Compare commits

..

No commits in common. "c9" and "c8" have entirely different histories.
c9 ... c8

10 changed files with 601 additions and 427 deletions

View File

@ -1,7 +1,7 @@
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf
--- dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 --- dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf 2021-10-27 11:13:45.666956339 +0200 +++ dovecot-2.3.0.1/doc/example-config/conf.d/10-mail.conf 2018-03-01 10:29:38.208368555 +0100
@@ -175,7 +175,7 @@ namespace inbox { @@ -165,7 +165,7 @@ namespace inbox {
# to make sure that users can't log in as daemons or other system users. # to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't # Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0. # be done even if first_valid_uid is set to 0.
@ -18,9 +18,9 @@ diff -up dovecot-2.3.16/doc/example-config/conf.d/10-mail.conf.default-settings
# Maximum time to wait for lock (all of them) before aborting. # Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins #mbox_lock_timeout = 5 mins
diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf diff -up dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf
--- dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings 2021-08-06 11:25:51.000000000 +0200 --- dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf.default-settings 2018-02-28 15:28:57.000000000 +0100
+++ dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf 2021-10-27 11:13:02.834533975 +0200 +++ dovecot-2.3.0.1/doc/example-config/conf.d/10-ssl.conf 2018-03-01 10:33:54.779499044 +0100
@@ -3,7 +3,9 @@ @@ -3,7 +3,9 @@
## ##
@ -32,7 +32,7 @@ diff -up dovecot-2.3.16/doc/example-config/conf.d/10-ssl.conf.default-settings d
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but # dropping root privileges, so keep the key file unreadable by anyone but
@@ -64,6 +66,7 @@ ssl_key = </etc/ssl/private/dovecot.pem @@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use: # To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

View File

@ -0,0 +1,13 @@
diff -up dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c
--- dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c.aclfix 2018-09-18 15:00:08.778823903 +0200
+++ dovecot-2.2.36/src/plugins/acl/acl-backend-vfile.c 2018-09-18 15:00:08.814823737 +0200
@@ -161,8 +161,7 @@ acl_backend_vfile_object_init(struct acl
T_BEGIN {
if (*name == '\0' ||
mailbox_list_is_valid_name(_backend->list, name, &error)) {
- vname = *name == '\0' ? "" :
- mailbox_list_get_vname(_backend->list, name);
+ vname = mailbox_list_get_vname(_backend->list, name);
dir = acl_backend_vfile_get_local_dir(_backend, name, vname);
aclobj->local_path = dir == NULL ? NULL :

View File

@ -1,34 +0,0 @@
diff -up dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c
--- dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c.opensslv3 2021-06-03 18:56:52.573174433 +0200
+++ dovecot-2.3.14/src/lib-dcrypt/dcrypt-openssl.c 2021-06-03 18:56:52.585174274 +0200
@@ -73,10 +73,30 @@
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ EC_KEY_free(eck);
+ return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_set1_EC_KEY(key, eck);
+ return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
#ifndef HAVE_EVP_PKEY_get0
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#endif
+#endif
#ifndef HAVE_OBJ_LENGTH
#define OBJ_length(o) ((o)->length)

View File

@ -1,24 +0,0 @@
diff -up dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.15/src/lib-sieve/storage/dict/sieve-dict-script.c
--- dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c.fixvalcond 2021-06-21 23:07:55.269814896 +0200
+++ dovecot-2.3.15/dovecot-2.3-pigeonhole-0.5.16/src/lib-sieve/storage/dict/sieve-dict-script.c 2021-06-21 23:07:55.298814544 +0200
@@ -109,7 +109,7 @@ static int sieve_dict_script_get_stream
{
struct sieve_dict_script *dscript =
(struct sieve_dict_script *)script;
- const char *path, *name = script->name, *data, *error;
+ const char *path, *name = script->name, *data, *error = NULL;
int ret;
dscript->data_pool =
diff -up dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond dovecot-2.3.15/src/lib-storage/index/index-attribute.c
--- dovecot-2.3.15/src/lib-storage/index/index-attribute.c.fixvalcond 2021-06-14 15:40:37.000000000 +0200
+++ dovecot-2.3.15/src/lib-storage/index/index-attribute.c 2021-06-21 21:52:22.963171229 +0200
@@ -249,7 +249,7 @@ int index_storage_attribute_get(struct m
struct mail_attribute_value *value_r)
{
struct dict *dict;
- const char *mailbox_prefix, *error;
+ const char *mailbox_prefix, *error = NULL;
int ret;
i_zero(value_r);

View File

@ -1,20 +0,0 @@
diff -up dovecot-2.3.15/run-test-valgrind.supp.valbasherr dovecot-2.3.15/run-test-valgrind.supp
--- dovecot-2.3.15/run-test-valgrind.supp.valbasherr 2021-06-21 22:52:53.272707239 +0200
+++ dovecot-2.3.15/run-test-valgrind.supp 2021-06-21 22:54:19.786668430 +0200
@@ -1,4 +1,16 @@
{
+ <bashagin>
+ Memcheck:Leak
+ match-leak-kinds: definite
+ fun:malloc
+ fun:make_if_command
+ fun:yyparse
+ fun:parse_command
+ fun:read_command
+ fun:reader_loop
+ fun:main
+}
+{
<bash>
Memcheck:Leak
fun:malloc

