From 71d947cd2c30cbab9ce3abcd4fbdd1b9ec58b43a Mon Sep 17 00:00:00 2001 From: John Dennis Date: Thu, 23 Dec 2004 20:17:34 +0000 Subject: [PATCH] improve documentation and migration --- dovecot-conf.patch | 652 ++++----------------------------------- dovecot-configfile.patch | 100 ++++++ dovecot.spec | 74 +++-- 3 files changed, 203 insertions(+), 623 deletions(-) create mode 100644 dovecot-configfile.patch diff --git a/dovecot-conf.patch b/dovecot-conf.patch index 5f699c7..f7350a9 100644 --- a/dovecot-conf.patch +++ b/dovecot-conf.patch @@ -1,17 +1,10 @@ diff -r -u dovecot-0.99.11.orig/configure.in dovecot-0.99.11/configure.in --- dovecot-0.99.11.orig/configure.in 2004-09-04 05:20:19.000000000 -0400 -+++ dovecot-0.99.11/configure.in 2004-11-19 16:36:37.000000000 -0500 -@@ -21,6 +21,20 @@ ++++ dovecot-0.99.11/configure.in 2004-12-14 16:26:18.000000000 -0500 +@@ -21,6 +21,13 @@ # check posix headers AC_CHECK_HEADERS(sys/time.h) -+AC_ARG_WITH(logindir, -+[ --with-logindir=DIR LOGIN directory (LOCALSTATEDIR/run/dovecot)], -+ logindir="$withval", -+ logindir=\${localstatedir}/run/dovecot/login -+) -+AC_SUBST(logindir) -+ +AC_ARG_WITH(docdir, +[ --with-docdir=DIR directory for documentation (DATADIR/doc/dovecot)], + docdir="$withval", @@ -22,607 +15,80 @@ diff -r -u dovecot-0.99.11.orig/configure.in dovecot-0.99.11/configure.in AC_ARG_ENABLE(ipv6, [ --enable-ipv6 Enable IPv6 support (default)], if test x$enableval = xno; then -@@ -180,6 +194,8 @@ - ) - AC_SUBST(ssldir) - -+AM_CONDITIONAL(BUILD_SSL, test "$want_gnutls" = "yes" -o "$want_openssl" = "yes" ) -+ - AC_ARG_WITH(pop3d, - [ --with-pop3d Build POP3 server (default)], - if test x$withval = xno; then -@@ -1121,6 +1137,13 @@ - AC_MSG_RESULT($i_cv_type_in6_addr) - fi - -+if test $i_cv_type_in6_addr = yes; then -+ listenaddr='[[::]]' -+else -+ listenaddr='*' -+fi -+AC_SUBST(listenaddr) -+ - dnl ** - dnl ** storage classes - dnl ** -@@ -1148,7 +1171,9 @@ - - AC_OUTPUT( - Makefile -+dovecot.conf - doc/Makefile -+doc/mkcert.sh - src/Makefile - src/lib/Makefile - src/lib-charset/Makefile -diff -r -u dovecot-0.99.11.orig/doc/Makefile.am dovecot-0.99.11/doc/Makefile.am +diff -u -r dovecot-0.99.11.orig/doc/Makefile.am dovecot-0.99.11/doc/Makefile.am --- dovecot-0.99.11.orig/doc/Makefile.am 2004-05-25 14:21:10.000000000 -0400 -+++ dovecot-0.99.11/doc/Makefile.am 2004-11-19 12:21:31.000000000 -0500 -@@ -1,4 +1,4 @@ ++++ dovecot-0.99.11/doc/Makefile.am 2004-12-22 14:49:43.000000000 -0500 +@@ -1,19 +1,26 @@ -docdir = $(datadir)/doc/dovecot +exampledir=$(docdir)/examples - doc_DATA = \ - auth.txt \ -@@ -10,10 +10,13 @@ - nfs.txt \ +-doc_DATA = \ +- auth.txt \ +- configuration.txt \ +- design.txt \ +- index.txt \ +- mail-storages.txt \ +- multiaccess.txt \ +- nfs.txt \ ++doc_DATA = \ ++ auth.txt \ ++ configuration.txt \ ++ design.txt \ ++ index.txt \ ++ mail-storages.txt \ ++ multiaccess.txt \ ++ nfs.txt \ securecoding.txt -EXTRA_DIST = \ -+example_DATA = \ - mkcert.sh \ - dovecot-openssl.cnf \ - dovecot-ldap.conf \ - dovecot-mysql.conf \ +- mkcert.sh \ +- dovecot-openssl.cnf \ +- dovecot-ldap.conf \ +- dovecot-mysql.conf \ - dovecot-pgsql.conf \ ++example_DATA = \ ++ ../dovecot-example.conf \ ++ mkcert.sh \ ++ dovecot-ldap.conf \ ++ dovecot-mysql.conf \ + dovecot-pgsql.conf + -+EXTRA_DIST = \ -+ $(example_DATA) \ ++ssl_DATA = \ ++ dovecot-openssl.cnf ++ ++EXTRA_DIST = \ ++ $(example_DATA) \ ++ $(ssl_DATA) \ $(doc_DATA) -diff -r -u dovecot-0.99.11.orig/Makefile.am dovecot-0.99.11/Makefile.am +diff -u -r dovecot-0.99.11.orig/Makefile.am dovecot-0.99.11/Makefile.am --- dovecot-0.99.11.orig/Makefile.am 2003-05-05 12:46:57.000000000 -0400 -+++ dovecot-0.99.11/Makefile.am 2004-11-22 16:08:01.000000000 -0500 -@@ -1,7 +1,18 @@ ++++ dovecot-0.99.11/Makefile.am 2004-12-21 16:29:26.000000000 -0500 +@@ -1,11 +1,22 @@ SUBDIRS = src doc confdir = $(sysconfdir) -conf_DATA = dovecot-example.conf +conf_DATA = dovecot.conf + +-EXTRA_DIST = \ +- config.rpath \ +- dovecot.spec \ +- dovecot.spec.in \ +- COPYING.LGPL \ + -+doc_DATA = \ -+ AUTHORS \ -+ COPYING \ -+ COPYING.LGPL \ -+ ChangeLog \ -+ INSTALL \ -+ NEWS \ -+ README \ ++doc_DATA = \ ++ AUTHORS \ ++ COPYING \ ++ COPYING.LGPL \ ++ ChangeLog \ ++ INSTALL \ ++ NEWS \ ++ README \ + TODO + - - EXTRA_DIST = \ - config.rpath \ -diff -N -u dovecot-0.99.11.orig/doc/mkcert.sh.in dovecot-0.99.11/doc/mkcert.sh.in ---- dovecot-0.99.11.orig/doc/mkcert.sh.in 1969-12-31 19:00:00.000000000 -0500 -+++ dovecot-0.99.11/doc/mkcert.sh.in 2004-11-19 13:47:38.000000000 -0500 -@@ -0,0 +1,34 @@ -+#!