return rc; ++ goto done; + } else { + syslog(LOG_DEBUG, "(groups) Result from domain query OK"); + } + + if (ldap_count_entries(ptsm->ld, res) < 1) { + syslog(LOG_ERR, "(groups) No domain %s found", domain); +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } else if (ldap_count_entries(ptsm->ld, res) > 1) { + syslog(LOG_ERR, "(groups) Multiple domains %s found", domain); +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } else { + syslog(LOG_DEBUG, "(groups) Domain %s found", domain); + if ((entry = ldap_first_entry(ptsm->ld, res)) != NULL) { +@@ -1452,7 +1455,7 @@ static int ptsmodule_make_authstate_group( + } + + if (rc != PTSM_OK) { +- return rc; ++ goto done; + } else { + base = xstrdup(ptsm->group_base); + syslog(LOG_DEBUG, "Continuing with ptsm->group_base: %s", ptsm->group_base); +@@ -1462,7 +1465,7 @@ static int ptsmodule_make_authstate_group( + } 
else { + rc = ptsmodule_expand_tokens(ptsm->group_base, canon_id, NULL, &base); + if (rc != PTSM_OK) +- return rc; ++ goto done; + } + + syslog(LOG_DEBUG, "(groups) about to search %s for %s", base, filter); diff --git a/SOURCES/cyrus-imapd-memory_leak_on_cleanup_2.patch b/SOURCES/cyrus-imapd-memory_leak_on_cleanup_2.patch new file mode 100644 index 0000000..8a5a11d --- /dev/null +++ b/SOURCES/cyrus-imapd-memory_leak_on_cleanup_2.patch 
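Review bot: Every early exit in ptsmodule_make_authstate_group() now jumps to `done`, including the first two ("not a group identifier" and the `ptsmodule_connect()` failure), which run before `filter` or `base` have been assigned. The `done:` label and the declarations are outside these hunks, so the change is safe only if every pointer released there starts out as `NULL`; otherwise the cleanup frees indeterminate values. Please confirm the declarations initialise them, e.g. `char *filter = NULL, *base = NULL;`, and the same for `res` if the label releases it. The same applies to ptsmodule_get_dn() in cyrus-imapd-memory_leak_on_cleanup_2.patch, where `goto done` is also reached before `base` is set. Note too that the `rc != LDAP_SUCCESS` branch now carries an LDAP result code out through `done`, while the other exits return PTSM_* values.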
@@ -0,0 +1,102 @@ +diff --git a/ptclient/ldap.c b/ptclient/ldap.c +index 7e48879..dafa724 100644 +--- a/ptclient/ldap.c ++++ b/ptclient/ldap.c +@@ -932,7 +932,7 @@ static int ptsmodule_get_dn( + { + rc = ptsmodule_expand_tokens(ptsm->filter, canon_id, NULL, &filter); + if (rc != PTSM_OK) +- return rc; ++ goto done; + + if (ptsm->domain_base_dn && ptsm->domain_base_dn[0] != '\0' && (strrchr(canon_id, '@') != NULL)) { + syslog(LOG_DEBUG, "Attempting to get domain for %s from %s", canon_id, ptsm->domain_base_dn); +@@ -955,19 +955,23 @@ static int ptsmodule_get_dn( + ldap_unbind(ptsm->ld); + ptsm->ld = NULL; + syslog(LOG_ERR, "LDAP not available: %s", ldap_err2string(rc)); +- return PTSM_RETRY; ++ rc = PTSM_RETRY; ++ goto done; + } + + syslog(LOG_ERR, "LDAP search for domain failed: %s", ldap_err2string(rc)); +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } + + if (ldap_count_entries(ptsm->ld, res) < 1) { + syslog(LOG_ERR, "No domain %s found", domain); +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } else if (ldap_count_entries(ptsm->ld, res) > 1) { + syslog(LOG_ERR, "Multiple domains %s found", domain); +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } else { + if ((entry = ldap_first_entry(ptsm->ld, res)) != NULL) { + if ((vals = ldap_get_values(ptsm->ld, entry, ptsm->domain_result_attribute)) != NULL) { +@@ -982,7 +986,7 @@ static int ptsmodule_get_dn( + } + + if (rc != PTSM_OK) { +- return rc; ++ goto done; + } else { + base = xstrdup(ptsm->base); + syslog(LOG_DEBUG, "Continuing with ptsm->base: %s", ptsm->base); +@@ -993,23 +997,23 @@ static int ptsmodule_get_dn( + } else { + rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base); + if (rc != PTSM_OK) +- return rc; ++ goto done; + } + + rc = ldap_search_st(ptsm->ld, base, ptsm->scope, filter, attrs, 0, &(ptsm->timeout), &res); + + if (rc != LDAP_SUCCESS) { + syslog(LOG_DEBUG, "Searching %s with %s failed", base, base); +- free(filter); +- free(base); + + if (rc == 
LDAP_SERVER_DOWN) { + ldap_unbind(ptsm->ld); + ptsm->ld = NULL; +- return PTSM_RETRY; ++ rc = PTSM_RETRY; ++ goto done; + } + +- return PTSM_FAIL; ++ rc = PTSM_FAIL; ++ goto done; + } + + free(filter); +@@ -1035,6 +1039,13 @@ static int ptsmodule_get_dn( + } + + return (*ret ? PTSM_OK : PTSM_FAIL); ++ ++ done: ++ if (filter) ++ free(filter); ++ if (base) ++ free(base); ++ return rc; + } + + +@@ -1344,7 +1355,7 @@ static int ptsmodule_make_authstate_group( + rc = ptsmodule_connect(); + if (rc != PTSM_OK) { + *reply = "ptsmodule_connect() failed"; +- goto done;; ++ goto done; + } + + rc = ptsmodule_expand_tokens(ptsm->group_filter, canon_id+6, NULL, &filter); diff --git a/SOURCES/cyrus-imapd.cron-daily b/SOURCES/cyrus-imapd.cron-daily new file mode 100644 index 0000000..ca897c0 --- /dev/null +++ b/SOURCES/cyrus-imapd.cron-daily @@ -0,0 +1,36 @@ +#!/bin/sh +# +# This file is run on a daily basis to perform a backup of your +# mailbox list which can be used to recreate mailboxes.db from backup. +# Restore is done using ctl_mboxlist after uncompressing the file. + +BACKDIR="/var/lib/imap/backup" +MBOXLIST="${BACKDIR}/mboxlist" +ROTATE=6 + +# fallback to su if runuser not available +if [ -x /sbin/runuser ]; then + RUNUSER=runuser +else + RUNUSER=su +fi + +# source custom configuration +if [ -f /etc/sysconfig/cyrus-imapd ]; then + . /etc/sysconfig/cyrus-imapd +fi + +[ -x /usr/sbin/ctl_mboxlist ] || exit 0 +[ -f /var/lib/imap/db/skipstamp ] || exit 0 + +# rotate mailbox lists +seq $[ $ROTATE - 1 ] -1 1 | while read i; do + [ -f ${MBOXLIST}.${i}.gz ] && mv -f ${MBOXLIST}.${i}.gz ${MBOXLIST}.$[ $i + 1 ].gz +done +[ -f ${MBOXLIST}.gz ] && mv -f ${MBOXLIST}.gz ${MBOXLIST}.1.gz + +# export mailboxes.db +$RUNUSER - cyrus -s /bin/sh -c "umask 077 < /dev/null ; /usr/sbin/ctl_mboxlist -d | gzip > ${MBOXLIST}.gz" + +exit 0 +# EOF diff --git a/SOURCES/cyrus-imapd.cvt_cyrusdb_all b/SOURCES/cyrus-imapd.cvt_cyrusdb_all new file mode 100644 index 0000000..5a5227d --- /dev/null 
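Review bot: The new `done:` label in ptsmodule_get_dn() frees only `filter` and `base`; the exits taken after the domain search ("No domain %s found", "Multiple domains %s found") leave with `res` still holding a search result, and nothing visible in the hunks releases it. Add `if (res) ldap_msgfree(res);` under `done:`, with `res` initialised to `NULL` and reset after any earlier release, which is outside the hunks. The `if (filter)` and `if (base)` guards are unnecessary because `free(NULL)` is a no-op. In the search-failure branch the log call prints `base` twice, `"Searching %s with %s failed", base, base`; the second argument was presumably meant to be `filter`.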
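Review bot: cyrus-imapd.cron-daily is declared `#!/bin/sh` but its rotation loop uses `$[ $ROTATE - 1 ]` and `$[ $i + 1 ]`, a deprecated bash-only arithmetic form that a POSIX `/bin/sh` does not understand; use `$(( ROTATE - 1 ))` and `$(( i + 1 ))`. `ROTATE` can be overridden by the sourced `/etc/sysconfig/cyrus-imapd` and is used unquoted, so a non-numeric value makes `seq` fail without any message from the script; a check after sourcing such as `case "$ROTATE" in ''|*[!0-9]*) ROTATE=6;; esac` makes that explicit. The job runs as root and `${MBOXLIST}` is expanded into the `sh -c` string handed to the cyrus user, so the path should remain a fixed constant and the variables in the `mv` lines should be double-quoted.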
+++ b/SOURCES/cyrus-imapd.cvt_cyrusdb_all 
@@ -0,0 +1,409 @@ +#!/bin/bash + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# This script converts all db files of a cyrus installation from their +# existing format to the format required by the current installation. +# The format of current db files is determined using the 'file' command +# with a magic file added for skiplist db, the new format is read from +# a config file usually in /usr/share/cyrus-imapd/rpm/db.cfg, which is +# created while compiling. After converting, the db.cfg file is +# copied to a cache file usually at /var/lib/imap/rpm/db.cfg.cache to +# allow bypassing this converting script if both files are identical. +# While this is a bit less secure, it may be useful on big server where +# db converting is done automatically. +# +# This script can safely be run as root, it will reexec itself as user +# cyrus if needed. 
+# +# author: Simon Matter, Invoca Systems + +# changelog +# v1.0.1, Oct 22 2002 Simon Matter +# - added two-step conversion method +# +# v1.0.2, Jan 10 2003 Simon Matter +# - fixed a bug where cvt_cyrusdb was called to convert empty or +# nonexistent files +# +# v1.0.3, Mar 14 2003 Simon Matter +# - fixed a problem with new versions of the file command +# +# v1.0.4 +# - added GPL license +# +# v1.0.5, May 02 2003 Simon Matter +# - modified exec path +# +# v1.0.6, Jul 18 2003 Simon Matter +# - changed db3 to berkeley +# - added new db backends for 2.2 +# +# v1.0.7, Jan 23 2004 Simon Matter +# - included some modifications from Luca Olivetti +# - added masssievec functionality +# +# v1.0.8, Jan 28 2004 Simon Matter +# - convert sieve scripts to UTF-8 before calling masssievec +# +# v1.0.9, Jan 29 2004 Simon Matter +# - convert sieve scripts to UTF-8 only if sievec failed before +# +# v1.0.10, Feb 24 2004 Simon Matter +# - change su within init script to get input from +# /dev/null, this prevents hang when running in SELinux +# +# v1.0.11, Mar 02 2004 Simon Matter +# - fixed SELinux fix +# +# v1.0.12, Dec 16 2004 Simon Matter +# - use runuser instead of su if available +# +# v1.0.13, Jul 15 2005 Simon Matter +# - don't use flat in the two step conversion, use skiplist instead +# +# v1.0.14, Jul 18 2005 Simon Matter +# - replace the order of the magic files in the file call to make +# sure skiplist is detected correctly. +# +# v1.0.15, Aug 17 2005 Simon Matter +# - add functionality to export all berkeley db files to skiplist +# +# v1.1.0, Aug 18 2005 Simon Matter +# - fix export functionality, try to recover Berkeley databases +# as much as possible before any conversion. +# +# v1.1.1, Dec 05 2005 Simon Matter +# - run db_checkpoint in background with a timeout to prevent +# that cyrus-imapd doesn't start at all if it hangs. 
+# +# v1.1.2, Dec 06 2005 Simon Matter +# - make handling of db_checkpoint more robust +# +# v1.2.0, Jan 12 2006 Simon Matter +# - adopt for cyrus-imapd-2.3 +# +# v1.2.1, Jan 13 2006 Simon Matter +# - code cleanup +# +# v1.2.2, Nov 29 2007 Simon Matter +# - add ability to handle "@include" options in imapd.conf, patch +# provided by Tim Bannister +# +# v1.2.3, Feb 07 2008 Simon Matter +# - add ability to handle tabs in imapd.conf, patch provided +# by Franz Knipp +# - disable default values for some config options like sievedir +# +# v1.2.4, Apr 23 2008 Simon Matter +# - add support for statuscache.db +# +# v1.3.0, Sep 29 2008 Simon Matter +# - add multi-instance support +# +# v1.3.1, Oct 09 2008 Simon Matter +# - improve variable handling +# +# v1.3.2, May 26 2009 Simon Matter +# - add some sanity checks to multi-instance support +# +# v1.3.3, May 27 2009 Simon Matter +# - make some cosmetic changes +# +# v1.3.4, Dec 22 2009 Simon Matter +# - add support for user_deny.db + +VERSION=1.3.4 + +PIDFILE=/var/run/cyrus-master${INSTANCE}.pid + +# instance config +CYRUSCONF=/etc/cyrus${INSTANCE}.conf +IMAPDCONF=/etc/imapd${INSTANCE}.conf + +# make sure what we have is a valid instance +# and that config files are present +if [ -n "$INSTANCE" ]; then + [ -L /etc/rc.d/init.d/${BASENAME} ] || exit 0 +fi +[ -f $CYRUSCONF ] || exit 0 +[ -f $IMAPDCONF ] || exit 0 + +if [ -f $PIDFILE ]; then + read CYRUS_PID < $PIDFILE + if [ -n "$CYRUS_PID" ]; then + if ps -p $CYRUS_PID > /dev/null 2>&1; then + echo "ERROR: cyrus-master is running, unable to convert mailboxes!" + exit 1 + fi + fi +fi + +if [ ! -f $IMAPDCONF ]; then + echo "ERROR: configuration file '${IMAPDCONF}' not found, exiting!" + exit 1 +fi + +# fallback to su if runuser not available +if [ -x /sbin/runuser ]; then + RUNUSER=runuser +else + RUNUSER=su +fi + +# force cyrus user for security reasons +if [ ! 
$(whoami) = "cyrus" ]; then + exec $RUNUSER - cyrus -c "cd $PWD < /dev/null ; INSTANCE=$INSTANCE $0 $*" +fi + +# special function for migration +EXPORT=$1 + +# files get mode 0600 +umask 166 + +# show version info in log files +echo "cvt_cyrusdb_all version: $VERSION" + +# expand_config +# handle "@include" sections from imapd style config file +expand_config() { + while read line; do + if printf "%s\n" "${line}" | grep -q '^@include:'; then + expand_config "$( printf "%s\n" "${line}" | cut -d : -f 2- | sed -e 's/^[\t ]*//' )" + else + printf "%s\n" "${line}" + fi + done < $1 +} + +# get_config [] +# extracts config option from config file +get_config() { + searchstr=$1 + if config="$(expand_config $IMAPDCONF | egrep "^${searchstr}:")"; then + CFGVAL="$(printf "%s\n" "$config" | cut -d : -f 2- | sed -e 's/^[\t ]*//')" + else + if [ -z "$2" ]; then + echo "ERROR: config option '$1' not found in ${IMAPDCONF}, exiting!" 1>&2 + return 1 + fi + CFGVAL="$2" + fi + echo "get_config ${1}: $CFGVAL" 1>&2 + echo "$CFGVAL" +} + +# where to find files and directories +data_dir=/usr/share/cyrus-imapd/rpm +lib_dir=/usr/lib/cyrus-imapd +system_magic=$(file --version | awk '/magic file/ {print $4}') +cyrus_magic=${data_dir}/magic +cvt_cyrusdb=${lib_dir}/cvt_cyrusdb +sievec=${lib_dir}/sievec +masssievec=${lib_dir}/masssievec +imap_prefix=$(get_config configdirectory) || exit 1 +sieve_dir=$(get_config sievedir) || exit 1 +db_cfg=${data_dir}/db.cfg +db_current=${imap_prefix}/rpm/db.cfg.current +db_cache=${imap_prefix}/rpm/db.cfg.cache + +# source default db backend config +. 
$db_cfg + +# get configured db backend config +duplicate_db=$(get_config duplicate_db $duplicate_db) || exit 1 +mboxlist_db=$(get_config mboxlist_db $mboxlist_db) || exit 1 +seenstate_db=$(get_config seenstate_db $seenstate_db) || exit 1 +subscription_db=$(get_config subscription_db $subscription_db) || exit 1 +tlscache_db=$(get_config tlscache_db $tlscache_db) || exit 1 +annotation_db=$(get_config annotation_db $annotation_db) || exit 1 +mboxkey_db=$(get_config mboxkey_db $mboxkey_db) || exit 1 +ptscache_db=$(get_config ptscache_db $ptscache_db) || exit 1 +quota_db=$(get_config quota_db $quota_db) || exit 1 +statuscache_db=$(get_config statuscache_db $statuscache_db) || exit 1 +userdeny_db=$(get_config userdeny_db $userdeny_db) || exit 1 + +# remember current db backend config +{ +echo "duplicate_db=${duplicate_db}" +echo "mboxlist_db=${mboxlist_db}" +echo "seenstate_db=${seenstate_db}" +echo "subscription_db=${subscription_db}" +echo "tlscache_db=${tlscache_db}" +echo "annotation_db=${annotation_db}" +echo "mboxkey_db=${mboxkey_db}" +echo "ptscache_db=${ptscache_db}" +echo "quota_db=${quota_db}" +echo "statuscache_db=${statuscache_db}" +echo "userdeny_db=${userdeny_db}" +echo "sieve_version=${sieve_version}" +} | sort > $db_current + +# file_type +file_type() { + this_type=$(file -b -m "${cyrus_magic}:${system_magic}" "$1" 2> /dev/null) + if echo "$this_type" | grep -qi skip > /dev/null 2>&1; then + echo skiplist + elif echo "$this_type" | grep -qi text > /dev/null 2>&1; then + echo flat + else + echo berkeley + fi +} + +# cvt_file +cvt_file() { + target="$1" + new_db="$2" + if [ -s "$target" ]; then + old_db=$(file_type "$target") + if [ ! "$old_db" = "$new_db" ]; then + # The two-step conversion is paranoia against the filenames being encoded + # inside the database or logfiles (berkeley does this, for example). 
+ rm -f "${target}.skiplist" + if [ "$old_db" = "skiplist" ]; then + cp -a "$target" "${target}.skiplist" + else + $cvt_cyrusdb -C $IMAPDCONF "$target" "$old_db" "${target}.skiplist" skiplist + fi + RETVAL=$? + ERRVAL=$(( $ERRVAL + $RETVAL )) + if [ $RETVAL -eq 0 ]; then + rm -f "$target" + if [ -s "${target}.skiplist" ]; then + if [ "$new_db" = "skiplist" ]; then + cp -a "${target}.skiplist" "$target" + else + $cvt_cyrusdb -C $IMAPDCONF "${target}.skiplist" skiplist "$target" "$new_db" + fi + fi + RETVAL=$? + ERRVAL=$(( $ERRVAL + $RETVAL )) + if [ $RETVAL -eq 0 ]; then + rm -f "${target}.skiplist" + else + echo "ERROR: unable to convert ${target}.skiplist from skiplist to $new_db" + fi + else + echo "ERROR: unable to convert $target from $old_db to skiplist" + fi + fi + fi +} + +# cvt_to_utf8 +cvt_to_utf8() { + target="$1" + if [ -s "$target" ]; then + if ! $sievec -C $IMAPDCONF "$target" "${target}.sievec"; then + iconv --from-code=ISO-8859-1 --to-code=UTF-8 --output="${target}.UTF-8" "$target" + if [ -s "${target}.UTF-8" ]; then + # preserve timestamp + touch --reference="${target}" "${target}.UTF-8" + mv -f "${target}.UTF-8" "$target" + else + ERRVAL=$(( $ERRVAL + 1 )) + fi + fi + rm -f "${target}.sievec" + fi +} + +ERRVAL=0 + +# make sure our Berkeley databases are in a sane state +# wait for db_checkpoint to end successfully or kill it after a timeout +db_checkpoint -v -1 -h ${imap_prefix}/db & +DB_CHECK_PID=$! +CNT=0 +while [ $CNT -lt 60 ]; do + if ! kill -0 $DB_CHECK_PID > /dev/null 2>&1; then + break + fi + sleep 1 + let CNT+=1 +done +if kill -0 $DB_CHECK_PID > /dev/null 2>&1; then + kill -USR1 $DB_CHECK_PID > /dev/null 2>&1 + sleep 1 + kill -KILL $DB_CHECK_PID > /dev/null 2>&1 + wait $DB_CHECK_PID > /dev/null 2>&1 +fi + +# do a normal recovery +db_recover -v -h ${imap_prefix}/db +RETVAL=$? +if [ $RETVAL -ne 0 ]; then + # try a catastrophic recovery instead of normal recovery + db_recover -v -c -h ${imap_prefix}/db + RETVAL=$? 
+ ERRVAL=$(( $ERRVAL + $RETVAL )) + if [ $RETVAL -ne 0 ]; then + echo "ERROR: catastrophic recovery of Berkeley databases failed" + fi +fi + +if [ "$EXPORT" = "export" ]; then + # convert all db files to portable format for migration + # TODO: quota_db, we don't touch it for now + cvt_file ${imap_prefix}/deliver.db "skiplist" + cvt_file ${imap_prefix}/mailboxes.db "skiplist" + cvt_file ${imap_prefix}/tls_sessions.db "skiplist" + cvt_file ${imap_prefix}/annotations.db "skiplist" + cvt_file ${imap_prefix}/ptclient/ptscache.db "skiplist" + cvt_file ${imap_prefix}/statuscache.db "skiplist" + cvt_file ${imap_prefix}/user_deny.db "flat" + rm -vf ${imap_prefix}/db/log.* + rm -vf ${imap_prefix}/db/__db.* +else + # always convert db files which have been converted to skiplist + # TODO: quota_db, we don't touch it for now + cvt_file ${imap_prefix}/deliver.db "$duplicate_db" + cvt_file ${imap_prefix}/mailboxes.db "$mboxlist_db" + cvt_file ${imap_prefix}/tls_sessions.db "$tlscache_db" + cvt_file ${imap_prefix}/annotations.db "$annotation_db" + cvt_file ${imap_prefix}/ptclient/ptscache.db "$ptscache_db" + cvt_file ${imap_prefix}/statuscache.db "$statuscache_db" + cvt_file ${imap_prefix}/user_deny.db "$userdeny_db" + # do we have to convert all databases? + if ! 
cmp -s $db_current $db_cache; then + # we treat sieve scripts the same way like db files + find ${sieve_dir}/ -name "*.script" -type f | while read db_file trash; do + cvt_to_utf8 "$db_file" + done + $masssievec $sievec $IMAPDCONF + # convert all db files left + find ${imap_prefix}/user/ -name "*.seen" -type f | while read db_file trash; do + cvt_file "$db_file" "$seenstate_db" + done + find ${imap_prefix}/user/ -name "*.sub" -type f | while read db_file trash; do + cvt_file "$db_file" "$subscription_db" + done + find ${imap_prefix}/user/ -name "*.mboxkey" -type f | while read db_file trash; do + cvt_file "$db_file" "$mboxkey_db" + done + fi +fi + +# update the config cache file so we can check whether something has changed +if [ $ERRVAL -eq 0 ]; then + mv -f $db_current $db_cache +else + rm -f $db_cache + rm -f $db_current +fi + +exit $ERRVAL diff --git a/SOURCES/cyrus-imapd.logrotate b/SOURCES/cyrus-imapd.logrotate new file mode 100644 index 0000000..2f55827 --- /dev/null +++ b/SOURCES/cyrus-imapd.logrotate @@ -0,0 +1,7 @@ +/var/log/imapd.log /var/log/auth.log { + missingok + sharedscripts + postrotate + /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true + endscript +} diff --git a/SOURCES/cyrus-imapd.magic b/SOURCES/cyrus-imapd.magic new file mode 100644 index 0000000..85831fb --- /dev/null +++ b/SOURCES/cyrus-imapd.magic @@ -0,0 +1,9 @@ +# Magic +# Magic data for file(1) command. +# Format is described in magic(files), where: +# files is 5 on V7 and BSD, 4 on SV, and ?? in the SVID. + +#------------------------------------------------------------------------------ +# skiplist: file(1) magic Cyrus skiplist DB +# +0 string \241\002\213\015skiplist\ file\0\0\0 Cyrus skiplist DB diff --git a/SOURCES/cyrus-imapd.pam-config b/SOURCES/cyrus-imapd.pam-config new file mode 100644 index 0000000..5b9f05f --- /dev/null +++ b/SOURCES/cyrus-imapd.pam-config 
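Review bot: The re-exec line `exec $RUNUSER - cyrus -c "cd $PWD < /dev/null ; INSTANCE=$INSTANCE $0 $*"` pastes `$PWD`, `$INSTANCE`, `$0` and `$*` unquoted into a string that a second shell parses again, so a working directory or argument containing spaces or shell metacharacters is re-interpreted instead of being passed through. The script is bash, so each piece can be escaped with `printf '%q'` before it is embedded in the `-c` string, and `"$@"` should be used rather than `$*`. The same unquoted-expansion pattern appears in `expand_config` (`done < $1`) and in the `find ... | while read db_file trash` loops, which split file names on whitespace; `find ... -print0 | while IFS= read -r -d '' db_file` avoids that. The comment `# files get mode 0600` above `umask 166` is true for regular files only; directories created under it would not be mode 0700, which is worth noting there.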
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth include password-auth
+account include password-auth
+session include password-auth
diff --git a/SOURCES/cyrus-imapd.service b/SOURCES/cyrus-imapd.service
new file mode 100644
index 0000000..13891fc
--- /dev/null
+++ b/SOURCES/cyrus-imapd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Cyrus-imapd IMAP/POP3 email server
+After=local-fs.target network.target
+
+Requires=cyrus-imapd-init.service
+After=cyrus-imapd-init.service
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/sysconfig/cyrus-imapd
+ExecStart=/usr/libexec/cyrus-imapd/cyrus-master $CYRUSOPTIONS
+PrivateTmp=true
+
+# Cyrus may spawn many processes in normal operation. These figures are higher
+# than the defaults, but may still need to be tuned for your local
+# configuration.
+TasksMax=2048
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/cyrus-imapd.sysconfig b/SOURCES/cyrus-imapd.sysconfig
new file mode 100644
index 0000000..ad8bec5
--- /dev/null
+++ b/SOURCES/cyrus-imapd.sysconfig
@@ -0,0 +1,5 @@
+# Options to cyrus-master
+CYRUSOPTIONS=""
+
+# Mailbox list dumps are rotated n times via cron.daily
+#ROTATE=6
diff --git a/SOURCES/cyrus-imapd.tmpfiles.conf b/SOURCES/cyrus-imapd.tmpfiles.conf
new file mode 100644
index 0000000..14a2791
--- /dev/null
+++ b/SOURCES/cyrus-imapd.tmpfiles.conf
@@ -0,0 +1,5 @@
+d /run/cyrus 0750 cyrus mail -
+d /run/cyrus/db 0700 cyrus mail -
+d /run/cyrus/lock 0700 cyrus mail -
+d /run/cyrus/proc 0700 cyrus mail -
+d /run/cyrus/socket 0750 cyrus mail -
diff --git a/SOURCES/patch-cassandane-fix-annotator b/SOURCES/patch-cassandane-fix-annotator
new file mode 100644
index 0000000..1899ae0
--- /dev/null
+++ b/SOURCES/patch-cassandane-fix-annotator
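Review bot: The `[Service]` section of cyrus-imapd.service has `PrivateTmp=true` as its only sandboxing directive and no `User=`, so systemd starts cyrus-master as root with the default view of the filesystem. The same import turns on network-facing listeners in the default cyrus.conf, so further containment is worth adding here, for example `NoNewPrivileges=true`, `ProtectHome=true` and `ProtectSystem=full`. These need testing against local delivery and Sieve paths before shipping, since `ProtectHome=true` would conflict with a sieveusehomedir-style setup. A short comment in the unit recording which directives were tried and why any were left out would help the next maintainer.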
@@ -0,0 +1,14 @@
+diff --git a/utils/annotator.pl b/utils/annotator.pl
+index 94b84a2..0208831 100755
+--- a/utils/annotator.pl
++++ b/utils/annotator.pl
+@@ -140,6 +140,8 @@ GetOptions(
+ xlog "annotator $$ starting";
+ Cassandane::AnnotatorDaemon->run(
+ pid_file => $pidfile,
+- port => $port
++ port => $port,
++ user => (getpwuid($<))[0],
++ group => (getgrgid($())[0],
+ );
+ xlog "annotator $$ exiting";
diff --git a/SOURCES/patch-cassandane-no-syslog b/SOURCES/patch-cassandane-no-syslog
new file mode 100644
index 0000000..67d30b3
--- /dev/null
+++ b/SOURCES/patch-cassandane-no-syslog
@@ -0,0 +1,21 @@
+diff --git a/Cassandane/Util/Log.pm b/Cassandane/Util/Log.pm
+index 9cd93d5..8d3b3c1 100644
+--- a/Cassandane/Util/Log.pm
++++ b/Cassandane/Util/Log.pm
+@@ -52,16 +52,12 @@ our @EXPORT = qw(
+
+ my $verbose = 0;
+
+-openlog('cassandane', '', LOG_LOCAL6)
+- or die "Cannot openlog";
+-
+ sub xlog
+ {
+ my ($pkg, $file, $line) = caller;
+ $pkg =~ s/^Cassandane:://;
+ my $msg = "=====> " . $pkg . "[" . $line . "] " . join(' ', @_);
+ print STDERR "$msg\n";
+- syslog(LOG_ERR, "$msg");
+ }
+
+ sub set_verbose
diff --git a/SOURCES/patch-cyrus-default-configs b/SOURCES/patch-cyrus-default-configs
new file mode 100644
index 0000000..ca3c93f
--- /dev/null
+++ b/SOURCES/patch-cyrus-default-configs
@@ -0,0 +1,114 @@
+diff --git a/doc/examples/cyrus_conf/prefork.conf b/doc/examples/cyrus_conf/prefork.conf
+index 4ce2c0f..3b1e6d7 100644
+--- a/doc/examples/cyrus_conf/prefork.conf
++++ b/doc/examples/cyrus_conf/prefork.conf
+@@ -19,15 +19,15 @@ SERVICES {
+ # nntps cmd="nntpd -s" listen="nntps" prefork=1
+
+ # these are only necessary if using HTTP for CalDAV, CardDAV, or RSS
+-# http cmd="httpd" listen="http" prefork=3
+-# https cmd="httpd -s" listen="https" prefork=1
++ http cmd="httpd" listen="http" prefork=3
++ https cmd="httpd -s" listen="https" prefork=1
+
+ # at least one LMTP is required for delivery
+ # lmtp cmd="lmtpd" listen="lmtp" prefork=0
+- lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=1
++ lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=1
+
+ # this is only necessary if using notifications
+-# notify cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
++# notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1
+ }
+
+ EVENTS {
+diff --git a/doc/examples/imapd_conf/normal.conf b/doc/examples/imapd_conf/normal.conf
+index 95b54e9..3935b77 100644
+--- a/doc/examples/imapd_conf/normal.conf
++++ b/doc/examples/imapd_conf/normal.conf
+@@ -10,7 +10,7 @@ admins: cyrus
+ ###################################################################
+
+ # Configuration directory
+-configdirectory: /var/lib/cyrus
++configdirectory: /var/lib/imap
+
+ # Directories for proc and lock files
+ proc_path: /run/cyrus/proc
+@@ -19,18 +19,18 @@ mboxname_lockpath: /run/cyrus/lock
+ # Locations for DB files
+ # The following DB are recreated upon initialization, so should live in
+ # ephemeral storage for best performance.
+-duplicate_db_path: /run/cyrus/deliver.db
+-ptscache_db_path: /run/cyrus/ptscache.db
+-statuscache_db_path: /run/cyrus/statuscache.db
+-tls_sessions_db_path: /run/cyrus/tls_sessions.db
++duplicate_db_path: /run/cyrus/db/deliver.db
++ptscache_db_path: /run/cyrus/db/ptscache.db
++statuscache_db_path: /run/cyrus/db/statuscache.db
++tls_sessions_db_path: /run/cyrus/db/tls_sessions.db
+
+ # Which partition to use for default mailboxes
+ defaultpartition: default
+-partition-default: /var/spool/cyrus/mail
++partition-default: /var/spool/imap
+
+ # If sieveusehomedir is false (the default), this directory is searched
+ # for Sieve scripts.
+-sievedir: /var/spool/sieve
++sievedir: /var/lib/imap/sieve
+
+ ###################################################################
+ ## Important: KEEP THESE IN SYNC WITH cyrus.conf
+@@ -51,19 +51,16 @@ syslog_prefix: cyrus
+ # Space-separated list of HTTP modules that will be enabled in
+ # httpd(8). This option has no effect on modules that are disabled at
+ # compile time due to missing dependencies (e.g. libical).
+-#
+-# Allowed values: caldav, carddav, domainkey, ischedule, rss
+-httpmodules: caldav carddav
++# Enable supported modules
++httpmodules: caldav carddav
+
+ # If enabled, the partitions will also be hashed, in addition to the
+ # hashing done on configuration directories. This is recommended if one
+ # partition has a very bushy mailbox tree.
+ hashimapspool: true
+
+-# Enable virtual domains
+-# and set default domain to localhost
+-virtdomains: yes
+-defaultdomain: localhost
++# Disable virtual domains by default
++virtdomains: off
+
+ ###################################################################
+ ## User experience settings
+@@ -72,6 +69,14 @@ defaultdomain: localhost
+ # Minimum time between POP mail fetches in minutes
+ popminpoll: 1
+
++# Conversation support is required for jmap
++conversations: 1
++conversations_db: twoskip
++
++# This will default to on in 3.1, and improves compatibility with some Apple
++# devices. Upstream https://github.com/cyrusimap/cyrus-imapd/issues/1556
++specialusealways: 1
++
+ ###################################################################
+ ## User Authentication settings
+ ###################################################################
+@@ -99,6 +104,12 @@ sasl_auto_transition: no
+ ## SSL/TLS Options
+ ###################################################################
+
++# These three files will automatically be generated by the systemd unit when
++# the service starts for the first time.
++tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.pem
++tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd-key.pem
++tls_client_ca_file: /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
++
+ # File containing the global certificate used for ALL services (imap,
+ # pop3, lmtp, sieve)
+ #tls_server_cert: /etc/ssl/certs/ssl-cert-snakeoil.pem
diff --git a/SOURCES/patch-cyrus-managesieve-linking b/SOURCES/patch-cyrus-managesieve-linking
new file mode 100644
index 0000000..1347c44
--- /dev/null
+++ b/SOURCES/patch-cyrus-managesieve-linking
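Review bot: In the prefork.conf part of patch-cyrus-default-configs the `http` and `https` service lines are uncommented, and the spec installs that file as /etc/cyrus.conf, so a fresh install listens for HTTP and HTTPS as well as the mail protocols even where CalDAV/CardDAV is never used. Either leave both lines commented and document how to enable them, or keep them on and say so beside them, e.g. `# http/https are enabled by default for CalDAV/CardDAV; comment out both lines if unused`. In the normal.conf TLS block, the new comment says the certificate, key and CA are generated at first start. It should also say they are locally generated and meant to be replaced with site-issued material, since `tls_client_ca_file` points at that same generated CA.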
@@ -0,0 +1,13 @@
+diff --git a/perl/sieve/managesieve/Makefile.PL.in b/perl/sieve/managesieve/Makefile.PL.in
+index 2bb715d..422504d 100644
+--- a/perl/sieve/managesieve/Makefile.PL.in
++++ b/perl/sieve/managesieve/Makefile.PL.in
+@@ -69,7 +69,7 @@ WriteMakefile(
+ 'ABSTRACT' => 'Cyrus Sieve management interface',
+ 'VERSION_FROM' => "@top_srcdir@/perl/sieve/managesieve/managesieve.pm", # finds $VERSION
+ 'MYEXTLIB' => '../lib/.libs/libisieve.a @top_builddir@/perl/.libs/libcyrus.a @top_builddir@/perl/.libs/libcyrus_min.a',
+- 'LIBS' => ["$LIB_SASL @SSL_LIBS@ @LIB_UUID@ @ZLIB@"],
++ 'LIBS' => ["$LIB_SASL @SSL_LIBS@ @LIB_UUID@ @ZLIB@ -lsqlite3 -lpq -lmariadb"],
+ 'CCFLAGS' => '@GCOV_CFLAGS@',
+ 'DEFINE' => '-DPERL_POLLUTE', # e.g., '-DHAVE_SOMETHING'
+ 'INC' => "-I@top_srcdir@/lib -I@top_srcdir@/perl/sieve -I@top_srcdir@/perl/sieve/lib @SASLFLAGS@ @SSL_CPPFLAGS@",
diff --git a/SOURCES/patch-cyrus-testsuite-timeout b/SOURCES/patch-cyrus-testsuite-timeout
new file mode 100644
index 0000000..74fa4f8
--- /dev/null
+++ b/SOURCES/patch-cyrus-testsuite-timeout
@@ -0,0 +1,13 @@
+diff --git a/cunit/unit.c b/cunit/unit.c
+index 46dc358..ca37f22 100644
+--- a/cunit/unit.c
++++ b/cunit/unit.c
+@@ -97,7 +97,7 @@ EXPORTED void fatal(const char *s, int code)
+ }
+
+ /* Each test gets a maximum of 20 seconds. */
+-#define TEST_TIMEOUT_MS (20*1000)
++#define TEST_TIMEOUT_MS (30*1000)
+
+ static jmp_buf jbuf;
+ static const char *code;
diff --git a/SOURCES/patch-vzic-proper-cflags b/SOURCES/patch-vzic-proper-cflags
new file mode 100644
index 0000000..0e299b3
--- /dev/null
+++ b/SOURCES/patch-vzic-proper-cflags
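Review bot: The context comment directly above the changed define in patch-cyrus-testsuite-timeout still reads `/* Each test gets a maximum of 20 seconds. */` while the value becomes `(30*1000)`, so the patched cunit/unit.c documents a limit it no longer enforces. The patch should change that line too, to `/* Each test gets a maximum of 30 seconds. */`. A trailing remark that the larger value is a downstream accommodation for slow builders, as the spec comment says, would keep the reason next to the number.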
@@ -0,0 +1,25 @@
+diff --git a/tools/vzic/Makefile b/tools/vzic/Makefile
+index 8ae6afa..3882998 100644
+--- a/tools/vzic/Makefile
++++ b/tools/vzic/Makefile
+@@ -45,17 +45,17 @@ LIBICAL_LDADD = -lical
+ GLIB_CFLAGS = `pkg-config --cflags glib-2.0`
+ GLIB_LDADD = `pkg-config --libs glib-2.0`
+
+-CFLAGS = -g -I../.. -DOLSON_DIR=\"$(OLSON_DIR)\" -DPRODUCT_ID='"$(PRODUCT_ID)"' -DTZID_PREFIX='"$(TZID_PREFIX)"' $(GLIB_CFLAGS) $(LIBICAL_CFLAGS)
++CFLAGS += -I../.. -DOLSON_DIR=\"$(OLSON_DIR)\" -DPRODUCT_ID='"$(PRODUCT_ID)"' -DTZID_PREFIX='"$(TZID_PREFIX)"' $(GLIB_CFLAGS) $(LIBICAL_CFLAGS)
+
+ OBJECTS = vzic.o vzic-parse.o vzic-dump.o vzic-output.o
+
+ all: vzic
+
+ vzic: $(OBJECTS)
+- $(CC) $(OBJECTS) $(GLIB_LDADD) -o vzic
++ $(CC) $(LDFLAGS) $(OBJECTS) $(GLIB_LDADD) -o vzic
+
+ test-vzic: test-vzic.o
+- $(CC) test-vzic.o $(LIBICAL_LDADD) -o test-vzic
++ $(CC) $(LDFLAGS) test-vzic.o $(LIBICAL_LDADD) -o test-vzic
+
+ # Dependencies.
+ $(OBJECTS): vzic.h
diff --git a/SPECS/cyrus-imapd.spec b/SPECS/cyrus-imapd.spec
new file mode 100644
index 0000000..c2c2d6e
--- /dev/null
+++ b/SPECS/cyrus-imapd.spec
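Review bot: `CFLAGS +=` in tools/vzic/Makefile appends only when CFLAGS arrives through the environment; if a caller passes it on the command line (`make CFLAGS=...`), GNU make ignores the makefile assignment and the `-I../..` and `-D...` definitions are lost. The spec's `make -C tools/vzic` appears to rely on the flags the configure macro exported, so the distribution hardening flags do get through, but that dependency is implicit. Writing the line as `override CFLAGS += -I../.. ...` (rest unchanged), or adding `# CFLAGS/LDFLAGS are expected from the environment, not the make command line` above it, would make the intent explicit.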
@@ -0,0 +1,931 @@ +%define scmt(l:) %(c=%1; echo ${c:0:%{-l:%{-l*}}%{!-l:7}}) + +# Cassandane commit hash. Cassandane doesn't have releases often, but it +# receives constant development. This was fetched on 20180518. +%global cocas 00bfe0109f80437ed09154aca9fbd53eef8f1b09 + +# Cassandane run by default. '--without cassandane' disables. +%bcond_without cassandane + +Name: cyrus-imapd +Version: 3.0.7 +Release: 19%{?dist} + +%define ssl_pem_file_prefix /etc/pki/%name/%name + +# UID/GID 76 have long been reserved for Cyrus +%define uid 76 +%define gid 76 + +%define cyrususer cyrus +%define cyrusgroup mail +%define cyrexecdir %_libexecdir/%name + +Summary: A high-performance email, contacts and calendar server +License: BSD +URL: http://www.cyrusimap.org/ +Source0: http://www.cyrusimap.org/releases/%name-%version.tar.gz +Source1: CHANGES.rpm + +# Adapt a timeout to handle our slower builders +Patch0: patch-cyrus-testsuite-timeout + +# Upstream https://github.com/cyrusimap/cyrus-imapd/issues/2026 +Patch1: patch-cyrus-managesieve-linking + +# Fedora-specific patch for the default configuration file +Patch2: patch-cyrus-default-configs + +# vzic uses an old makefile that needs hacks to use the proper flags +Patch3: patch-vzic-proper-cflags + +Patch4: cyrus-imapd-close_backup_on_failure.patch +Patch5: cyrus-imapd-memory_leak_on_cleanup.patch +Patch6: cyrus-imapd-memory_leak_on_cleanup_2.patch +Patch7: cyrus-imapd-close_backup_fd_on_error.patch +Patch8: cyrus-imapd-cve_2019_11356.patch +Patch9: cyrus-imapd-CVE-2019-19783.patch +Patch10: cyrus-imapd-CVE-2019-18928.patch + +Source10: cyrus-imapd.logrotate +Source11: cyrus-imapd.pam-config +Source12: cyrus-imapd.sysconfig +Source13: cyrus-imapd.cvt_cyrusdb_all +Source14: cyrus-imapd.magic +# XXX A systemd timer would probably be better +Source15: cyrus-imapd.cron-daily +Source16: README.rpm +Source17: cyrus-imapd.service +Source18: cyrus-imapd-init.service +Source19: cyrus-imapd.tmpfiles.conf + + + +# Source files for running 
the Cassandane test suite at build time. +Source80: https://github.com/cyrusimap/cassandane/archive/%cocas.tar.gz#/cassandane-%{scmt %cocas}.tar.gz + +# The CPAN version, and hence the Fedora-packaged version, of Net::CalDAVTalk +# doesn't include the testdata directory. Cassandane can use it for testing +# calendaring, so it's included here. +# This archive was generated by running: +# svn export https://github.com/brong/Net-CalDAVTalk/trunk/testdata +# tar cfz cassandane-testdata-20170523.tar.gz testdata +# Note that this changes very rarely. See +# https://github.com/brong/Net-CalDAVTalk/tree/master/testdata +Source81: cassandane-testdata-20170523.tar.gz + +# A template config file for cassandane; we will substitute in varions values. +Source82: cassandane.ini + +# These are source files and not patches because you can't use autosetup to +# apply patches to secondary unpacked source files. + +# Prevent cassandane from trying to syslog things +Source91: patch-cassandane-no-syslog + +# Tell the annotator script to run as the current user/group +# Upstream ticket https://github.com/cyrusimap/cyrus-imapd/issues/1995 +Source92: patch-cassandane-fix-annotator + +Source93: cyrus-imapd-master_rename.patch + + +BuildRequires: autoconf automake bison flex gcc gcc-c++ git groff libtool +BuildRequires: pkgconfig systemd transfig + +BuildRequires: perl-devel perl-generators perl(ExtUtils::MakeMaker) +BuildRequires: perl(Pod::Html) + +%if 0%{?fedora} && 0%{?fedora} >= 0 +BuildRequires: clamav-devel xapian-core-devel shapelib-devel +%endif +BuildRequires: CUnit-devel cyrus-sasl-devel glib2-devel +BuildRequires: jansson-devel krb5-devel libical-devel libicu-devel +BuildRequires: libnghttp2-devel libxml2-devel mariadb-devel net-snmp-devel +BuildRequires: openldap-devel openssl-devel postgresql-devel +BuildRequires: sqlite-devel + +# Miscellaneous modules needed for 'make check' to function: +BuildRequires: cyrus-sasl-plain cyrus-sasl-md5 + +%if %{with cassandane} +# Additional 
packages required for cassandane to function +BuildRequires: imaptest net-tools words +BuildRequires: perl(AnyEvent) perl(BSD::Resource) perl(Clone) +BuildRequires: perl(experimental) perl(File::chdir) perl(File::Slurp) +BuildRequires: perl(IO::Socket::INET6) perl(Mail::IMAPTalk) +BuildRequires: perl(Config::IniFiles) perl(Mail::JMAPTalk) perl(Math::Int64) +BuildRequires: perl(Net::CalDAVTalk) perl(Net::CardDAVTalk) +BuildRequires: perl(Net::Server) perl(News::NNTPClient) perl(Path::Tiny) +BuildRequires: perl(String::CRC32) perl(Sys::Syslog) +BuildRequires: perl(Test::Unit::TestRunner) perl(Time::HiRes) +BuildRequires: perl(Unix::Syslog) perl(XML::DOM) perl(XML::Generator) + +# For tls tests +BuildRequires: sscg + +# These were only for JMAP-Tester +# perl(Moo), perl(Moose), perl(MooseX::Role::Parameterized) perl(Throwable), perl(Safe::Isa) +%endif + +Requires(pre): shadow-utils +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig +%{?systemd_requires} + +Requires: %name-utils = %version-%release +Recommends: %name-vzic = %version-%release +Requires: file libdb-utils sscg +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: cyrus-imapd = %{version}-%{release} + +%{?perl_default_filter} + +%description +The Cyrus IMAP (Internet Message Access Protocol) server provides access to +personal mail, system-wide bulletin boards, news-feeds, calendar and contacts +through the IMAP, JMAP, NNTP, CalDAV and CardDAV protocols. The Cyrus IMAP +server is a scalable enterprise groupware system designed for use from small to +large enterprise environments using technologies based on well-established Open +Standards. + +A full Cyrus IMAP implementation allows a seamless mail and bulletin board +environment to be set up across one or more nodes. It differs from other IMAP +server implementations in that it is run on sealed nodes, where users are not +normally permitted to log in. 
The mailbox database is stored in parts of the +filesystem that are private to the Cyrus IMAP system. All user access to mail +is through software using the IMAP, IMAPS, JMAP, POP3, POP3S, KPOP, CalDAV +and/or CardDAV protocols. + +The private mailbox database design gives the Cyrus IMAP server large +advantages in efficiency, scalability, and administratability. Multiple +concurrent read/write connections to the same mailbox are permitted. The server +supports access control lists on mailboxes and storage quotas on mailbox +hierarchies. + + +%package devel +Summary: Cyrus IMAP server development files +Requires: %name%{?_isa} = %version-%release +Requires: pkgconfig + +%description devel +The %name-devel package contains header files and libraries +necessary for developing applications which use the imclient library. + + +%package doc-extra +Summary: Extra documentation for the Cyrus IMAP server +BuildArch: noarch + +%description doc-extra +This package contains the HTML documentation for the Cyrus IMAP server, as well +as some legacy and internal documentation not useful for normal operation of +the server. + + +%package utils +Summary: Cyrus IMAP server administration utilities + +%description utils +The cyrus-imapd-utils package contains administrative tools for the +Cyrus IMAP server. It can be installed on systems other than the +one running the server. + + +%package vzic +Summary: Utilities to convert timezone database files +License: GPLv2+ +Requires: %name = %version-%release +# Contains a lightly forked version of vzic. This seems to have been bundled +# into various other things and it's old, so I'm not sure where the upstream +# is. Here are a couple of possible upstreams: +# https://github.com/libical/vzic +# https://sourceforge.net/projects/vzic/ +# It is probably a good idea to split it out and package it separately, but the +# code here definitely differs from that at the second link above. 
+Provides: bundled(vzic) = 1.3 + +%description vzic +vzic is a program to convert the Olson timezone database files into VTIMEZONE +files compatible with the iCalendar specification (RFC2445). + +This package contains a forked version of vzic for internal use by the Cyrus +IMAP server. + +# Build dir is either $PWD, $(pwd) or % + +%prep +%autosetup -p1 -S git +echo %version > VERSION + +# Install the Fedora-specific documentation file +install -m 644 %SOURCE1 doc/ +install -m 644 %SOURCE16 doc/ + +# Unpack and prepare cassandane +tar xf %SOURCE80 +ln -s cassandane-%cocas cassandane +pushd cassandane +mkdir work +tar xf %SOURCE81 + +patch -p1 < %SOURCE91 +patch -p1 < %SOURCE92 +patch -p1 < %SOURCE93 + +cp %SOURCE82 cassandane.ini +# RF rpm-buildroot-usage +sed -i \ + -e "s!CASSDIR!$(pwd)!" \ + -e "s!BUILDROOT!%buildroot!" \ + cassandane.ini + +popd + +# Drop expired certificates and generate new ones +pushd cunit +rm -rf *pem +%{_bindir}/sscg --package %{name} --cert-file cert.pem --cert-key-file key.pem --ca-file cacert.pem +popd + +## Modify docs master --> cyrus-master +#%{__perl} -pi -e "s@master\(8\)@cyrus-master(8)@" man/*5 man/*8 lib/imapoptions +#sed -i -e 's|\([^-]\)master|\1cyrus-master|g;s|^master|cyrus-master|g;s|Master|Cyrus-master|g;s|MASTER|CYRUS-MASTER|g' \ +# man/master.8 doc/man.html + + +%build +# This is the test suite, which doesn't build much but does verify its dependencies. +# If this is done after the configure call, the one thing it does build fails +# because the configure macro puts some hardening flags into the environment. +%if %{with cassandane} +pushd cassandane +make +popd +%endif + +# Notes about configure options: +# --enable-objectstore +# It's experimental, and it doesn't appear that either openio or caringo are +# in Fedora. +# --with-cyrus-prefix and --with-service-path went away; use --with-libexecdir= +# instead. + +# Needed because of Patch4. 
+autoreconf -vi + +%configure \ + --disable-silent-rules \ + \ + --libexecdir=%cyrexecdir \ + --with-extraident="%release Fedora" \ + --with-krbimpl=mit \ + --with-ldap=/usr \ + --with-libwrap=no \ + --with-mysql \ + --with-pgsql \ + --with-perl=%__perl \ + --with-snmp \ + --with-syslogfacility=MAIL \ + \ + --enable-autocreate \ + --enable-backup \ + --enable-calalarmd \ + --enable-http \ + --enable-idled \ + --enable-jmap \ + --enable-murder \ + --enable-nntp \ + --enable-replication \ + --enable-unit-tests \ +%if 0%{?fedora} && 0%{?fedora} >= 0 + --enable-xapian \ + --with-clamav \ +%endif +# + +# The configure script will set up the Perl makefiles, but not in the way +# Fedora needs them. So regenerate them manually. +for i in perl/annotator perl/imap perl/sieve/managesieve; do + pushd $i + rm -f Makefile + perl Makefile.PL INSTALLDIRS=vendor # NO_PERLOCAL=1 NO_PACKLIST=1 + popd +done + +%make_build + +# This isn't built by default, but this package has always installed it. +make notifyd/notifytest + +# Also not built by default, but the tools are needed for serving timezone info +make -C tools/vzic + +# Modify docs master --> cyrus-master +%{__perl} -pi -e "s@master\(8\)@cyrus-master(8)@" man/*5 man/*8 lib/imapoptions +sed -i -e 's|\([^-]\)master|\1cyrus-master|g;s|^master|cyrus-master|g;s|Master|Cyrus-master|g;s|MASTER|CYRUS-MASTER|g' \ + man/master.8 doc/legacy/man.html + +%install +make install DESTDIR=%buildroot + +# Create directories +install -d \ + %buildroot/etc/{rc.d/init.d,logrotate.d,pam.d,sysconfig,cron.daily} \ + %buildroot/%_libdir/sasl \ + %buildroot/var/spool/imap \ + %buildroot/var/lib/imap/{user,quota,proc,log,msg,socket,db,sieve,sync,md5,rpm,backup,meta} \ + %buildroot/var/lib/imap/ptclient \ + %buildroot/%_datadir/%name/rpm \ + %buildroot/%cyrexecdir \ + %buildroot/etc/pki/%name + +install -d -m 0750 \ + %buildroot/run/cyrus \ + %buildroot/run/cyrus/socket + +install -d -m 0700 \ + %buildroot/run/cyrus/db \ + %buildroot/run/cyrus/lock \ + 
%buildroot/run/cyrus/proc + +# Some tools which aren't installed by the makefile which we have always installed +install -m 755 notifyd/notifytest %buildroot%_bindir/ +install -m 755 perl/imap/cyradm %buildroot%_bindir/ +for i in arbitronsort.pl masssievec mkimap mknewsgroups rehash translatesieve; do + install -m 755 tools/$i %buildroot/%cyrexecdir/ +done + +for i in vzic vzic-test.pl vzic-merge.pl vzic-dump.pl; do + install -m 755 tools/vzic/$i %buildroot/%cyrexecdir/ +done + +# Install additional files +install -p -m 644 %SOURCE10 %buildroot/etc/logrotate.d/%name +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/pop +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/imap +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/sieve +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/mupdate +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/lmtp +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/nntp +install -p -m 644 %SOURCE11 %buildroot/etc/pam.d/csync +install -p -m 644 %SOURCE12 %buildroot/etc/sysconfig/%name +install -p -m 755 %SOURCE13 %buildroot/%cyrexecdir/cvt_cyrusdb_all +install -p -m 644 %SOURCE14 %buildroot/%_datadir/%name/rpm/magic +install -p -m 755 %SOURCE15 %buildroot/etc/cron.daily/%name +install -p -m 644 doc/examples/cyrus_conf/prefork.conf %buildroot/etc/cyrus.conf +install -p -m 644 doc/examples/imapd_conf/normal.conf %buildroot/etc/imapd.conf +install -p -D -m 644 %SOURCE17 %buildroot/%_unitdir/cyrus-imapd.service +install -p -D -m 644 %SOURCE18 %buildroot/%_unitdir/cyrus-imapd-init.service +install -p -D -m 644 %SOURCE19 %buildroot/%_tmpfilesdir/cyrus-imapd.conf + +# Rename 'master' binary and manpage to avoid clash with postfix +mv -f %{buildroot}%{cyrexecdir}/master %{buildroot}%{cyrexecdir}/cyrus-master + +# mv -f %{buildroot}%{_mandir}/man8/master.8 %{buildroot}%{_mandir}/man8/cyrus-master.8 + +# Rename 'fetchnews' binary and manpage to avoid clash with leafnode +#mv -f %{buildroot}%{cyrexecdir}/fetchnews %{buildroot}%{cyrexecdir}/cyrfetchnews 
+#mv -f %{buildroot}%{_mandir}/man8/fetchnews.8 %{buildroot}%{_mandir}/man8/cyrfetchnews.8 +#%{__perl} -pi -e 's|fetchnews|cyrfetchnews|g;s|Fetchnews|Cyrfetchnews|g;s/FETCHNEWS/CYRFETCHNEWS/g' \ +# %{buildroot}%{_mandir}/man8/cyrfetchnews.8 + +#remove executable bit from docs +for ddir in doc perl/imap/examples +do + find $ddir -type f -exec chmod -x {} \; +done + + +# Cleanup of doc dir +find doc perl -name CVS -type d -prune -exec rm -rf {} \; +find doc perl -name .cvsignore -type f -exec rm -f {} \; +rm -f doc/Makefile.dist* +rm -f doc/text/htmlstrip.c +rm -f doc/text/Makefile +rm -rf doc/man + +# fix permissions on perl .so files +find %buildroot/%_libdir/perl5/ -type f -name "*.so" -exec chmod 755 {} \; + +# Generate db config file +# XXX Is this still necessary? +( grep '^{' lib/imapoptions | grep _db | cut -d'"' -f 2,4 | \ + sed -e 's/^ *//' -e 's/-nosync//' -e 's/ *$//' -e 's/"/=/' + echo sieve_version=2.2.3 ) | sort > %buildroot/%_datadir/%name/rpm/db.cfg + +# Cyrus has various files with extremely conflicting names. Some of these are +# not unexpected ("imapd" itself) but some like "httpd" are rather surprising. + +# Where there are only conflicting manpages, they have been moved to a "8cyrus" +# section. If the binary was renamed, then the manpages are renamed to match +# but a internal replacement has not been done. This may lead to more +# confusion but involves modifying fewer upstream files. 
+ +# Actual binary conflicts +# Rename 'fetchnews' binary and manpage to avoid clash with leafnode +mv %buildroot/%_sbindir/fetchnews %buildroot/%_sbindir/cyr_fetchnews +mv %buildroot/%_mandir/man8/fetchnews.8 %buildroot/%_mandir/man8/cyr_fetchnews.8 + +# Fix conflict with dump +mv %buildroot/%_sbindir/restore %buildroot/%_sbindir/cyr_restore +mv %buildroot/%_mandir/man8/restore.8 %buildroot/%_mandir/man8/cyr_restore.8 + +# Fix conceptual conflict with quota +mv %buildroot/%_sbindir/quota %buildroot/%_sbindir/cyr_quota +mv %buildroot/%_mandir/man8/quota.8 %buildroot/%_mandir/man8/cyr_quota.8 + +# fix conflicts with uw-imap +mv %buildroot/%_mandir/man8/imapd.8 %buildroot/%_mandir/man8/imapd.8cyrus +mv %buildroot/%_mandir/man8/pop3d.8 %buildroot/%_mandir/man8/pop3d.8cyrus + +# Rename 'master' manpage +mv %buildroot/%_mandir/man8/master.8 %buildroot/%_mandir/man8/master.8cyrus + +# Rename 'httpd' manpage to avoid clash with Apache +mv %buildroot/%_mandir/man8/httpd.8 %buildroot/%_mandir/man8/httpd.8cyrus + +# Old cyrus packages used to keep some executables in /usr/lib/cyrus-imapd +# RF hardcoded-library-path in %%buildroot/usr/lib/cyrus-imapd +mkdir %buildroot/usr/lib/cyrus-imapd +pushd %buildroot/usr/lib/cyrus-imapd +ln -s ../../sbin/deliver +popd + +#remove executable bit from docs +for ddir in doc perl/imap/examples +do + find $ddir -type f -exec chmod -x {} \; +done + +# Remove pointless libtool archives +rm %buildroot/%_libdir/*.la + +# Remove installed but not packaged files +rm %buildroot/%cyrexecdir/pop3proxyd +find %buildroot -name "perllocal.pod" -exec rm {} \; +find %buildroot -name ".packlist" -exec rm {} \; + + +%check +make %{?_smp_mflags} check || exit 1 + +%if %{without cassandane} +exit 0 +%endif + +# Run the Cassandane test suite. This will exhaustively test the various +# server components, but running it in a mock chroot is rather an exercise. 
+pushd cassandane + +mkdir -p imaptest/src +ln -s /usr/bin/imaptest imaptest/src +ln -s /usr/share/imaptest/tests imaptest/src + +export LD_LIBRARY_PATH=%buildroot/%_libdir +export CYRUS_USER=$USER + +# Construct the set of excluded tests to pass to Cassandane +# --------------------------------------------------------- +exclude+=("!Master.maxforkrate") # Some builders are too slow to complete this test properly +tests=( + # This is more a test of system performance and according to upstream won't + # be reliable on shared hardware like our builders. + Metronome + + # This tests coredumping and won't work on a machine where systemd + # intercepts coredumps, which includes our builders. + Cassandane::Test::Core + + # Upstream recommends disabling this because it has an internal race and + # will fail randomly. https://github.com/cyrusimap/cassandane/issues/17 + Master.sighup_recycling + + # Fails because our Xapian is too old for proper CJK support. 1.5 will be + # OK, but it is not yet released. The alternative is to bundle. + SearchFuzzy.cjk_words + + # These additionaly fail because Cyrus 3.0.7 no longer enables + # SNIPPET_EMPTY_WITHOUT_MATCH when the Cyrus-patched Xapian is not in use. + # https://github.com/cyrusimap/cyrus-imapd/commit/f008060cb53b3286fcedf7b8b4dd12c1980d665f + SearchFuzzy.normalize_snippets + SearchFuzzy.snippet_wildcard + SearchFuzzy.snippets_termcover + SearchFuzzy.snippets_escapehtml + SearchFuzzy.stem_verbs + + # As of yet unexplained + # https://github.com/cyrusimap/cyrus-imapd/issues/2047 + Admin.imap_admins + + # Upstream on IRC indicates that these two are expected to fail on 3.0. + Carddav.sharing_contactpaths + Metadata.set_specialuse_twice + + # This one needs a patch to xapian. 
+ # https://github.com/cyrusimap/cyrus-imapd/issues/2348 + SearchFuzzy.search_subjectsnippet +) +for i in ${tests[@]}; do exclude+=("!$i"); done + +%if 0%{?fedora} <= 28 +# imaptest on F28 has bugs which make some additional tests fail +tests=( + # Three new failures with imaptest 20170719 + # https://github.com/cyrusimap/cyrus-imapd/issues/2087 + ImapTest.append-binary + ImapTest.fetch-binary-mime + ImapTest.urlauth-binary + + # This one seems to fail randomly. + ImapTest.urlauth2 +) +for i in ${tests[@]}; do exclude+=("!$i"); done +%endif + +%if 0%{?fedora} <= 26 +# Some F26-specific test exclusions +tests=( + # These all fail because F26 perl doesn't support quad types in unpack. + Metadata.expunge_messages + Metadata.msg_replication_new_mas_partial_wwd + Metadata.msg_replication_new_rep + Metadata.msg_replication_new_mas + Metadata.msg_replication_exp_bot + Metadata.msg_replication_new_mas_partial_wwsw + Metadata.msg_replication_exp_mas + Metadata.msg_replication_mod_mas + Metadata.msg_replication_exp_rep + Metadata.msg_replication_mod_bot_msl + Metadata.msg_replication_new_bot_mse_gul + Metadata.msg_replication_mod_bot_msh + Metadata.msg_replication_new_bot_mse_guh + Metadata.msg_replication_mod_rep +) +for i in ${tests[@]}; do exclude+=("!$i"); done +%endif + +# Add -vvv for too much output +./testrunner.pl %{?_smp_mflags} -v -f pretty ${exclude[@]} 2>&1 + + +%pre +# Create 'cyrus' user on target host +getent group saslauth >/dev/null || /usr/sbin/groupadd -g %gid -r saslauth +getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /var/lib/imap -g %cyrusgroup \ + -G saslauth -s /sbin/nologin -u %uid -r %cyrususer + +%post +/sbin/ldconfig +%systemd_post cyrus-imapd.service + +%preun +%systemd_preun cyrus-imapd.service + +%postun +/sbin/ldconfig +%systemd_postun_with_restart cyrus-imapd.service + + +%files +%license COPYING +%doc README.md doc/README.* doc/examples doc/text doc/CHANGES.rpm + +%_datadir/cyrus-imapd +%_libdir/libcyrus*.so.* 
+%_mandir/man5/* +%_mandir/man8/* + +%dir /etc/pki/cyrus-imapd +%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-ca.pem +%attr(0644,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix.pem +%attr(0640,root,%cyrusgroup) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %ssl_pem_file_prefix-key.pem + +%config(noreplace) /etc/cyrus.conf +%config(noreplace) /etc/imapd.conf +%config(noreplace) /etc/logrotate.d/cyrus-imapd +%config(noreplace) /etc/sysconfig/cyrus-imapd +%config(noreplace) /etc/pam.d/* + +/etc/cron.daily/cyrus-imapd +%_unitdir/cyrus-imapd.service +%_unitdir/cyrus-imapd-init.service +%_tmpfilesdir/cyrus-imapd.conf + +%dir %cyrexecdir/ +%cyrexecdir/[a-uw-z]* + +# This creates some directories which in the default configuration cyrus will +# never use because they are placed under /run instead. However, old +# configurations or setup advice from the 'net might reference them, and so +# it's simpler to just leave them in the package. 
+%attr(0750,%cyrususer,%cyrusgroup) %dir /var/lib/imap/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/backup/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/db/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/log/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/meta/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/md5/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/msg/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/proc/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/ptclient/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/quota/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/rpm/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/sieve/
+%attr(0750,%cyrususer,%cyrusgroup) /var/lib/imap/socket
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/sync/
+%attr(0700,%cyrususer,%cyrusgroup) /var/lib/imap/user/
+%attr(0700,%cyrususer,%cyrusgroup) /var/spool/imap/
+
+# The new locations
+%attr(0750,%cyrususer,%cyrusgroup) %dir /run/cyrus/
+%attr(0700,%cyrususer,%cyrusgroup) /run/cyrus/db/
+%attr(0700,%cyrususer,%cyrusgroup) /run/cyrus/lock/
+%attr(0700,%cyrususer,%cyrusgroup) /run/cyrus/proc/
+%attr(0750,%cyrususer,%cyrusgroup) /run/cyrus/socket/
+
+
+%files devel
+%_includedir/cyrus/
+%_libdir/libcyrus*.so
+%_libdir/pkgconfig/*.pc
+%_mandir/man3/imclient.3*
+
+
+%files doc-extra
+%doc doc/html doc/internal doc/legacy
+
+
+%files utils
+%license COPYING
+%doc perl/imap/README
+%doc perl/imap/Changes
+%doc perl/imap/examples
+%{_bindir}/*
+%{_sbindir}/*
+%{perl_vendorarch}/auto/Cyrus
+%{perl_vendorarch}/Cyrus
+%{perl_vendorlib}/Cyrus
+%{_mandir}/man3/*.3pm*
+%{_mandir}/man1/*
+# RF hardcoded-library-path in /usr/lib/cyrus-imapd
+/usr/lib/cyrus-imapd
+
+
+%files vzic
+%cyrexecdir/vzic*
+
+
+%changelog
+* Thu Apr 23 2020 Pavel Zhukov - 3.0.7-19
+- change ownership of pki files (#1710722)
+
+* Thu Apr 23 2020 Pavel Zhukov - 3.0.7-18
+- Move old changelog into separate file (#1671239)
+
+* Tue Apr 21 2020 Pavel Zhukov - 3.0.7-17
+- Add fix for CVE-2019-19783
+- Add fix for CVE-2019-18928
+
+* Fri Jun 7 2019 Pavel Zhukov - 3.0.7-16
+- Resolves: #1718195 - don't overrun buffer when parsing strings with sscanf()
+
+* Mon Oct 8 2018 Pavel Zhukov - 3.0.7-15
+- Related: #1602472 - Fix rpmdiff warnings
+
+* Mon Oct 8 2018 Pavel Zhukov - 3.0.7-14
+- Related: #1602472 - Fix misused syntax warning
+
+* Tue Oct 2 2018 Pavel Zhukov - 3.0.7-13
+- Related: #1602472 - Fix few covscan warnings
+
+* Sun Aug 12 2018 Pavel Zhukov - 3.0.7-12
+- Rename master -> cyrus-master in documentation
+
+* Thu Aug 9 2018 Josef Ridky - 3.0.7-11
+- Rebuild for Net-SNMP
+
+* Wed Aug 8 2018 Pavel Zhukov - 3.0.7-10
+- Rename master -> cyrus-master
+
+* Wed Aug 8 2018 Pavel Zhukov - 3.0.7-9
+- Load supported modules only
+
+* Mon Aug 6 2018 Pavel Zhukov - 3.0.7-7
+- Resolves: №1611713 - Generate SSl cerificates for starttls test
+
+* Mon Jun 25 2018 Pavel Zhukov - 3.0.7-6
+- Drop shapelib in RHEL
+
+* Fri Jun 22 2018 Pavel Zhukov - 3.0.7-5
+- Drop xapian support
+
+* Tue May 22 2018 Pavel Zhukov - 3.0.7-4
+- Disable clamav support for non Fedora's
+- Disable forktest due to builders slowness
+
+* Fri May 18 2018 Jason L Tibbitts III - 3.0.7-2
+- Really enable mysql and clamav support.
+
+* Fri May 18 2018 Jason L Tibbitts III - 3.0.7-1
+- Update to 3.0.7.
+- Update Cassandane checkout.
+- Update excluded Cassandane test list.
+
+* Tue May 01 2018 Jason L Tibbitts III - 3.0.6-1
+- Update to 3.0.6.
+- Remove upstreamed patches and renumber the rest.
+- Disable one new failing test:
+ https://github.com/cyrusimap/cyrus-imapd/issues/2332
+
+* Mon Apr 30 2018 Pete Walter - 3.0.5-15
+- Rebuild for ICU 61.1
+
+* Tue Apr 17 2018 Jason L Tibbitts III - 3.0.5-14
+- Update Cassandane again, fixing a broken test.
+
+* Fri Apr 13 2018 Jason L Tibbitts III - 3.0.5-13
+- Update Cassandane, fixing a few tests and a class of weird random build
+ failures.
+
+* Fri Apr 06 2018 Jason L Tibbitts III - 3.0.5-12
+- Update list of excluded tests.
+- Update Cassandane snapshot; use new base_port config setting. No need to
+ patch that in now.
+- Add four new expected-to-fail tests from new Cassandane snapshot.
+- Add patch to collect extra Cassandane logging in case we hit some of those
+ sporadic failures again.
+
+* Tue Apr 03 2018 Jason L Tibbitts III - 3.0.5-11
+- Re-enable imaptest on >= F29.
+- F29's imaptest fixes several bugs, allowing all tests to be run there.
+- Relocate cassandane base port to hopefully work better in koji.
+
+* Mon Apr 02 2018 Jason L Tibbitts III - 3.0.5-10
+- Update cassandane checkout to fix a test that was broken by DST.
+- Add patch to fix sieve scripts for usernames containing a dot.
+- Disable imaptest in cassandane until
+ https://bugzilla.redhat.com/show_bug.cgi?id=1562970 is fixed.
+- Re-enable tests on s390; it seems to be better now.
+
+* Thu Mar 15 2018 Jason L Tibbitts III - 3.0.5-9
+- Re-enable clamav on ppc64.
+
+* Thu Mar 01 2018 Jason L Tibbitts III - 3.0.5-8
+- Bump client_timeout value in test suite.
+
+* Thu Mar 01 2018 Jason L Tibbitts III - 3.0.5-7
+- Add patch to fix imtest (rhbz#1543481).
+- Fix vzic makefile to use proper cflags (rhbz#1550543).
+
+* Mon Feb 26 2018 Jason L Tibbitts III - 3.0.5-6
+- Update cassandane checkout.
+- Add two new build dependencies.
+- Remove all JMAP-related tests from the exclusion lists, since cassandane no
+ longer runs any JMAP tests on cyrus 3.0.
+- Collapse unused test skip lists.
+- Add ten additional skipped tests, after consultation with upstream.
+
+* Mon Feb 26 2018 Jason L Tibbitts III - 3.0.5-5
+- Add patch to fix segfaults in squatter.
+- Exclude one test on all releases instead of just F28+.
+- Remove --cleanup from cassandane invocation.
+
+* Wed Feb 07 2018 Fedora Release Engineering - 3.0.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 09 2018 Jason L Tibbitts III - 3.0.5-3
+- Re-enable clamav and mariadb support as those are now built with openssl 1.1.
+- But no clamav on ppc64 because of
+ https://bugzilla.redhat.com/show_bug.cgi?id=1534071
+
+* Thu Jan 04 2018 Jason L Tibbitts III - 3.0.5-2
+- Reorganize some test exclusions so things build on all releases.
+
+* Thu Jan 04 2018 Jason L Tibbitts III - 3.0.5-1
+- Update to 3.0.5.
+- Add one new failing test.
+- Remove one now-passing test on rawhide.
+
+* Mon Dec 18 2017 Pavel Zhukov - 3.0.4-6
+- Rebuild with new net-snmp
+
+* Thu Nov 30 2017 Pete Walter - 3.0.4-5
+- Rebuild for ICU 60.1
+
+* Wed Nov 29 2017 Pavel Zhukov - 3.0.4-4
+- Do not require tcp_wrappers (#1518759)
+
+* Tue Nov 14 2017 Jason L Tibbitts III - 3.0.4-3
+- Rebuild for new libical.
+- Add patch to fix compilation error with new libical.
+- Disable two tests which fail due to the new libical.
+
+* Tue Oct 24 2017 Jason L Tibbitts III - 3.0.4-2
+- Fix typo in default config;
+ https://bugzilla.redhat.com/show_bug.cgi?id=1506000
+
+* Tue Sep 05 2017 Pavel Zhukov - 3.0.4-1
+- Update to 3.0.4
+- Patched cassandane for new behaviour. It should be updated idealy.
+- Disable ImapTest.urlauth2 test; it seems to fail randomly regardless of
+ architecture.
+
+* Fri Aug 11 2017 Jason L Tibbitts III - 3.0.3-1
+- Update to 3.0.3, which contains an important security fix. The fix is not
+ embargoed but no CVE has been assigned yet.
+- Drop patches merged upstream.
+- An update of imaptest has resulted in three additional cassandane failures,
+ reported upstream as https://github.com/cyrusimap/cyrus-imapd/issues/2087.
+ In order to get the security fix out without delay, those three tests have been
+ disabled.
+
+* Fri Aug 11 2017 Igor Gnatenko - 3.0.2-9
+- Rebuilt after RPM update (№ 3)
+
+* Thu Aug 10 2017 Igor Gnatenko - 3.0.2-8
+- Rebuilt for RPM soname bump
+
+* Wed Aug 02 2017 Fedora Release Engineering - 3.0.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 3.0.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun 30 2017 Jason L Tibbitts III - 3.0.2-5
+- Add two patches from upstream which fix JMAPCalendars issues on 32-bit and
+ big-endian architectures.
+- Clean up test invocation and exclusion list. More tests pass now.
+
+* Wed Jun 28 2017 Jason L Tibbitts III - 3.0.2-4
+- Explicitly set specialusealways: 1 in the default config.
+
+* Tue Jun 27 2017 Jason L Tibbitts III - 3.0.2-3
+- Patch the provided imapd.conf and cyrus.conf to more closely match previous
+ Fedora defaults and directories included in this package and to enable
+ features which are supported by the Fedora build.
+- Add tmpfiles.d configuration file for directories in /run.
+
+* Tue Jun 27 2017 Jason L Tibbitts III - 3.0.2-2
+- Exclude one more test from 32-bit arches. Looks like this failure crept in
+ with the Cassandane update.
+
+* Thu Jun 22 2017 Jason L Tibbitts III - 3.0.2-1
+- Update to 3.0.2.
+- New Cassandane snapshot, with more tests (all of which are passing).
+
+* Tue Jun 20 2017 Jason L Tibbitts III - 3.0.1-7
+- Add old /usr/lib/cyrus-imapd directory to the utils package and add a symlink
+ there to the deliver binary. This should help a bit with migrations.
+- Add upstream patch to fix reconstruct failures on 32-bit architectures.
+ Re-enable those five Cassandane tests.
+
+* Thu Jun 15 2017 Jason L Tibbitts III - 3.0.1-6
+- Rename two commands: quota -> cyr_quota, restore -> cyr_restore.
+- Fix Cassandane to handle those renames.
+- Fix location of cyr_fetchnews.
+- Fix Perl 5.26-related module linking issue which caused a test failure.
+ Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1461669
+
+* Tue Jun 06 2017 Jason L Tibbitts III - 3.0.1-5
+- Use proper path to ctl_mboxlist in cron file.
+- Add patch to increase individual test timeout. Sometimes armv7hl can't
+ complete a single test in 20 seconds.
+- Disable the Metronome tests; upstream says that they just won't reliably on
+ shared hardware.
+- Don't bother running Cassandane on s390x for now. The machines are simply
+ too slow.
+
+* Tue Jun 06 2017 Jitka Plesnikova - 3.0.1-4
+- Perl 5.26 rebuild
+
+* Fri Jun 02 2017 Jason L Tibbitts III - 3.0.1-3
+- Remove clamav from build requirements.
+- Add --cleanup to Cassandane call to hopefully reduce build disk usage.
+- Disable maxforkrate test on s390x; our builders are too slow to run it.
+
+* Fri Jun 02 2017 Jason L Tibbitts III - 3.0.1-2
+- Add patch to fix up some endianness issues.
+- Enable both test suites on all architectures.
+- Add arch-specific excludes for a few Cassandane tests.
+
+* Thu Apr 20 2017 Jason L Tibbitts III - 3.0.1-1
+- Initial attempt at importing 3.0. Many new dependencies.
+- Use a stock sample imapd.conf file instead of a Fedora-provided one.
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.5.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 09 2017 Jason L Tibbitts III - 2.5.10-2
+- Rename httpd manpage to "cyrhttpd" to avoid conflict with the httpd package.
+
+* Wed Nov 23 2016 Jason L Tibbitts III - 2.5.10-1
+- Initial update to the 2.5 series.
+- Significant spec cleanups.
+- Add sscg dep and follow
+ https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup for initial
+ cert generation.
+- Change default conf to use the system crypto policy.
+
+* Sat Jan 01 2000 Pavel Zhukov - 0.0.1-1
+- See /usr/share/doc/cyrus-imapd/CHANGELOG.rpm for more history