View File

@ -0,0 +1,353 @@
diff -up dovecot-2.3.16/configure.ac.keeplzma dovecot-2.3.16/configure.ac
--- dovecot-2.3.16/configure.ac.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/configure.ac 2022-02-28 13:58:02.337149927 +0100
@@ -173,7 +173,7 @@ AS_HELP_STRING([--with-bzlib], [Build wi
want_bzlib=auto)
AC_ARG_WITH(lzma,
-AS_HELP_STRING([--with-lzma], [Build with LZMA decompression support (auto)]),
+AS_HELP_STRING([--with-lzma], [Build with LZMA compression support (auto)]),
TEST_WITH(lzma, $withval),
want_lzma=auto)
diff -up dovecot-2.3.16/run-test-valgrind.supp.keeplzma dovecot-2.3.16/run-test-valgrind.supp
--- dovecot-2.3.16/run-test-valgrind.supp.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/run-test-valgrind.supp 2022-02-28 13:58:02.337149927 +0100
@@ -5,6 +5,17 @@
obj:*/bash
}
{
+ <liblzma>
+ Memcheck:Cond
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ obj:/lib/x86_64-linux-gnu/liblzma.so.5.*
+ fun:lzma_stream_encoder
+ fun:lzma_easy_encoder
+}
+{
<openssl_centos6_i386_v1_0_1_compression_methods>
Memcheck:Leak
fun:malloc
diff -up dovecot-2.3.16/src/lib-compression/compression.c.keeplzma dovecot-2.3.16/src/lib-compression/compression.c
--- dovecot-2.3.16/src/lib-compression/compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/compression.c 2022-02-28 14:22:32.467944396 +0100
@@ -25,6 +25,7 @@
#endif
#ifndef HAVE_LZMA
# define i_stream_create_lzma NULL
+# define o_stream_create_lzma NULL
#endif
#ifndef HAVE_LZ4
# define i_stream_create_lz4 NULL
@@ -216,7 +217,7 @@ const struct compression_handler compres
.ext = ".xz",
.is_compressed = is_compressed_xz,
.create_istream = i_stream_create_lzma,
- .create_ostream = NULL,
+ .create_ostream = o_stream_create_lzma,
.get_min_level = compression_get_min_level_unsupported,
.get_default_level = compression_get_default_level_unsupported,
.get_max_level = compression_get_max_level_unsupported,
diff -up dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma dovecot-2.3.16/src/lib-compression/Makefile.am
--- dovecot-2.3.16/src/lib-compression/Makefile.am.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/Makefile.am 2022-02-28 13:58:02.337149927 +0100
@@ -13,6 +13,7 @@ libcompression_la_SOURCES = \
istream-zlib.c \
istream-bzlib.c \
istream-zstd.c \
+ ostream-lzma.c \
ostream-lz4.c \
ostream-zlib.c \
ostream-bzlib.c \
diff -up dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma dovecot-2.3.16/src/lib-compression/ostream-lzma.c
--- dovecot-2.3.16/src/lib-compression/ostream-lzma.c.keeplzma 2022-02-28 13:58:02.338149934 +0100
+++ dovecot-2.3.16/src/lib-compression/ostream-lzma.c 2022-02-28 13:58:02.338149934 +0100
@@ -0,0 +1,263 @@
+/* Copyright (c) 2010-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+
+#ifdef HAVE_LZMA
+
+#include "ostream-private.h"
+#include "ostream-zlib.h"
+#include <lzma.h>
+
+#define CHUNK_SIZE (1024*64)
+
+struct lzma_ostream {
+ struct ostream_private ostream;
+ lzma_stream strm;
+
+ unsigned char outbuf[CHUNK_SIZE];
+ unsigned int outbuf_offset, outbuf_used;
+
+ bool flushed:1;
+};
+
+static void o_stream_lzma_close(struct iostream_private *stream,
+ bool close_parent)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ i_assert(zstream->ostream.finished ||
+ zstream->ostream.ostream.stream_errno != 0 ||
+ zstream->ostream.error_handling_disabled);
+ lzma_end(&zstream->strm);
+ if (close_parent)
+ o_stream_close(zstream->ostream.parent);
+}
+
+static int o_stream_zlib_send_outbuf(struct lzma_ostream *zstream)
+{
+ ssize_t ret;
+ size_t size;
+
+ if (zstream->outbuf_used == 0)
+ return 1;
+
+ size = zstream->outbuf_used - zstream->outbuf_offset;
+ i_assert(size > 0);
+ ret = o_stream_send(zstream->ostream.parent,
+ zstream->outbuf + zstream->outbuf_offset, size);
+ if (ret < 0) {
+ o_stream_copy_error_from_parent(&zstream->ostream);
+ return -1;
+ }
+ if ((size_t)ret != size) {
+ zstream->outbuf_offset += ret;
+ return 0;
+ }
+ zstream->outbuf_offset = 0;
+ zstream->outbuf_used = 0;
+ return 1;
+}
+
+static ssize_t
+o_stream_lzma_send_chunk(struct lzma_ostream *zstream,
+ const void *data, size_t size)
+{
+ lzma_stream *zs = &zstream->strm;
+ int ret;
+
+ i_assert(zstream->outbuf_used == 0);
+
+ zs->next_in = (void *)data;
+ zs->avail_in = size;
+ while (zs->avail_in > 0) {
+ if (zs->avail_out == 0) {
+ /* previous block was compressed. send it and start
+ compression for a new block. */
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = sizeof(zstream->outbuf);
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) < 0)
+ return -1;
+ if (ret == 0) {
+ /* parent stream's buffer full */
+ break;
+ }
+ }
+
+ ret = lzma_code(zs, LZMA_RUN);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ }
+ size -= zs->avail_in;
+
+ return size;
+}
+
+static int o_stream_lzma_send_flush(struct lzma_ostream *zstream, bool final)
+{
+ lzma_stream *zs = &zstream->strm;
+ size_t len;
+ bool done = FALSE;
+ int ret;
+
+ i_assert(zs->avail_in == 0);
+
+ if (zstream->flushed) {
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+ }
+
+ if ((ret = o_stream_flush_parent_if_needed(&zstream->ostream)) <= 0)
+ return ret;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+
+ if (!final)
+ return 1;
+
+ i_assert(zstream->outbuf_used == 0);