/bin/sh -+ -+# Generates a self-signed certificate. -+# Edit dovecot-openssl.cnf before running this. -+ -+OPENSSL=${OPENSSL-openssl} -+SSLDIR=${SSLDIR-@ssldir@} -+OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} -+ -+CERTFILE=$SSLDIR/certs/@PACKAGE@.pem -+KEYFILE=$SSLDIR/private/@PACKAGE@.pem -+ -+if [ ! -d $SSLDIR/certs ]; then -+ echo "$SSLDIR/certs directory doesn't exist" -+fi -+ -+if [ ! -d $SSLDIR/private ]; then -+ echo "$SSLDIR/private directory doesn't exist" -+fi -+ -+if [ -f $CERTFILE ]; then -+ echo "$CERTFILE already exists, won't overwrite" -+ exit 1 -+fi -+ -+if [ -f $KEYFILE ]; then -+ echo "$KEYFILE already exists, won't overwrite" -+ exit 1 -+fi -+ -+$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 -+chmod 0600 $KEYFILE -+echo -+$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 -diff -N -u dovecot-0.99.11.orig/dovecot.conf.in dovecot-0.99.11/dovecot.conf.in ---- dovecot-0.99.11.orig/dovecot.conf.in 1969-12-31 19:00:00.000000000 -0500 -+++ dovecot-0.99.11/dovecot.conf.in 2004-11-19 16:42:03.000000000 -0500 -@@ -0,0 +1,481 @@ -+## Dovecot 1.0 configuration file -+ -+# Base directory where to store runtime data. -+#base_dir = @localstatedir@/run/dovecot/ -+ -+# Protocols we want to be serving: -+# imap imaps pop3 pop3s -+#protocols = imap imaps -+ -+# IP or host address where to listen in for connections. It's not currently -+# possible to specify multiple addresses. "*" listens in all IPv4 interfaces. -+# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4 -+# interfaces depending on the operating system. You can specify ports with -+# "host:port". -+imap_listen = @listenaddr@ -+pop3_listen = @listenaddr@ -+ -+# IP or host address where to listen in for SSL connections. Defaults -+# to above non-SSL equilevants if not specified. -+#imaps_listen = @listenaddr@ -+#pop3s_listen = @listenaddr@ -+ -+# Disable SSL/TLS support. -+@BUILD_SSL_TRUE@ssl_disable = no -+ -+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before -+# dropping root privileges, so keep the key file unreadable by anyone but -+# root. Included doc/mkcert.sh can be used to easily generate self-signed -+# certificate, just make sure to update the domains in dovecot-openssl.cnf -+@BUILD_SSL_TRUE@ssl_cert_file = @ssldir@/certs/@PACKAGE@.pem -+@BUILD_SSL_TRUE@ssl_key_file = @ssldir@/private/@PACKAGE@.pem -+ -+# SSL parameter file. Master process generates this file for login processes. -+# It contains Diffie Hellman and RSA parameters. -+@BUILD_SSL_TRUE@ssl_parameters_file = @localstatedir@/run/dovecot/ssl-parameters.dat -+ -+# How often to regenerate the SSL parameters file. Generation is quite CPU -+# intensive operation. The value is in hours, 0 disables regeneration -+# entirely. -+@BUILD_SSL_TRUE@ssl_parameters_regenerate = 24 -+ -+# Disable LOGIN command and all other plaintext authentications unless -+# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and -+# IPv6 ::1 addresses are considered secure, this setting has no effect if -+# you connect from those addresses. -+#disable_plaintext_auth = yes -+ -+# Use this logfile instead of syslog(). /dev/stderr can be used if you want to -+# use stderr for logging (ONLY /dev/stderr - otherwise it is closed). -+#log_path = -+ -+# For informational messages, use this logfile instead of the default -+#info_log_path = -+ -+# Prefix for each line written to log file. % codes are in strftime(3) -+# format. -+#log_timestamp = "%b %d %H:%M:%S " -+ -+## -+## Login processes -+## -+ -+# Directory where authentication process places authentication UNIX sockets -+# which login needs to be able to connect to. The sockets are created when -+# running as root, so you don't have to worry about permissions. Note that -+# everything in this directory is deleted when Dovecot is started. -+#login_dir = @logindir@ -+ -+# chroot login process to the login_dir. Only reason not to do this is if you -+# wish to run the whole Dovecot without roots. -+#login_chroot = yes -+ -+ -+## -+## IMAP login process -+## -+ -+login = imap -+ -+# Executable location. -+#login_executable = @libexecdir@/dovecot/imap-login -+ -+# User to use for the login process. Create a completely new user for this, -+# and don't use it anywhere else. The user must also belong to a group where -+# only