update min uid value to 1000 as everywhere

use sysusers method for user creation
related: #RHEL-40657

dovecot-2.0-defaultconfig.patch

@@ -1,6 +1,15 @@
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf
---- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf	2018-03-01 10:29:38.208368555 +0100
++++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf	2021-10-27 11:13:45.666956339 +0200
+@@ -175,7 +175,7 @@ namespace inbox {
+ # to make sure that users can't log in as daemons or other system users.
+ # Note that denying root logins is hardcoded to dovecot binary and can't
+ # be done even if first_valid_uid is set to 0.
+-#first_valid_uid = 500
++first_valid_uid = 1000
+ #last_valid_uid = 0
+ 
+ # Valid GID range for users, defaults to non-root/wheel. Users having
 @@ -322,6 +322,7 @@ protocol !indexer-worker {
  # them simultaneously.
  #mbox_read_locks = fcntl
@@ -9,9 +18,9 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings
  
  # Maximum time to wait for lock (all of them) before aborting.
  #mbox_lock_timeout = 5 mins
-diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
+diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf
---- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings	2018-02-28 15:28:57.000000000 +0100
+--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings	2021-08-06 11:25:51.000000000 +0200
-+++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf	2018-03-01 10:33:54.779499044 +0100
++++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf	2021-10-27 11:13:02.834533975 +0200
 @@ -3,7 +3,9 @@
  ##
  
@@ -23,7 +32,7 @@ diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings
  
  # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
  # dropping root privileges, so keep the key file unreadable by anyone but
-@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
  #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
  # To disable non-EC DH, use:
  #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

dovecot.spec

@@ -6,7 +6,7 @@ Name: dovecot
 Epoch: 1
 Version: 2.3.21
 %global prever %{nil}
-Release: 9%{?dist}
+Release: 10%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT AND LGPL-2.1-only
 
@@ -21,6 +21,8 @@ Source10: dovecot.tmpfilesd
 
 #our own
 Source14: dovecot.conf.5
+Source15: prestartscript
+Source16: dovecot.sysusers
 
 # 3x Fedora/RHEL specific
 Patch1: dovecot-2.0-defaultconfig.patch
@@ -53,8 +55,6 @@ Patch23: dovecot-2.3.20-nolibotp.patch
 # adapted from 2.4 dovecot, issue #RHEL-33733
 Patch24: dovecot-2.3.21-noengine.patch
 
-Source15: prestartscript
-
 BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
 BuildRequires: libtool, autoconf, automake, pkgconfig
 BuildRequires: sqlite-devel
@@ -261,6 +261,8 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
 #install waitonline script
 install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
 
+install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
+
 # generate ghost .pem files
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
 mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@@ -298,13 +300,7 @@ popd
 
 %pre
 #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid 
-getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
+%sysusers_create_compat %{SOURCE16}
-getent passwd dovecot >/dev/null || \
-useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
-
-getent group dovenull >/dev/null || groupadd -r dovenull
-getent passwd dovenull >/dev/null || \
-useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
 
 if [ -z "$LEAPP_IPU_IN_PROGRESS" ]
 then
@@ -382,6 +378,7 @@ make check
 
 
 %_tmpfilesdir/dovecot.conf
+%{_sysusersdir}/dovecot.sysusers
 %{_unitdir}/dovecot.service
 %{_unitdir}/dovecot-init.service
 %{_unitdir}/dovecot.socket
@@ -519,6 +516,9 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Tue Jun 18 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-10
+- set min uid to 1000
+
 * Thu Jun 13 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.21-9
 - do not run during systemd commands during leap upgrade
 

dovecot.sysusers

@@ -0,0 +1,9 @@
+#Type Name    ID    GECOS                       Home directory       Shell
+g     dovecot 97
+u     dovecot 97   "Dovecot IMAP server"        /usr/libexec/dovecot /sbin/nologin
+m     dovecot dovecot
+
+g     dovenull -
+u     dovenull -   "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
+m     dovenull dovenull
+