+ do {
+ len = sizeof(zstream->outbuf) - zs->avail_out;
+ if (len != 0) {
+ zs->next_out = zstream->outbuf;
+ zs->avail_out = sizeof(zstream->outbuf);
+
+ zstream->outbuf_used = len;
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0)
+ return ret;
+ if (done)
+ break;
+ }
+ ret = lzma_code(zs, LZMA_FINISH);
+ switch (ret) {
+ case LZMA_OK:
+ /* still unfinished - need to call lzma_code() again */
+ break;
+ case LZMA_STREAM_END:
+ /* output is fully finished */
+ done = TRUE;
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM,
+ "lzma.write(%s): Out of memory",
+ o_stream_get_name(&zstream->ostream.ostream));
+ default:
+ i_panic("lzma.write(%s) flush failed with unexpected code %d",
+ o_stream_get_name(&zstream->ostream.ostream), ret);
+ }
+ } while (zs->avail_out != sizeof(zstream->outbuf));
+
+ if (final)
+ zstream->flushed = TRUE;
+ i_assert(zstream->outbuf_used == 0);
+ return 1;
+}
+
+static int o_stream_lzma_flush(struct ostream_private *stream)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ int ret;
+
+ if ((ret = o_stream_lzma_send_flush(zstream, stream->finished)) < 0)
+ return -1;
+ else if (ret > 0)
+ return o_stream_flush_parent(stream);
+ return ret;
+}
+
+static size_t
+o_stream_lzma_get_buffer_used_size(const struct ostream_private *stream)
+{
+ const struct lzma_ostream *zstream =
+ (const struct lzma_ostream *)stream;
+
+ /* outbuf has already compressed data that we're trying to send to the
+ parent stream. We're not including lzma's internal compression
+ buffer size. */
+ return (zstream->outbuf_used - zstream->outbuf_offset) +
+ o_stream_get_buffer_used_size(stream->parent);
+}
+
+static size_t
+o_stream_lzma_get_buffer_avail_size(const struct ostream_private *stream)
+{
+ /* FIXME: not correct - this is counting compressed size, which may be
+ too larger than uncompressed size in some situations. Fixing would
+ require some kind of additional buffering. */
+ return o_stream_get_buffer_avail_size(stream->parent);
+}
+
+static ssize_t
+o_stream_lzma_sendv(struct ostream_private *stream,
+ const struct const_iovec *iov, unsigned int iov_count)
+{
+ struct lzma_ostream *zstream = (struct lzma_ostream *)stream;
+ ssize_t ret, bytes = 0;
+ unsigned int i;
+
+ if ((ret = o_stream_zlib_send_outbuf(zstream)) <= 0) {
+ /* error / we still couldn't flush existing data to
+ parent stream. */
+ return ret;
+ }
+
+ for (i = 0; i < iov_count; i++) {
+ ret = o_stream_lzma_send_chunk(zstream, iov[i].iov_base,
+ iov[i].iov_len);
+ if (ret < 0)
+ return -1;
+ bytes += ret;
+ if ((size_t)ret != iov[i].iov_len)
+ break;
+ }
+ stream->ostream.offset += bytes;
+
+ /* avail_in!=0 check is used to detect errors. if it's non-zero here
+ it simply means we didn't send all the data */
+ zstream->strm.avail_in = 0;
+ return bytes;
+}
+
+struct ostream *o_stream_create_lzma(struct ostream *output, int level)
+{
+ struct lzma_ostream *zstream;
+ lzma_ret ret;
+
+ i_assert(level >= 1 && level <= 9);
+
+ zstream = i_new(struct lzma_ostream, 1);
+ zstream->ostream.sendv = o_stream_lzma_sendv;
+ zstream->ostream.flush = o_stream_lzma_flush;
+ zstream->ostream.get_buffer_used_size =
+ o_stream_lzma_get_buffer_used_size;
+ zstream->ostream.get_buffer_avail_size =
+ o_stream_lzma_get_buffer_avail_size;
+ zstream->ostream.iostream.close = o_stream_lzma_close;
+
+ ret = lzma_easy_encoder(&zstream->strm, level, LZMA_CHECK_CRC64);
+ switch (ret) {
+ case LZMA_OK:
+ break;
+ case LZMA_MEM_ERROR:
+ i_fatal_status(FATAL_OUTOFMEM, "lzma: Out of memory");
+ case LZMA_OPTIONS_ERROR:
+ i_fatal("lzma: Invalid level");
+ default:
+ i_fatal("lzma_easy_encoder() failed with %d", ret);
+ }
+
+ zstream->strm.next_out = zstream->outbuf;
+ zstream->strm.avail_out = sizeof(zstream->outbuf);
+ return o_stream_create(&zstream->ostream, output,
+ o_stream_get_fd(output));
+}
+#endif
diff -up dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma dovecot-2.3.16/src/lib-compression/ostream-zlib.h
--- dovecot-2.3.16/src/lib-compression/ostream-zlib.h.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/ostream-zlib.h 2022-02-28 13:58:02.338149934 +0100
@@ -4,6 +4,7 @@
struct ostream *o_stream_create_gz(struct ostream *output, int level);
struct ostream *o_stream_create_deflate(struct ostream *output, int level);
struct ostream *o_stream_create_bz2(struct ostream *output, int level);
+struct ostream *o_stream_create_lzma(struct ostream *output, int level);
struct ostream *o_stream_create_lz4(struct ostream *output, int level);
struct ostream *o_stream_create_zstd(struct ostream *output, int level);
diff -up dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma dovecot-2.3.16/src/lib-compression/test-compression.c
--- dovecot-2.3.16/src/lib-compression/test-compression.c.keeplzma 2021-08-06 11:25:51.000000000 +0200
+++ dovecot-2.3.16/src/lib-compression/test-compression.c 2022-02-28 13:58:02.338149934 +0100
@@ -730,7 +730,6 @@ static void test_compression_int(bool au
for (i = 0; compression_handlers[i].name != NULL; i++) {
if (compression_handlers[i].create_istream != NULL &&
- compression_handlers[i].create_ostream != NULL &&
(!autodetect ||
compression_handlers[i].is_compressed != NULL)) T_BEGIN {
if (compression_handlers[i].is_compressed != NULL &&