it has access, it's used to control access for authentication process. -+#login_user = dovecot -+ -+# Set max. process size in megabytes. If you don't use -+# login_process_per_connection you might need to grow this. -+#login_process_size = 32 -+ -+# Should each login be processed in it's own process (yes), or should one -+# login process be allowed to process multiple connections (no)? Yes is more -+# secure, espcially with SSL/TLS enabled. No is faster since there's no need -+# to create processes all the time. -+#login_process_per_connection = yes -+ -+# Number of login processes to create. If login_process_per_user is -+# yes, this is the number of extra processes waiting for users to log in. -+#login_processes_count = 3 -+ -+# Maximum number of extra login processes to create. The extra process count -+# usually stays at login_processes_count, but when multiple users start logging -+# in at the same time more extra processes are created. To prevent fork-bombing -+# we check only once in a second if new processes should be created - if all -+# of them are used at the time, we double their amount until limit set by this -+# setting is reached. This setting is used only if login_process_per_use is yes. -+#login_max_processes_count = 128 -+ -+# Maximum number of connections allowed in login state. When this limit is -+# reached, the oldest connections are dropped. If login_process_per_user -+# is no, this is a per-process value, so the absolute maximum number of users -+# logging in actually login_processes_count * max_logging_users. -+#login_max_logging_users = 256 -+ -+## -+## POP3 login process -+## -+ -+# Settings default to same as above, so you don't have to set anything -+# unless you want to override them. -+ -+login = pop3 -+ -+# Exception to above rule being the executable location. -+#login_executable = @libexecdir@/dovecot/pop3-login -+ -+## -+## Mail processes -+## -+ -+# Maximum number of running mail processes. When this limit is reached, -+# new users aren't allowed to log in. -+#max_mail_processes = 1024 -+ -+# Show more verbose process titles (in ps). Currently shows user name and -+# IP address. Useful for seeing who are actually using the IMAP processes -+# (eg. shared mailboxes or if same uid is used for multiple accounts). -+#verbose_proctitle = no -+ -+# Show protocol level SSL errors. -+@BUILD_SSL_TRUE@verbose_ssl = no -+ -+# Valid UID range for users, defaults to 500 and above. This is mostly -+# to make sure that users can't log in as daemons or other system users. -+# Note that denying root logins is hardcoded to dovecot binary and can't -+# be done even if first_valid_uid is set to 0. -+#first_valid_uid = 500 -+#last_valid_uid = 0 -+ -+# Valid GID range for users, defaults to non-root/wheel. Users having -+# non-valid GID as primary group ID aren't allowed to log in. If user -+# belongs to supplementary groups with non-valid GIDs, those groups are -+# not set. -+#first_valid_gid = 1 -+#last_valid_gid = 0 -+ -+# Grant access to these extra groups for mail processes. Typical use would be -+# to give "mail" group write access to /var/mail to be able to create dotlocks. -+#mail_extra_groups = -+ -+# ':' separated list of directories under which chrooting is allowed for mail -+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). -+# This setting doesn't affect login_chroot or auth_chroot variables. -+# WARNING: Never add directories here which local users can modify, that -+# may lead to root exploit. Usually this should be done only if you don't -+# allow shell access for users. See doc/configuration.txt for more information. -+#valid_chroot_dirs = -+ -+# Default chroot directory for mail processes. This can be overridden by -+# giving /./ in user's home directory (eg. /home/./user chroots into /home). -+#mail_chroot = -+ -+# Default MAIL environment to use when it's not set. By leaving this empty -+# dovecot tries to do some automatic detection as described in -+# doc/mail-storages.txt. There's a few special variables you can use: -+# -+# %u - username -+# %n - user part in user@domain, same as %u if there's no domain -+# %d - domain part in user@domain, empty if user there's no domain -+# %h - home directory -+# -+# You can also limit a width of string by giving the number of max. characters -+# after the '%' character. For example %1u gives the first character of -+# username. Some