Follow initial system setup guidelines.

An extra systemd service file will call sscg to setup a secure initial
certificate if it does not exist.  The new default imapd.conf file will
reference that cert.

cyrus-imapd.imap-2.3.x-conf

@@ -1,15 +0,0 @@
-configdirectory: /var/lib/imap
-partition-default: /var/spool/imap
-admins: cyrus
-sievedir: /var/lib/imap/sieve
-sendmail: /usr/sbin/sendmail
-hashimapspool: true
-sasl_pwcheck_method: saslauthd
-sasl_mech_list: PLAIN LOGIN
-allowplaintext: no
-defaultdomain: mail
-tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
-tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
-tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
-# uncomment this if you're operating in a DSCP environment (RFC-4594)
-# qosmarking: af13

cyrus-imapd.imap-2.5.x-conf

@@ -8,9 +8,11 @@ sasl_pwcheck_method: saslauthd
 sasl_mech_list: PLAIN LOGIN
 allowplaintext: no
 defaultdomain: mail
+
+# These three files will automatically be generated by sustemd
 tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
-tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
+tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd-key.pem
-tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
+tls_ca_file: /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
 
 # Support system-wide crypto policy
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies

cyrus-imapd.service

@@ -2,6 +2,9 @@
 Description=Cyrus-imapd IMAP/POP3 email server
 After=local-fs.target network.target
 
+Requires=cyrus-imapd-init.service
+After=cyrus-imapd-init.service
+
 [Service]
 Type=simple
 EnvironmentFile=/etc/sysconfig/cyrus-imapd

cyrus-imapd.spec

@@ -17,7 +17,7 @@ License: BSD
 URL: http://www.cyrusimap.org/
 Source0: http://www.cyrusimap.org/releases/%name-%version.tar.gz
 Source1: cyrus-imapd.logrotate
-Source2: cyrus-imapd.imap-2.3.x-conf
+Source2: cyrus-imapd.imap-2.5.x-conf
 Source3: cyrus-imapd.pam-config
 Source7: cyrus-imapd.sysconfig
 Source8: cyrus-imapd.cvt_cyrusdb_all
@@ -25,7 +25,8 @@ Source9: cyrus-imapd.magic
 Source10: cyrus-imapd.cron-daily
 Source11: README.rpm
 Source12: cyrus-imapd.service
-Source13: cyr_systemd_helper
+Source13: cyrus-imapd-init.service
+Source14: cyr_systemd_helper
 
 # There is a conflict between the sched_param structure defined in the source
 # and one defined by a system header.  Fixed upstream as
@@ -49,7 +50,7 @@ Requires(postun): /sbin/ldconfig
 
 Requires: %name-utils = %version-%release
 Recommends: %name-vzic = %version-%release
-Requires: file, libdb-utils
+Requires: file libdb-utils sscg
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
 %{?perl_default_filter}
@@ -226,7 +227,8 @@ install -p -m 644 %{SOURCE7}   %{buildroot}/etc/sysconfig/%{name}
 install -p -m 755 %{SOURCE10}   %{buildroot}/etc/cron.daily/%{name}
 
 install -p -D -m 644 %{SOURCE12}   %{buildroot}%{_unitdir}/cyrus-imapd.service
-install -p -D -m 755 %{SOURCE13}   %{buildroot}%{cyrexecdir}/cyr_systemd_helper
+install -p -D -m 644 %{SOURCE13}   %{buildroot}%{_unitdir}/cyrus-imapd-init.service
+install -p -D -m 755 %{SOURCE14}   %{buildroot}%{cyrexecdir}/cyr_systemd_helper
 
 # Cleanup of doc dir
 find doc perl -name CVS -type d -prune -exec rm -rf {} \;
@@ -317,6 +319,7 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 
 /etc/cron.daily/cyrus-imapd
 %_unitdir/cyrus-imapd.service
+%_unitdir/cyrus-imapd-init.service
 
 %dir %cyrexecdir/
 %cyrexecdir/[a-uw-z]*
@@ -364,6 +367,10 @@ getent passwd cyrus >/dev/null || /usr/sbin/useradd -c "Cyrus IMAP Server" -d /v
 * Wed Nov 23 2016 Jason L Tibbitts III <tibbs@math.uh.edu> - 2.5.10-1
 - Initial update to the 2.5 series.
 - Significant spec cleanups.
+- Add sscg dep and follow
+  https://fedoraproject.org/wiki/Packaging:Initial_Service_Setup for initial
+  cert generation.
+- Change default conf to use the system crypto policy.
 
 * Tue May 17 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.18-3
 - Perl 5.24 rebuild