0
SOURCES/dovecot.init Normal file → Executable file
View File

View File

@ -1,9 +0,0 @@
#Type Name ID GECOS Home directory Shell
g dovecot 97
u dovecot 97 "Dovecot IMAP server" /usr/libexec/dovecot /sbin/nologin
m dovecot dovecot
g dovenull -
u dovenull - "Dovecot - unauthorized user" /usr/libexec/dovecot /sbin/nologin
m dovenull dovenull

View File

@ -1,28 +1,26 @@
%global __provides_exclude_from %{_docdir} %global __provides_exclude_from %{_docdir}
%global __requires_exclude_from %{_docdir} %global __requires_exclude_from %{_docdir}
Summary: Secure imap and pop3 server Summary: Secure imap and pop3 server
Name: dovecot Name: dovecot
Epoch: 1 Epoch: 1
Version: 2.3.16 Version: 2.3.16
%global prever %{nil} %global prever %{nil}
Release: 11%{?dist}.1 Release: 6%{?dist}
#dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
License: MIT and LGPLv2 License: MIT and LGPLv2
Group: System Environment/Daemons
URL: https://www.dovecot.org/ URL: http://www.dovecot.org/
Source: https://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
Source1: dovecot.init Source1: dovecot.init
Source2: dovecot.pam Source2: dovecot.pam
%global pigeonholever 0.5.16 %global pigeonholever 0.5.16
Source8: https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-%{pigeonholever}.tar.gz
Source9: dovecot.sysconfig Source9: dovecot.sysconfig
Source10: dovecot.tmpfilesd Source10: dovecot.tmpfilesd
#our own #our own
Source14: dovecot.conf.5 Source14: dovecot.conf.5
Source15: prestartscript
Source16: dovecot.sysusers
# 3x Fedora/RHEL specific # 3x Fedora/RHEL specific
Patch1: dovecot-2.0-defaultconfig.patch Patch1: dovecot-2.0-defaultconfig.patch
@ -34,65 +32,60 @@ Patch6: dovecot-2.1.10-waitonline.patch
Patch8: dovecot-2.2.20-initbysystemd.patch Patch8: dovecot-2.2.20-initbysystemd.patch
Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch Patch9: dovecot-2.2.22-systemd_w_protectsystem.patch
Patch15: dovecot-2.3.11-bigkey.patch
# sent upstream, rhbz#1630380
Patch11: dovecot-2.2.36-aclfix.patch
Patch13: dovecot-2.2.36-bigkey.patch
# do not use own implementation of HMAC, use OpenSSL for certification purposes # do not use own implementation of HMAC, use OpenSSL for certification purposes
# not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces # not sent upstream as proper fix would use dovecot's lib-dcrypt but it introduces
# hard to break circular dependency between lib and lib-dcrypt # hard to break circular dependency between lib and lib-dcrypt
Patch16: dovecot-2.3.6-opensslhmac.patch Patch14: dovecot-2.3.6-opensslhmac.patch
Patch17: dovecot-2.3.14-opensslv3.patch # from upstream, for dovecot < 2.3.17, s390x FTBFS fix
Patch15: dovecot-2.3.16-ftbfsbigend.patch
# FTBFS Patch16: dovecot-2.3.16-keeplzma.patch
Patch18: dovecot-2.3.15-fixvalcond.patch
Patch19: dovecot-2.3.15-valbasherr.patch
Patch20: dovecot-2.3.16-ftbfsbigend.patch
# from upstream, for <= 2.3.19.1, rhbz#2106232 # from upstream, for <= 2.3.19.1, rhbz#2106232
Patch21: dovecot-2.3.19.1-7bad6a24.patch Patch17: dovecot-2.3.19.1-7bad6a24.patch
# from upstream, for < 2.3.19.1, rhbz#2128857 # from upstream, for < 2.3.19.1, rhbz#2128857
Patch22: dovecot-2.3.18-bdf447e4.patch Patch18: dovecot-2.3.18-9f300239..4596d399.patch
Patch23: dovecot-2.3.18-9f300239..4596d399.patch Patch19: dovecot-2.3.18-bdf447e4.patch
# from upstream, for < 2.3.21, RHEL-25434 # from upstream, for < 2.3.21, RHEL-22854
Patch24: dovecot-2.3.16-d7705bc6.patch Patch20: dovecot-2.3.16-d7705bc6.patch
# from upstream for < 2.3.21.1, RHEL-55206
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch21: dovecot-2.3.21.1-CVE-2024-23184.patch
# from upstream for < 2.3.21.1, RHEL-55219
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch22: dovecot-2.3.21.1-CVE-2024-23185.patch
# fix test failing due to too long path with all the mock path prefixes # fix test failing due to too long path with all the mock path prefixes
Patch27: dovecot-2.3.21-test-socket-path.patch Patch23: dovecot-2.3.21-test-socket-path.patch
# from upstream for < 2.3.21.1, RHEL-55211 Source15: prestartscript
# https://github.com/dovecot/core/compare/8e4c42d%5E...1481c04.patch
Patch28: dovecot-2.3.21.1-CVE-2024-23184.patch
# from upstream for < 2.3.21.1, RHEL-55225 BuildRequires: openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
# https://github.com/dovecot/core/compare/f020e13%5E...ce88c33.patch
Patch29: dovecot-2.3.21.1-CVE-2024-23185.patch
BuildRequires: gcc, gcc-c++, openssl-devel, pam-devel, zlib-devel, bzip2-devel, libcap-devel
BuildRequires: libtool, autoconf, automake, pkgconfig BuildRequires: libtool, autoconf, automake, pkgconfig
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: libpq-devel BuildRequires: postgresql-devel
#BuildRequires: libpq-devel
BuildRequires: mariadb-connector-c-devel BuildRequires: mariadb-connector-c-devel
BuildRequires: libxcrypt-devel #BuildRequires: libxcrypt-devel
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: quota-devel BuildRequires: quota-devel
BuildRequires: rpcgen
BuildRequires: xz-devel BuildRequires: xz-devel
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: libzstd-devel
%if %{?rhel}0 == 0
BuildRequires: libsodium-devel
%endif
BuildRequires: libicu-devel
BuildRequires: libexttextcat-devel
BuildRequires: libstemmer-devel
BuildRequires: multilib-rpm-config BuildRequires: multilib-rpm-config
BuildRequires: flex, bison #BuildRequires: libsodium-devel
BuildRequires: systemd-devel #BuildRequires: libexttextcat-devel
# for dovecot.sysusers #BuildRequires: libstemmer-devel
BuildRequires: systemd-rpm-macros
# gettext-devel is needed for running autoconf because of the # gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV # presence of AM_ICONV
@ -103,19 +96,33 @@ Requires: openssl >= 0.9.7f-4
# Package includes an initscript service file, needs to require initscripts package # Package includes an initscript service file, needs to require initscripts package
Requires(pre): shadow-utils Requires(pre): shadow-utils
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
Requires: systemd Requires: systemd
Requires(post): systemd-units Requires(post): systemd-units
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
%else
Requires: initscripts
Requires(post): chkconfig
Requires(preun): chkconfig initscripts
Requires(postun): initscripts
%endif
%if %{?fedora}0 > 150 || %{?rhel}0 >60
#clucene in fedora <=15 and rhel<=6 is too old
BuildRequires: clucene-core-devel BuildRequires: clucene-core-devel
%endif
%global ssldir %{_sysconfdir}/pki/%{name} %global ssldir %{_sysconfdir}/pki/%{name}
%if %{?fedora}00%{?rhel} < 6
%global _initddir %{_initrddir}
BuildRequires: curl-devel expat-devel