examples: -+# -+# default_mail_env = maildir:/var/mail/%1u/%u/Maildir -+# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u -+# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n -+# -+#default_mail_env = -+ -+# Space-separated list of fields to cache for all mails. Currently these -+# fields are allowed followed by a list of commands they speed up: -+# -+# Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT, -+# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID, -+# HEADER IN-REPLY-TO -+# Body - FETCH BODY -+# Bodystructure - FETCH BODY, BODYSTRUCTURE -+# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE, -+# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE -+# generation. This is always set with mbox mailboxes, and -+# also default with Maildir. -+# -+# Different IMAP clients work in different ways, that's why Dovecot by default -+# only caches MessagePart which speeds up most operations. Whenever client -+# does something where caching could be used, the field is automatically marked -+# to be cached later. For example after FETCH BODY the BODY will be cached -+# for all new messages. Normally you should leave this alone, unless you know -+# what most of your IMAP clients are. Caching more fields than needed makes -+# the index files larger and generate useless I/O. -+# -+# With maildir there's one extra optimization - if nothing is cached, indexing -+# the maildir becomes much faster since it's not opening any of the mail files. -+# This could be useful if your IMAP clients access only new mails. -+ -+#mail_cache_fields = MessagePart -+ -+# Space-separated list of fields that Dovecot should never set to be cached. -+# Useful if you want to save disk space at the cost of more I/O when the fields -+# needed. -+#mail_never_cache_fields = -+ -+# Workarounds for various client bugs: -+# oe6-fetch-no-newmail: -+# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express -+# seems to think they are FETCH replies and gives user "Message no longer -+# in server" error. Note that OE6 still breaks even with this workaround -+# if synchronization is set to "Headers Only". -+# outlook-idle: -+# Outlook and Outlook Express never abort IDLE command, so if no mail -+# arrives in half a hour, Dovecot closes the connection. This is still -+# fine, except Outlook doesn't connect back so you don't see if new mail -+# arrives. -+# outlook-pop3-no-nuls: -+# Outlook and Outlook Express hang if mails contain NUL characters. -+# This setting replaces them with 0x80 character. -+#client_workarounds = -+ -+# Dovecot can notify client of new mail in selected mailbox soon after it's -+# received. This setting specifies the minimum interval in seconds between -+# new mail notifications to client - internally they may be checked more or -+# less often. Setting this to 0 disables the checking. -+# NOTE: Evolution client breaks with this option when it's trying to APPEND. -+#mailbox_check_interval = 0 -+ -+# Like mailbox_check_interval, but used for IDLE command. -+#mailbox_idle_check_interval = 30 -+ -+# Allow full filesystem access to clients. There's no access checks other than -+# what the operating system does for the active UID/GID. It works with both -+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ -+# or ~user/. -+#mail_full_filesystem_access = no -+ -+# Maximum allowed length for custom flag name. It's only forced when trying -+# to create new flags. -+#mail_max_flag_length = 50 -+ -+# Save mails with CR+LF instead of plain LF. This makes sending those mails -+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. -+# But it also creates a bit more disk I/O which may just make it slower. -+#mail_save_crlf = no -+ -+# Use mmap() instead of read() to read mail files. read() seems to be a bit -+# faster with my Linux/x86 and it's better with NFS, so that's the default. -+#mail_read_mmaped = no -+ -+# By default LIST command returns all entries in maildir beginning with dot. -+# Enabling this option makes Dovecot return only entries which are directories. -+# This is done by stat()ing each entry, so it causes more disk I/O. -+# (For systems setting struct dirent->d_type, this check is free and it's -+# done always regardless of this setting) -+#maildir_stat_dirs = no -+ -+# Copy mail to another folders using hard links. This is much faster than -+# actually copying the file. This is problematic only if something modifies -+# the mail in one folder but doesn't want it modified in the others. I don't -+# know any MUA which would modify mail files directly. IMAP protocol also -+# requires that the mails don't change, so it would be problematic in any case. -+# If you care about performance, enable it. -+#maildir_copy_with_hardlinks = no -+ -+# Check if mails' content has been changed by external programs. This slows -+# down things as extra stat() needs to be called for each file. If changes are -+# noticed, the message is treated as a new message, since IMAP protocol -+# specifies that existing messages are immutable. -+#maildir_check_content_changes = no -+ -+# Which locking methods to use for locking mbox. There's three available: -+# dotlock: Create .lock file. This is the oldest and most NFS-safe -+# solution. If you want to use /var/mail/ like directory, the users -+# will need write access to that directory. -+# fcntl : Use this if possible. Works with NFS too if lockd is used. -+# flock : May not exist in all systems. Doesn't work with NFS. -+# -+# You can use both fcntl and flock too; if you do the order they're declared -+# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl -+# and flock. Some operating systems don't allow using both of them -+# simultaneously, eg. BSDs. If dotlock is used, it's always created first. -+#mbox_locks = dotlock fcntl -+ -+# Should we create dotlock file even when we want only a read-lock? Setting -+# this to yes hurts the performance when the mailbox is accessed simultaneously -+# by multiple processes, but it's needed for reliable reading if no other -+# locking methods are available. -+#mbox_read_dotlock = no -+ -+# Maximum time in seconds to wait for lock (all of them) before aborting. -+#mbox_lock_timeout = 300 -+ -+# If dotlock exists but the mailbox isn't modified in any way, override the -+# lock file after this many seconds. -+#mbox_dotlock_change_timeout = 30 -+ -+# umask to use for mail files and directories -+#umask = 0077 -+ -+# Drop all privileges before exec()ing the mail process. This is mostly -+# meant for debugging, otherwise you don't get core dumps. Note that setting -+# this to yes means that log file is opened as the logged in user, which -+# might not work. It could also be a small security risk if you use single UID -+# for multiple users, as the users could ptrace() each others processes then. -+#mail_drop_priv_before_exec = no -+ -+## -+## IMAP process -+## -+ -+# Executable location -+#imap_executable = @libexecdir@/dovecot/imap -+ -+# Set max. process size in megabytes. Most of the memory goes to mmap()ing -+# files, so it shouldn't harm much even if this limit is set pretty high. -+#imap_process_size = 256 -+ -+# Support for dynamically loadable modules. -+#imap_use_modules = no -+#imap_modules = @moduledir@/imap -+ -+## -+## POP3 process -+## -+ -+# Executable location -+#pop3_executable = @libexecdir@/dovecot/pop3 -+ -+# Set max. process size in megabytes. Most of the memory goes to mmap()ing -+# files, so it shouldn't harm much even if this limit is set pretty high. -+#pop3_process_size = 256 -+ -+# Support for dynamically loadable modules. -+#pop3_use_modules = no -+#pop3_modules = @moduledir@/pop3 -+ -+## -+## Authentication processes -+## -+ -+# An Authentication process is a child process used by Dovecot that -+# handles the authentication steps. The steps cover an authentication -+# mechanism (auth_mechanisms, how the client authenticates in the IMAP or -+# POP3 protocol), which password database should be queried (auth_passdb), -+# and which user database should be queried (auth_userdb, to obtain -+# UID, GID, and location of the user's mailbox/home directory). -+# -+# You can have multiple processes, though a typical configuration will -+# have only one. Each time "auth = xx" is seen, a new process -+# definition is started. The point of multiple processes is to be able -+# to set stricter permissions. (See auth_user below.) -+# -+# Just remember that only one Authentication process is asked for the -+# password, so you can't have different passwords accessible through -+# different process definitions (unless they have different -+# auth_mechanisms, and you're ok with having different password for -+# each mechanisms). -+ -+# Authentication process name. -+auth = default -+ -+# Specifies how the client authenticates in the IMAP protocol. -+# Space separated