From 8cf1d2f9f0f49f7d77f24e5302cc9ea995d56f9e Mon Sep 17 00:00:00 2001
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Sun, 22 Jul 2018 16:29:00 +0200
Subject: [PATCH] main/dovecot: more secure default config
---
main/dovecot/APKBUILD | 4 +++-
main/dovecot/default-config.patch | 32 +++++++++++++++++++++++++++++++
main/dovecot/dovecot.post-install | 2 +-
3 files changed, 36 insertions(+), 2 deletions(-)
create mode 100644 main/dovecot/default-config.patch
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 3e1e0b949070..c2c8a3e867f4 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -5,7 +5,7 @@
pkgname=dovecot
pkgver=2.3.2.1
_pkgvermajor=2.3
-pkgrel=0
+pkgrel=1
_pigeonholever=0.5.2
_pigeonholevermajor=${_pigeonholever%.*}
pkgdesc="IMAP and POP3 server"
@@ -28,6 +28,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-openrc
source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
skip-iconv-check.patch
+ default-config.patch
dovecot.logrotate
dovecot.initd
"
@@ -206,5 +207,6 @@ _fts_lucene() {
sha512sums="c085a0d04925485423086736a3c7d919ad0ca9efeff005890382da5333edb68c7d23ccb89fbe2ac44f8f016fc993bf2c669e450794c3ab13463676cbb47c7bf7 dovecot-2.3.2.1.tar.gz
6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c dovecot-2.3-pigeonhole-0.5.2.tar.gz
fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a skip-iconv-check.patch
+ba76394aac0dc16209855f7a9a66d6828e7cb198400d199cbb129a787f8037c2979eed1cb460bd9ed0914d084d8913959c0293c6dd29ea6b1c12c277fd643df0 default-config.patch
9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0 dovecot.logrotate
d2758a22e5b3d1d1be867fd237466a1b5fe7ecd4355fdc51fa9e5ceab48a862f8a5d83992d2ae17a3e0b2c611ff92d0de833d7e1c5f00c6f4bfb94403dbda8e4 dovecot.initd"
diff --git a/main/dovecot/default-config.patch b/main/dovecot/default-config.patch
new file mode 100644
index 000000000000..17e2077cec82
--- /dev/null
+++ b/main/dovecot/default-config.patch
@@ -0,0 +1,32 @@
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,7 +3,10 @@
+ ##
+
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
++# POP3S, IMAP+TLS and IMAPS.
++# Plain IMAP and POP3 are still allowed for local connections.
++ssl = required
+
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ # To disable non-EC DH, use:
+ #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
++ssl_cipher_list = PROFILE=SYSTEM
+
+ # Colon separated list of elliptic curves to use. Empty value (the default)
+ # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
diff --git a/main/dovecot/dovecot.post-install b/main/dovecot/dovecot.post-install
index c014fcbb47ba..5053dddc33a2 100644
--- a/main/dovecot/dovecot.post-install
+++ b/main/dovecot/dovecot.post-install
@@ -3,7 +3,7 @@
# based on doc/mkcert.sh
# if ssl disabled then lets just exit
-doveconf ssl 2>/dev/null | grep -q 'yes' || exit 0
+doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0
# Generates a self-signed certificate.
OPENSSL=${OPENSSL-openssl}
--
GitLab