%else
BuildRequires: libcurl-devel expat-devel BuildRequires: libcurl-devel expat-devel
BuildRequires: make %endif
%global restart_flag /run/%{name}/%{name}-restart-after-rpm-install %global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install
%description %description
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
@ -127,6 +134,7 @@ The SQL drivers and authentication plug-ins are in their subpackages.
%package pigeonhole %package pigeonhole
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Sieve and managesieve plug-in for dovecot Summary: Sieve and managesieve plug-in for dovecot
Group: System Environment/Daemons
License: MIT and LGPLv2 License: MIT and LGPLv2
%description pigeonhole %description pigeonhole
@ -135,18 +143,21 @@ This package provides sieve and managesieve plug-in for dovecot LDA.
%package pgsql %package pgsql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Postgres SQL back end for dovecot Summary: Postgres SQL back end for dovecot
Group: System Environment/Daemons
%description pgsql %description pgsql
This package provides the Postgres SQL back end for dovecot-auth etc. This package provides the Postgres SQL back end for dovecot-auth etc.
%package mysql %package mysql
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: MySQL back end for dovecot Summary: MySQL back end for dovecot
Group: System Environment/Daemons
%description mysql %description mysql
This package provides the MySQL back end for dovecot-auth etc. This package provides the MySQL back end for dovecot-auth etc.
%package devel %package devel
Requires: %{name} = %{epoch}:%{version}-%{release} Requires: %{name} = %{epoch}:%{version}-%{release}
Summary: Development files for dovecot Summary: Development files for dovecot
Group: Development/Libraries
%description devel %description devel
This package provides the development files for dovecot. This package provides the development files for dovecot.
@ -158,26 +169,22 @@ This package provides the development files for dovecot.
%patch -P 6 -p1 -b .waitonline %patch -P 6 -p1 -b .waitonline
%patch -P 8 -p1 -b .initbysystemd %patch -P 8 -p1 -b .initbysystemd
%patch -P 9 -p1 -b .systemd_w_protectsystem %patch -P 9 -p1 -b .systemd_w_protectsystem
%patch -P 15 -p1 -b .bigkey %patch -P 11 -p1 -b .aclfix
%patch -P 16 -p1 -b .opensslhmac %patch -P 13 -p1 -b .bigkey
%patch -P 17 -p1 -b .opensslv3 %patch -P 14 -p1 -b .opensslhmac
%patch -P 18 -p1 -b .fixvalcond %patch -P 15 -p1 -b .ftbfsbigend
%patch -P 19 -p1 -b .valbasherr %patch -P 16 -p1 -b .keeplzma
%patch -P 20 -p1 -b .ftbfsbigend %patch -P 17 -p1 -b .7bad6a24
%patch -P 21 -p1 -b .7bad6a24 %patch -P 19 -p1 -b .bdf447e4
%patch -P 22 -p1 -b .bdf447e4 %patch -P 20 -p1 -b .d7705bc6
%patch -P 24 -p1 -b .d7705bc6 %patch -P 21 -p1 -b .CVE-2024-23184
%patch -P 27 -p1 -b .test-socket-path %patch -P 22 -p1 -b .CVE-2024-23185
%patch -P 28 -p1 -b .CVE-2024-23184 %patch -P 23 -p1 -b .test-socket-path
%patch -P 29 -p1 -b .CVE-2024-23185
cp run-test-valgrind.supp dovecot-2.3-pigeonhole-%{pigeonholever}/
# valgrind would fail with shell wrapper
echo "testsuite" >dovecot-2.3-pigeonhole-%{pigeonholever}/run-test-valgrind.exclude
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%patch -P 23 -p1 -b .9f300239..4596d399 %patch -P 18 -p1 -b .9f300239..4596d399
popd popd
sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
%build %build
@ -185,8 +192,11 @@ sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src
%global _hardened_build 1 %global _hardened_build 1
export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none" export CFLAGS="%{__global_cflags} -fno-strict-aliasing -fstack-reuse=none"
export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}" export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
# el6 autoconf too old to regen; use packaged files (#1082384)
%if %{?fedora}00%{?rhel} > 6
mkdir -p m4 mkdir -p m4
autoreconf -I . -fiv #required for aarch64 support autoreconf -I . -fiv #required for aarch64 support
%endif
%configure \ %configure \
INSTALL_DATA="install -c -p -m644" \ INSTALL_DATA="install -c -p -m644" \
--with-rundir=%{_rundir}/%{name} \ --with-rundir=%{_rundir}/%{name} \
@ -204,18 +214,17 @@ autoreconf -I . -fiv #required for aarch64 support
--with-mysql \ --with-mysql \
--with-sqlite \ --with-sqlite \
--with-zlib \ --with-zlib \
--with-zstd \
--with-libcap \ --with-libcap \
--with-icu \
--with-lucene \ --with-lucene \
--with-ssl=openssl \ --with-ssl=openssl \
--with-ssldir=%{ssldir} \ --with-ssldir=%{ssldir} \
--with-solr \ --with-solr \
--with-systemdsystemunitdir=%{_unitdir} \ --with-systemdsystemunitdir=%{_unitdir} \
--with-docs --with-docs
sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
%make_build make %{?_smp_mflags}
#pigeonhole #pigeonhole
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-2*3-pigeonhole-%{pigeonholever}
@ -230,13 +239,13 @@ pushd dovecot-2*3-pigeonhole-%{pigeonholever}
--with-dovecot=../ \ --with-dovecot=../ \
--without-unfinished-features --without-unfinished-features
%make_build make %{?_smp_mflags}
popd popd
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%make_install make install DESTDIR=$RPM_BUILD_ROOT
# move doc dir back to build dir so doc macro in files section can use it # move doc dir back to build dir so doc macro in files section can use it
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
@ -245,13 +254,17 @@ mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/
%multilib_fix_c_header --file %{_includedir}/dovecot/config.h %multilib_fix_c_header --file %{_includedir}/dovecot/config.h
pushd dovecot-2*3-pigeonhole-%{pigeonholever} pushd dovecot-2*3-pigeonhole-%{pigeonholever}
%make_install make install DESTDIR=$RPM_BUILD_ROOT
mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
popd popd
%if %{?fedora}00%{?rhel} < 6
sed -i 's|password-auth|system-auth|' %{SOURCE2}
%endif
install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
#install man pages #install man pages
@ -260,8 +273,6 @@ install -p -D -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_mandir}/man5/dovecot.conf.5
#install waitonline script #install waitonline script
install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript install -p -D -m 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/dovecot/prestartscript
install -p -D -m 0644 %{SOURCE16} $RPM_BUILD_ROOT%{_sysusersdir}/dovecot.sysusers
# generate ghost .pem files # generate ghost .pem files
mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs mkdir -p $RPM_BUILD_ROOT%{ssldir}/certs
mkdir -p $RPM_BUILD_ROOT%{ssldir}/private mkdir -p $RPM_BUILD_ROOT%{ssldir}/private
@ -270,9 +281,14 @@ chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