list of permitted authentication mechanisms: -+# anonymous plain digest-md5 cram-md5 -+# -+# anonymous - No authentication required. -+# plain - The password is sent as plain text. All IMAP/POP3 clients -+# support this, and the password can be encrypted by Dovecot to match -+# any of the encryption schemes used in password databases. -+# digest-md5 and cram-md5 - both encrypt the password so it is more -+# secure in transit, but are not well supported by clients, and -+# require that the password database use a matching encryption -+# scheme (or be in plaintext). -+# -+# See auth.txt for more details. -+# -+# If you are using SSL there is less benefit to digest-md5 and -+# cram-md5 as the communication is already encrypted. -+auth_mechanisms = plain -+ -+# Space separated list of realms for SASL authentication mechanisms that need -+# them. You can leave it empty if you don't want to support multiple realms. -+# Many clients simply use the first one listed here, so keep the default realm -+# first. -+#auth_realms = -+ -+# Default realm/domain to use if none was specified. This is used for both -+# SASL realms and appending @domain to username in plaintext logins. -+#auth_default_realm = -+ -+# Where user database is kept: -+# passwd: /etc/passwd or similiar, using getpwnam() -+# passwd-file : passwd-like file with specified location -+# static uid= gid= home=: static settings -+# vpopmail: vpopmail library -+# ldap : LDAP, see doc/dovecot-ldap.conf -+# pgsql : a PostgreSQL database, see doc/dovecot-pgsql.conf -+auth_userdb = passwd -+ -+# Where password database is kept: -+# passwd: /etc/passwd or similiar, using getpwnam() -+# shadow: /etc/shadow or similiar, using getspnam() -+# pam [ | *]: PAM authentication -+# passwd-file : passwd-like file with specified location -+# vpopmail: vpopmail authentication -+# ldap : LDAP, see doc/dovecot-ldap.conf -+# pgsql : a PostgreSQL database, see doc/dovecot-pgsql.conf -+auth_passdb = pgsql @sysconfdir@/dovecot-pgsql.conf -+ -+#auth_executable = @libexecdir@/dovecot/dovecot-auth -+ -+# Set max. process size in megabytes. -+#auth_process_size = 256 -+ -+# User to use for the process. This user needs access to only user and -+# password databases, nothing else. Only shadow and pam authentication -+# requires roots, so use something else if possible. Note that passwd -+# authentication with BSDs internally accesses shadow files, which also -+# requires roots. -+auth_user = root -+ -+# Directory where to chroot the process. Most authentication backends don't -+# work if this is set, and there's no point chrooting if auth_user is root. -+#auth_chroot = -+ -+# Number of authentication processes to create -+#auth_count = 1 -+ -+# List of allowed characters in username. If the user-given username contains -+# a character not listed in here, the login automatically fails. This is just -+# an extra check to make sure user can't exploit any potential quote escaping -+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters, -+# set this value to empty. -+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ -+ -+# Username to use for users logging in with ANONYMOUS SASL mechanism -+#auth_anonymous_username = anonymous -+ -+# More verbose logging. Useful for figuring out why authentication isn't -+# working. -+#auth_verbose = no -+ -+# Even more verbose logging for debugging purposes. Shows for example SQL -+# queries. -+#auth_debug = no -+ -+# digest-md5 authentication process. It requires special MD5 passwords which -+# /etc/shadow and PAM doesn't support, so we never need roots to handle it. -+# Note that the passwd-file is opened before chrooting and dropping root -+# privileges, so it may be 0600-root owned file. -+ -+#auth = digest_md5 -+#auth_mechanisms = digest-md5 -+#auth_realms = -+#auth_userdb = passwd-file /etc/passwd.imap -+#auth_passdb = passwd-file /etc/passwd.imap -+#auth_user = imapauth -+#auth_chroot = -+ -+# if you plan to use only passwd-file, you don't need the two auth processes, -+# simply set "auth_methods = plain digest-md5" ++EXTRA_DIST = \ ++ config.rpath \ ++ dovecot.spec \ ++ dovecot.spec.in \ ++ COPYING.LGPL \ + $(conf_DATA) diff --git a/dovecot-configfile.patch b/dovecot-configfile.patch new file mode 100644 index 0000000..4f22163 --- /dev/null +++ b/dovecot-configfile.patch @@ -0,0 +1,100 @@ +diff -u dovecot-0.99.11/dovecot-example.conf dovecot-0.99.11/dovecot.conf +--- dovecot-0.99.11/dovecot-example.conf 2004-08-28 08:26:10.000000000 -0400 ++++ dovecot-0.99.11/dovecot.conf 2004-12-21 17:18:01.000000000 -0500 +@@ -1,25 +1,19 @@ + ## Dovecot 1.0 configuration file + +-# Default values are shown after each value, it's not required to uncomment +-# any of the lines. Exception to this are paths, they're just examples +-# with real defaults being based on configure options. The paths listed here +-# are for configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var +-# --with-ssldir=/etc/ssl +- + # Base directory where to store runtime data. + #base_dir = /var/run/dovecot/ + + # Protocols we want to be serving: + # imap imaps pop3 pop3s +-#protocols = imap imaps ++protocols = imap imaps pop3 pop3s + + # IP or host address where to listen in for connections. It's not currently + # possible to specify multiple addresses. "*" listens in all IPv4 interfaces. + # "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4 + # interfaces depending on the operating system. You can specify ports with + # "host:port". +-#imap_listen = * +-#pop3_listen = * ++imap_listen = [::] ++pop3_listen = [::] + + # IP or host address where to listen in for SSL connections. Defaults + # to above non-SSL equilevants if not specified. +@@ -33,8 +27,8 @@ + # dropping root privileges, so keep the key file unreadable by anyone but + # root. Included doc/mkcert.sh can be used to easily generate self-signed + # certificate, just make sure to update the domains in dovecot-openssl.cnf +-#ssl_cert_file = /etc/ssl/certs/dovecot.pem +-#ssl_key_file = /etc/ssl/private/dovecot.pem ++ssl_cert_file = /usr/share/ssl/certs/dovecot.pem ++ssl_key_file = /usr/share/ssl/private/dovecot.pem + + # SSL parameter file. Master process generates this file for login processes. + # It contains Diffie Hellman and RSA parameters. +@@ -70,7 +64,7 @@ + # which login needs to be able to connect to. The sockets are created when + # running as root, so you don't have to worry about permissions. Note that + # everything in this directory is deleted when Dovecot is started. +-#login_dir = /var/run/dovecot/login ++login_dir = /var/run/dovecot-login + + # chroot login process to the login_dir. Only reason not to do this is if you + # wish to run the whole Dovecot without roots. +@@ -305,7 +299,7 @@ + # with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl + # and flock. Some operating systems don't allow using both of them + # simultaneously, eg. BSDs. If dotlock is used, it's always created first. +-#mbox_locks = dotlock fcntl ++#mbox_locks = fcntl + + # Should we create dotlock file even when we want only a read-lock? Setting + # this to yes hurts the performance when the mailbox is accessed simultaneously +@@ -431,8 +425,8 @@ + # vpopmail: vpopmail authentication + # ldap : LDAP, see doc/dovecot-ldap.conf + # pgsql : a PostgreSQL database, see doc/dovecot-pgsql.conf +-auth_passdb = pgsql /usr/local/etc/dovecot-pgsql.conf ++#auth_passdb = pgsql /usr/local/etc/dovecot-pgsql.conf + + #auth_executable = /usr/libexec/dovecot/dovecot-auth + + +diff -u -r dovecot-0.99.11.orig/doc/mkcert.sh dovecot-0.99.11/doc/mkcert.sh +--- dovecot-0.99.11.orig/doc/mkcert.sh 2004-07-22 20:04:37.000000000 -0400 ++++ dovecot-0.99.11/doc/mkcert.sh 2004-12-22 16:33:20.000000000 -0500 +@@ -4,11 +4,12 @@ + # Edit dovecot-openssl.cnf before running this. + + OPENSSL=${OPENSSL-openssl} +-SSLDIR=${SSLDIR-/etc/ssl} +-OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} ++SSLDIR=${SSLDIR-/usr/share/ssl} ++OPENSSLCONFIG=${OPENSSLCONFIG-$SSLDIR/dovecot-openssl.cnf} ++CERTNAME=${CERTNAME-dovecot} + +-CERTFILE=$SSLDIR/certs/imapd.pem +-KEYFILE=$SSLDIR/private/imapd.pem ++CERTFILE=$SSLDIR/certs/$CERTNAME.pem ++KEYFILE=$SSLDIR/private/$CERTNAME.pem + + if [ ! -d $SSLDIR/certs ]; then + echo "$SSLDIR/certs directory doesn't exist" +@@ -29,6 +30,7 @@ + fi + + $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 +-chmod 0600 $KEYFILE ++chown root:root $CERTFILE $KEYFILE ++chmod 0600 $CERTFILE $KEYFILE + echo + $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 diff --git a/dovecot.spec b/dovecot.spec index d0d6575..50e096c 100644 --- a/dovecot.spec +++ b/dovecot.spec @@ -1,7 +1,7 @@ Summary: Dovecot Secure imap server Name: dovecot Version: 0.99.11 -Release: 6.devel +Release: 7.devel License: LGPL Group: System Environment/Daemons Source: %{name}-%{version}.tar.gz @@ -12,6 +12,7 @@ Source4: migrate-folders Source5: migrate-users Source6: perfect_maildir.pl Patch100: dovecot-conf.patch +Patch101: dovecot-configfile.patch # Patches 500+ from upstream fixes URL: http://dovecot.procontrol.fi/ @@ -23,11 +24,12 @@ BuildRequires: openldap-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel -BuildRequires: gettext-devel Prereq: openssl, /sbin/chkconfig, /usr/sbin/useradd %define docdir %{_docdir}/%{name}-%{version} %define ssldir /usr/share/ssl +%define dovecot-uid 97 +%define dovecot-gid 97 %description Dovecot is an IMAP server for Linux/UNIX-like systems, written with security @@ -39,28 +41,27 @@ in either of maildir or mbox formats. %setup -q -n %{name}-%{version} %patch100 -p1 -b .config +cp $RPM_BUILD_DIR/${RPM_PACKAGE_NAME}-${RPM_PACKAGE_VERSION}/dovecot-example.conf $RPM_BUILD_DIR/${RPM_PACKAGE_NAME}-${RPM_PACKAGE_VERSION}/dovecot.conf +%patch101 -p1 -b .configfile %build rm -f ./configure aclocal -automake -a -f -autoconf -f -%configure \ - --with-docdir=%{docdir} \ - --with-logindir=/var/run/dovecot-login \ - --with-mbox-locks=fcntl \ - --with-pgsql \ - --with-mysql \ - --with-ssl=openssl \ - --with-ssldir=%{ssldir} \ +automake -a +autoconf +%configure \ + --with-docdir=%{docdir} \ + --with-pgsql \ + --with-mysql \ + --with-ssl=openssl \ + --with-ssldir=%{ssldir} \ --with-ldap make %install rm -rf $RPM_BUILD_ROOT -make DESTDIR=$RPM_BUILD_ROOT install - +make install DESTDIR=$RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT/%{_datadir}/%{name} mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rc.d/init.d install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rc.d/init.d/dovecot @@ -77,33 +78,40 @@ mkdir -p $RPM_BUILD_ROOT/var/run/dovecot chmod 700 $RPM_BUILD_ROOT/var/run/dovecot mkdir -p $RPM_BUILD_ROOT/var/run/dovecot-login +# Install some of our own documentation install -m755 -d $RPM_BUILD_ROOT%{docdir}/UW-to-Dovecot-Migration -for f in maildir-migration.txt migrate-folders migrate-users perfect_maildir.pl +for f in maildir-migration.txt do install -m644 $RPM_SOURCE_DIR/$f $RPM_BUILD_ROOT%{docdir}/UW-to-Dovecot-Migration done +for f in migrate-folders migrate-users perfect_maildir.pl +do + install -m755 $RPM_SOURCE_DIR/$f $RPM_BUILD_ROOT%{docdir}/UW-to-Dovecot-Migration +done + %pre -/usr/sbin/useradd -c "dovecot" -u 97 -s /sbin/nologin -r -d /usr/libexec/dovecot dovecot 2>/dev/null || : +/usr/sbin/useradd -c "dovecot" -u %{dovecot-uid} -s /sbin/nologin -r -d /usr/libexec/dovecot dovecot 2>/dev/null || : %post /sbin/chkconfig --add dovecot # create a ssl cert if [ ! -f %{ssldir}/certs/dovecot.pem ]; then -pushd %{ssldir} &>/dev/null -umask 077 -cat << EOF | openssl req -new -x509 -days 365 -nodes -out certs/dovecot.pem -keyout private/dovecot.pem &>/dev/null --- -SomeState -SomeCity -SomeOrganization -SomeOrganizationalUnit -localhost.localdomain -root@localhost.localdomain -EOF -chown root:root private/dovecot.pem certs/dovecot.pem -chmod 600 private/dovecot.pem certs/dovecot.pem -popd &>/dev/null +%{docdir}/examples/mkcert.sh &> /dev/null +#pushd %{ssldir} &>/dev/null +#umask 077 +#cat << EOF | openssl req -new -x509 -days 365 -nodes -out certs/dovecot.pem -keyout private/dovecot.pem &>/dev/null +#-- +#SomeState +#SomeCity +#SomeOrganization +#SomeOrganizationalUnit +#localhost.localdomain +#root@localhost.localdomain +#EOF +#chown root:root private/dovecot.pem certs/dovecot.pem +#chmod 600 private/dovecot.pem certs/dovecot.pem +#popd &>/dev/null fi exit 0 @@ -125,6 +133,7 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) %{_sysconfdir}/dovecot.conf %config %{_sysconfdir}/rc.d/init.d/dovecot %config %{_sysconfdir}/pam.d/dovecot +%config(noreplace) %{ssldir}/dovecot-openssl.cnf %attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{ssldir}/certs/dovecot.pem %attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{ssldir}/private/dovecot.pem %dir %{_libexecdir}/%{name} @@ -132,9 +141,14 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/dovecot %dir /var/run/dovecot %attr(0750,root,dovecot) %dir /var/run/dovecot-login +%attr(0750,root,dovecot) %{docdir}/examples/mkcert.sh %changelog +* Thu Dec 23 2004 John Dennis 0.99.11-7.devel +- add UW to Dovecot migration documentation and scripts, bug #139954 + fix SSL documentation and scripts, add missing documentation, bug #139276 + * Thu Nov 15 2004 Warren Togami 0.99.11-2.FC4.1 - rebuild against MySQL4