%else
install -p -D -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initddir}/dovecot
install -p -D -m 600 %{SOURCE9} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/dovecot
%endif
mkdir -p $RPM_BUILD_ROOT/run/dovecot/{login,empty,token-login} mkdir -p $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}
# Install dovecot configuration and dovecot-openssl.cnf # Install dovecot configuration and dovecot-openssl.cnf
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
@ -299,63 +315,78 @@ popd
%pre %pre
#dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid #dovecot uid and gid are reserved, see /usr/share/doc/setup-*/uidgid
%sysusers_create_compat %{SOURCE16} getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
getent passwd dovecot >/dev/null || \
useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] getent group dovenull >/dev/null || groupadd -r dovenull
then getent passwd dovenull >/dev/null || \
# during LEAPP upgrade, services are not running anyway useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
# do not let dovecot run during upgrade rhbz#134325 # do not let dovecot run during upgrade rhbz#134325
if [ "$1" = "2" ]; then if [ "$1" = "2" ]; then
rm -f %restart_flag rm -f %restart_flag
/bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||: %if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl stop %{name}.service >/dev/null 2>&1 /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
fi /bin/systemctl stop %{name}.service >/dev/null 2>&1
%else
/sbin/service %{name} status >/dev/null 2>&1 && touch %restart_flag ||:
/sbin/service %{name} stop >/dev/null 2>&1
%endif
fi fi
%post %post
if [ $1 -eq 1 ] if [ $1 -eq 1 ]
then then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%systemd_post dovecot.service %systemd_post dovecot.service
%else
/sbin/chkconfig --add %{name}
%endif
fi fi
install -d -m 0755 -g dovecot -d /run/dovecot install -d -m 0755 -g dovecot -d /var/run/dovecot
install -d -m 0755 -d /run/dovecot/empty install -d -m 0755 -d /var/run/dovecot/empty
install -d -m 0750 -g dovenull -d /run/dovecot/login install -d -m 0750 -g dovenull -d /var/run/dovecot/login
install -d -m 0750 -g dovenull -d /run/dovecot/token-login install -d -m 0750 -g dovenull -d /var/run/dovecot/token-login
[ -x /sbin/restorecon ] && /sbin/restorecon -R /run/dovecot ||: [ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot ||:
%preun %preun
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
/bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
/bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || : /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
rm -rf /run/dovecot %else
/sbin/service %{name} stop > /dev/null 2>&1
/sbin/chkconfig --del %{name}
%endif
rm -rf /var/run/dovecot
fi fi
%postun %postun
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] %if %{?fedora}0 > 140 || %{?rhel}0 > 60
then /bin/systemctl daemon-reload >/dev/null 2>&1 || :
# during LEAPP upgrade, services are not running anyway %endif
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge "1" -a -e %restart_flag ]; then if [ "$1" -ge "1" -a -e %restart_flag ]; then
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : %if %{?fedora}0 > 140 || %{?rhel}0 > 60
rm -f %restart_flag /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
fi %else
/sbin/service %{name} start >/dev/null 2>&1 || :
%endif
rm -f %restart_flag
fi fi
%posttrans %posttrans
# dovecot should be started again in %%postun, but it's not executed on reinstall
if [ -z "$LEAPP_IPU_IN_PROGRESS" ] # if it was already started, restart_flag won't be here, so it's ok to test it again
then if [ -e %restart_flag ]; then
# during LEAPP upgrade, services are not running anyway %if %{?fedora}0 > 140 || %{?rhel}0 > 60
# dovecot should be started again in %%postun, but it's not executed on reinstall
# if it was already started, restart_flag won't be here, so it's ok to test it again
if [ -e %restart_flag ]; then
/bin/systemctl start dovecot.service >/dev/null 2>&1 || : /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
rm -f %restart_flag %else
fi /sbin/service %{name} start >/dev/null 2>&1 || :
%endif
rm -f %restart_flag
fi fi
%check %check
@ -373,11 +404,15 @@ make check
%{_bindir}/dovecot-sysreport %{_bindir}/dovecot-sysreport
%if %{?fedora}0 > 140 || %{?rhel}0 > 60
%_tmpfilesdir/dovecot.conf %_tmpfilesdir/dovecot.conf
%{_sysusersdir}/dovecot.sysusers
%{_unitdir}/dovecot.service %{_unitdir}/dovecot.service
%{_unitdir}/dovecot-init.service %{_unitdir}/dovecot-init.service
%{_unitdir}/dovecot.socket %{_unitdir}/dovecot.socket
%else
%{_initddir}/dovecot
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/dovecot
%endif
%dir %{_sysconfdir}/dovecot %dir %{_sysconfdir}/dovecot
%dir %{_sysconfdir}/dovecot/conf.d %dir %{_sysconfdir}/dovecot/conf.d
@ -448,10 +483,10 @@ make check
%{_libexecdir}/%{name} %{_libexecdir}/%{name}
%exclude %{_libexecdir}/%{name}/managesieve* %exclude %{_libexecdir}/%{name}/managesieve*
%dir %attr(0755,root,dovecot) %ghost /run/dovecot %dir %attr(0755,root,dovecot) %ghost /var/run/dovecot
%attr(0750,root,dovenull) %ghost /run/dovecot/login %attr(0750,root,dovenull) %ghost /var/run/dovecot/login
%attr(0750,root,dovenull) %ghost /run/dovecot/token-login %attr(0750,root,dovenull) %ghost /var/run/dovecot/token-login
%attr(0755,root,root) %ghost /run/dovecot/empty %attr(0755,root,root) %ghost /var/run/dovecot/empty
%attr(0750,dovecot,dovecot) /var/lib/dovecot %attr(0750,dovecot,dovecot) /var/lib/dovecot
@ -509,257 +544,117 @@ make check
%{_libdir}/%{name}/dict/libdriver_pgsql.so %{_libdir}/%{name}/dict/libdriver_pgsql.so
%changelog %changelog
* Mon Sep 02 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11.1 * Tue Aug 20 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55211) - fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55219)
- fix CVE-2024-23185: very large headers can cause resource exhaustion when parsing message (RHEL-55225) - fix CVE-2024-23184: using a large number of address headers may trigger a denial of service (RHEL-55206)
* Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-11 * Fri Feb 16 2024 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
- fixes assert-crash when IMAP client uses QRESYNC (#RHEL-25434) - fixes assert-crash when IMAP client uses QRESYNC (#RHEL-22854)
* Tue Aug 15 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-10 * Fri Aug 04 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- fix leaking mailboxes if virtual mailbox can't be opened (#2231408) - fix leaking mailboxes if virtual mailbox can't be opened (#2128857)
* Sat May 27 2023 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-9 * Tue Jul 19 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- add buildrequire of rpcgen to enable rquota support(#2157045) - fix possible privilege escalation when similar master and non-master passdbs are used (#2106231)
* Tue Sep 13 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-8 * Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
- do not run systemd commands during leapp upgrade (#2119385) - do not disable xz/lzma for now despite being deprecated
* Tue Jul 12 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-7 * Wed Dec 08 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
- fix possible privilege escalation when similar master and non-master passdbs are used (#2106232)
* Wed Jul 06 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-6
- fix possible nonzero return value of postinst script(#2053368)
* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-5
- workaround sysuers macro defficiency (#2095399)
* Tue Jul 05 2022 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-4
- use systemd-sysusers for user creation (#2095399)
* Wed Nov 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-3
- re-enable LTO build (#1990080)
* Wed Oct 27 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-2
- set first_valid_uid to 1000 to match system default (#2009716)
* Fri Aug 20 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.16-1
- dovecot updated to 2.3.16, pigeonhole to 0.5.16 - dovecot updated to 2.3.16, pigeonhole to 0.5.16
- fixes several regressions (#1997583) - fix CVE-2021-33515 plaintext commands injection (#1980014)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.15-2 * Wed Feb 03 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - fix CVE-2020-24386 IMAP hibernation function allows mail access (#1913534)
Related: rhbz#1991688
* Wed Jul 21 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.15-1 * Tue Jan 12 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-8
- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15 - fix CVE-2020-25275 denial of service via mail MIME parsing (#1914019)
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in
JWT tokens. This may be used to supply attacker controlled keys to
validate tokens, if attacker has local access (#1979833)
- CVE-2021-33515: On-path attacker could have injected plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client
- Add TSLv1.3 support to min_protocols.
* Wed Jul 14 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-5 * Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-7
- fix mail storage block count parsing (#1974281) - change run directory from /var/run to /run (#1805947)
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-4 * Wed Dec 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-6
- Rebuilt for RHEL 9 BETA for openssl 3.0 - fix mail storage block count parsing (#1894418)
Related: rhbz#1971065 - MIME parser crashed when boundaries were wrong (#1888111)
* Fri Jun 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-3 * Mon Nov 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-5
- compatibility with openssl 3.0 (#1962035) - multilib compatibility (#1853137)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.3.14-2 * Fri Aug 07 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866756)
- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866761)
- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866768)
* Mon Mar 22 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.14-1 * Mon Jun 01 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-3
- dovecot updated to 2.3.14, pigeonhole to 0.5.14 - fix CVE-2020-10957 dovecot: malformed NOOP commands leads to DoS (#1840354)
- use OpenSSL's implementation of HMAC - fix CVE-2020-10958 dovecot: command followed by sufficient number of newlines
- Remove autocreate, expire, snarf and mail-filter plugins. leads to use-after-free (#1840357)
- Remove cydir storage driver. - fix CVE-2020-10967 dovecot: sending mail with empty quoted localpart
- Remove XZ/LZMA write support. Read support will be removed in future release. leads to DoS (#1840356)
* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1:2.3.13-7 * Thu Jan 09 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-2
- rebuild for libpq ABI fix rhbz#1908268 - fix default attributes for ghost files
* Mon Feb 01 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-6 * Tue Nov 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- use make macros - dovecot updated to 2.3.8 with pigeonhole updated to 0.5.8 (#1653117)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.13-5 * Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-4
- fix multilib issues
* Mon Jan 18 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-3
- bump release and rebuild
* Thu Jan 07 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-2
- fix rundir location
* Wed Jan 06 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-1
- fix release number
* Mon Jan 04 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.13-0
- dovecot updated to 2.3.13, pigeonhole to 0.5.13
- CVE-2020-24386: Specially crafted command can cause IMAP hibernate to
allow logged in user to access other people's emails and filesystem
information.
- Metric filter and global event filter variable syntax changed to a
SQL-like format.
- auth: Added new aliases for %{variables}. Usage of the old ones is
possible, but discouraged.
- auth: Removed RPA auth mechanism, SKEY auth mechanism, NTLM auth
mechanism and related password schemes.
- auth: Removed passdb-sia, passdb-vpopmail and userdb-vpopmail.
- auth: Removed postfix postmap socket
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-7
- change run directory from /var/run to /run (#1777922)
* Wed Oct 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-6
- use bigger default key size (#1882939)
* Wed Sep 02 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-5
- fix gssapi issue
* Wed Aug 26 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-4
- fix FTBFS on 32bit systems
* Mon Aug 17 2020 Jeff Law <law@redhat.com> - 1:2.3.11.3-2
- Disable LTO
* Sat Aug 15 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.11.3-1
- CVE-2020-12100: Parsing mails with a large number of MIME parts could
have resulted in excessive CPU usage or a crash due to running out of
stack memory.
- CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
message buffer size, which leads to reading past allocation which can
lead to crash.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
- CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
zero-length message, which leads to assert-crash later on.
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.10.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon May 18 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10.1-1
- dovecot updated to 2.3.10.1
- fixes CVE-2020-10967, CVE-2020-10958, CVE-2020-10957
* Tue Apr 21 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.10-1
- dovecot updated to 2.3.10, pigeonhole updated to 0.5.10
* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
- dovecot updated to 2.3.9.3
- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
submission-login and lmtp processes.
- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.2-1
- CVE-2019-19722: Mails with group addresses in From or To fields
caused crash in push notification drivers.
* Wed Dec 04 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9-1
- dovecot updated to 2.3.9, pigeonhole updated to 0.5.9
* Thu Oct 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.8-1
- dovecot updated to 2.3.8, pigeonhole 0.5.8
* Thu Aug 29 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.7.2-1
- dovecot updated to 2.3.7.2, pigeonhole 0.5.7.2
- fixes CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap when scanning data in quoted strings, leading to out of bounds heap
memory writes memory writes (#1741788)
* Mon Aug 19 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:1-2.3.7.1 * Fri Aug 23 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-9
- dovecot updated to 2.3.7.1, pigeonhole updated to 0.5.7.1 - reset errno before iterating through users (#1630410)
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.6-4 * Mon Jun 17 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - fix CVE-2019-3814: improper certificate validation (#1674370)
* Fri May 31 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-3 * Fri Jun 14 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-7
- disable gcc 9 stack reuse temporarily - do not print error message when restorecon is not present
during install (#1626395)
- change default config to use minimal UID = 1000 (#1630410)
* Mon May 13 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-2 * Mon Jun 10 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-6
- use /run instead of /var/run (#1706372) - use OpenSSl implementation of HMAC, disable CRAM-MD5 when FIPS is enabled (#1618749)
* Thu May 02 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.6-1 * Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-5
- dovecot updated to 2.3.6, pigeonhole updated to 0.5.6 - make key not that bigger (#1618714)
* Thu Apr 18 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.2-1 * Tue Oct 16 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-4
- dovecot updated to 2.3.5.2 - generated key was too small (#1618714)
- fixes CVE-2019-10691: Trying to login with 8bit username containing
invalid UTF8 input causes auth process to crash if auth policy is enabled.
* Thu Mar 28 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5.1-1 * Wed Sep 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-3
- dovecot updated to 2.3.5.1 - fix global ACL directory configuration search path (#1630383)
- CVE-2019-7524: Missing input buffer size validation leads into - update first/last_valid_gid range patch (#1630410)
arbitrary buffer overflow when reading fts or pop3 uidl header
from Dovecot index.
* Wed Mar 06 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.5-1 * Mon Jul 30 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-2
- dovecot updated to 2.3.5, pigeonhole updated to 0.5.5 - fix defaut permissions of gost run files
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.4-3 * Thu Jun 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.36-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - dovecot updated to 2.2.36, pigeonhole to 0.4.24
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:2.3.4-2 * Thu May 24 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-3
- Rebuilt for libcrypt.so.2 (#1666033) - disable tcp_wrappers as it's not available in rhel8
* Wed Jan 09 2019 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.4-1 * Thu Apr 19 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-2
- dovecot updated to 2.3.4, pigeonhole updated to 0.5.4 - include crypt.h explicitely
* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.3-1 * Wed Mar 21 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.35-1
- dovecot updated to 2.3.3, pigeonhole pdated to 0.5.3 - dovecot updated to 2.2.35, pigeonhole updated to 0.4.23
- doveconf hides more secrets now in the default output
- NUL bytes in mail headers can cause truncated replies when fetched.
- virtual plugin: Some searches used 100% CPU for many seconds
- dsync assert-crashed with acl plugin in some situations.
- imapc: Fixed various assert-crashes when reconnecting to server.
* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.2.34-1
* Tue Oct 02 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-4 - dovecot updated to 2.2.34, pigeonhole updated to 0.4.22
- fix dovecot-init service syntax error (#1635017) - fixes CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
* Mon Aug 13 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-3 and the process restarted. This happens only if Dovecot config has
- do not try to generate ssl-params as its obsolete (#1614640) local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.2.1-2 - fixes CVE-2017-14461: Parsing invalid email addresses may cause a crash or
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
* Tue Jul 10 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2.1-1 process is reused for multiple users.
- SSL/TLS servers may have crashed during client disconnection - fixes CVE-2017-15132: Aborted SASL authentication leaks memory in login
process.
* Mon Jul 09 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.2-1
- dovecot updated to 2.3.2, pigeonhole to 0.5.2
* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-2
- fix ftbfs - murmurhash3 check fail
* Wed Mar 28 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.1-1
- dovecot updated to 2.3.1, pigeonhole updated to 0.5.1
* Tue Mar 27 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-3
- use libxcrypt for Fedora >= 28, part of ftbfs fix (#1548520)
* Wed Mar 07 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-2
- add gcc buildrequire
* Thu Mar 01 2018 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.0.1-1
- dovecot updated to 2.3.0.1, pigeonhole updated to 0.5.0.1
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:2.2.33.2-5
- Escape macros in %%changelog - Escape macros in %%changelog