diff --git a/CVE-2019-10691.patch b/CVE-2019-10691.patch
new file mode 100644
index 0000000000000000000000000000000000000000..01ccbf826b1dc3d12cb93373d7a65d5130b74242
--- /dev/null
+++ b/CVE-2019-10691.patch
@@ -0,0 +1,62 @@
+From 973769d74433de3c56c4ffdf4f343cb35d98e4f7 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Tue, 2 Apr 2019 13:09:48 +0300
+Subject: [PATCH] lib: json - Escape invalid UTF-8 as unicode bytes
+
+This prevents dovecot from crashing if invalid UTF-8 input
+is given.
+---
+ src/lib/json-parser.c | 12 ++++++++----
+ src/lib/test-json-parser.c | 8 ++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
+index 677091d649..e7846a329f 100644
+--- a/src/lib/json-parser.c
++++ b/src/lib/json-parser.c
+@@ -803,9 +803,13 @@ void json_append_escaped_data(string_t *dest, const unsigned char *src, size_t s
+
+ for (i = 0; i < size;) {
+ bytes = uni_utf8_get_char_n(src+i, size-i, &chr);
+- /* refuse to add invalid data */
+- i_assert(bytes > 0 && uni_is_valid_ucs4(chr));
+- json_append_escaped_ucs4(dest, chr);
+- i += bytes;
++ if (bytes > 0 && uni_is_valid_ucs4(chr)) {
++ json_append_escaped_ucs4(dest, chr);
++ i += bytes;
++ } else {
++ str_append_data(dest, UNICODE_REPLACEMENT_CHAR_UTF8,
++ UTF8_REPLACEMENT_CHAR_LEN);
++ i++;
++ }
+ }
+ }
+diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
+index bae6fb202b..9ce1e489ba 100644
+--- a/src/lib/test-json-parser.c
++++ b/src/lib/test-json-parser.c
+@@ -267,20 +267,20 @@ static void test_json_append_escaped(void)
+ string_t *str = t_str_new(32);
+
+ test_begin("json_append_escaped()");
+- json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7");
+- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++ json_append_escaped(str, "\b\f\r\n\t\"\\\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff");
++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ test_end();
+ }
+
+ static void test_json_append_escaped_data(void)
+ {
+ static const unsigned char test_input[] =
+- "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7";
++ "\b\f\r\n\t\"\\\000\001\002-\xC3\xA4\xf0\x90\x90\xb7\xff";
+ string_t *str = t_str_new(32);
+
+ test_begin("json_append_escaped()");
+ json_append_escaped_data(str, test_input, sizeof(test_input)-1);
+- test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37") == 0);
++ test_assert(strcmp(str_c(str), "\\b\\f\\r\\n\\t\\\"\\\\\\u0000\\u0001\\u0002-\\u00e4\\ud801\\udc37" UNICODE_REPLACEMENT_CHAR_UTF8) == 0);
+ test_end();
+ }
diff --git a/CVE-2019-11494-1.patch b/CVE-2019-11494-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a74ff16e9ab5a74b277c1b2378fffa6259248ed2
--- /dev/null
+++ b/CVE-2019-11494-1.patch
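Review bot: The new `else` branch in json_append_escaped_data() has no comment, and the commit subject says invalid UTF-8 is escaped "as unicode bytes" while the code appends the raw `UNICODE_REPLACEMENT_CHAR_UTF8` bytes rather than a `\u` escape. A comment such as `/* invalid or truncated sequence: emit U+FFFD as raw UTF-8 and resync one byte at a time */` above `str_append_data()` would record both that and why `i++` is used instead of `i += bytes`. The added tests only cover a single trailing `\xff`; a case with an invalid byte in the middle of the input and one with a truncated multi-byte sequence at the end would pin the resync behaviour. The function's declarations and the start of its body are outside the hunk.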
@@ -0,0 +1,31 @@
+From e9d60648abb9bbceff89882a5309cb9532e702e9 Mon Sep 17 00:00:00 2001
+From: Stephan Bosch
+Date: Thu, 25 Apr 2019 09:51:32 +0200
+Subject: [PATCH 3/3] lib-smtp: smtp-server-cmd-auth - Fix AUTH response error
+ handling so that it stops reading more input.
+
+Otherwise, it may try to read more data from the stream as the next AUTH
+response, which causes an assert crash in the command parser later on. Even when
+the parser finds no input from the stream, it will advance its state
+towards AUTH response parsing, which is a problem when the next command is
+subsequently being parsed.
+
+Panic was:
+
+Panic: file smtp-command-parser.c: line 438 (smtp_command_parse_next): assertion failed: (!parser->auth_response || parser->state.state == SMTP_COMMAND_PARSE_STATE_INIT || parser->state.state == SMTP_COMMAND_PARSE_STATE_ERROR)
+---
+ src/lib-smtp/smtp-server-cmd-auth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c
+===================================================================
+--- dovecot-2.3.4.1.orig/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.045289307 -0400
++++ dovecot-2.3.4.1/src/lib-smtp/smtp-server-cmd-auth.c 2019-04-29 07:39:15.037289277 -0400
+@@ -97,6 +97,7 @@ static void cmd_auth_input(struct smtp_s
+ smtp_server_connection_debug(conn,
+ "Client sent invalid AUTH response: %s", error);
+
++ smtp_server_command_input_lock(cmd);
+ switch (error_code) {
+ case SMTP_COMMAND_PARSE_ERROR_BROKEN_COMMAND:
+ conn->input_broken = TRUE;
diff --git a/CVE-2019-11494-2.patch b/CVE-2019-11494-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba79ce298a2735452c328f606876b9f9336204c2
--- /dev/null
+++ b/CVE-2019-11494-2.patch
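Review bot: The added `smtp_server_command_input_lock(cmd);` in cmd_auth_input() carries no comment, so the reason for it exists only in the commit message. Something like `/* stop reading further input as an AUTH response; the parser state must not advance while the error is being handled */` directly above the call would keep a later cleanup from removing it. The lock is taken before the `switch`, for every `error_code`; whether and where it is released is outside the hunk, so that pairing should be confirmed in the rest of the function.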
@@ -0,0 +1,37 @@
+From f79745dae4a9a5fca33320e03a4fc9064b88d01e Mon Sep 17 00:00:00 2001
+From: Stephan Bosch
+Date: Tue, 12 Mar 2019 03:18:33 +0100
+Subject: [PATCH 2/3] submission-login: client-authenticate - Fix crash
+ occurring when client disconnects during authentication.
+
+---
+ src/submission-login/client-authenticate.c | 3 +++
+ src/submission-login/client.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+Index: dovecot-2.3.4.1/src/submission-login/client-authenticate.c
+===================================================================
+--- dovecot-2.3.4.1.orig/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400
++++ dovecot-2.3.4.1/src/submission-login/client-authenticate.c 2019-04-29 07:39:05.705254949 -0400
+@@ -89,6 +89,9 @@ void submission_client_auth_result(struc
+ container_of(client, struct submission_client, common);
+ struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+
++ if (subm_client->conn == NULL)
++ return;
++
+ subm_client->pending_auth = NULL;
+ i_assert(cmd != NULL);
+
+Index: dovecot-2.3.4.1/src/submission-login/client.c
+===================================================================
+--- dovecot-2.3.4.1.orig/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400
++++ dovecot-2.3.4.1/src/submission-login/client.c 2019-04-29 07:39:05.705254949 -0400
+@@ -176,6 +176,7 @@ static void client_connection_disconnect
+ {
+ struct submission_client *client = context;
+
++ client->pending_auth = NULL;
+ client_disconnect(&client->common, reason);
+ }
+
diff --git a/CVE-2019-11499.patch b/CVE-2019-11499.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e10d43eef857ac03426cc687e8a419ecaa0f5b0d
--- /dev/null
+++ b/CVE-2019-11499.patch
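Review bot: In submission_client_auth_result() `cmd` is still read from `subm_client->pending_auth` and checked with `i_assert(cmd != NULL)`, while the client.c hunk now clears `pending_auth` in client_connection_disconnect(). If the auth result can arrive after that callback while `subm_client->conn` is still non-NULL, the assert fires and the process still aborts; where `conn` is reset is not visible in either hunk. Either confirm that `conn` is always NULL by that point, or make the guard cover both states with `if (subm_client->conn == NULL || cmd == NULL) return;`. Both functions continue outside their hunks.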
@@ -0,0 +1,22 @@
+From 754f791dd26313de8d75b740bddd1a192f11bf3f Mon Sep 17 00:00:00 2001
+From: Stephan Bosch
+Date: Tue, 23 Apr 2019 00:13:46 +0200
+Subject: [PATCH 1/3] submission-login: Remove unused client->pending_starttls.
+
+---
+ src/submission-login/client.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: dovecot-2.3.4.1/src/submission-login/client.h
+===================================================================
+--- dovecot-2.3.4.1.orig/src/submission-login/client.h 2019-04-29 07:38:39.541158696 -0400
++++ dovecot-2.3.4.1/src/submission-login/client.h 2019-04-29 07:38:39.537158682 -0400
+@@ -22,7 +22,7 @@ struct submission_client {
+ const struct submission_login_settings *set;
+
+ struct smtp_server_connection *conn;
+- struct smtp_server_cmd_ctx *pending_auth, *pending_starttls;
++ struct smtp_server_cmd_ctx *pending_auth;
+
+ enum submission_proxy_state proxy_state;
+ enum smtp_capability proxy_capability;
diff --git a/CVE-2019-3814-1.patch b/CVE-2019-3814-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbcb8b5f0d32da90a6642a451ed2b69f57465480
--- /dev/null
+++ b/CVE-2019-3814-1.patch
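Review bot: The file named CVE-2019-11499.patch contains only PATCH 1/3 of the series, which removes the unused `pending_starttls` member from struct submission_client and changes no behaviour. The behavioural changes of that series sit in CVE-2019-11494-1.patch (PATCH 3/3) and CVE-2019-11494-2.patch (PATCH 2/3), so the file names do not show which change addresses which CVE. A header line in each patch file naming the CVE it fixes and the upstream commit it was taken from, e.g. `# Fixes: CVE-<id>, upstream commit <hash>`, would let an auditor verify coverage from the package alone.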
@@ -0,0 +1,22 @@
+From d21218b416c7f26cb42a491bbd04bcd0d6a65b51 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Wed, 16 Jan 2019 18:28:57 +0200
+Subject: [PATCH 1/3] auth: Do not import empty certificate username
+
+---
+ src/auth/auth-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: dovecot-2.3.2.1/src/auth/auth-request.c
+===================================================================
+--- dovecot-2.3.2.1.orig/src/auth/auth-request.c 2019-01-28 08:49:08.117668002 -0500
++++ dovecot-2.3.2.1/src/auth/auth-request.c 2019-01-28 08:49:08.113667992 -0500
+@@ -454,7 +454,7 @@ bool auth_request_import_auth(struct aut
+ else if (strcmp(key, "valid-client-cert") == 0)
+ request->valid_client_cert = TRUE;
+ else if (strcmp(key, "cert_username") == 0) {
+- if (request->set->ssl_username_from_cert) {
++ if (request->set->ssl_username_from_cert && *value != '\0') {
+ /* get username from SSL certificate. it overrides
+ the username given by the auth mechanism. */
+ request->user = p_strdup(request->pool, value);
diff --git a/CVE-2019-3814-2.patch b/CVE-2019-3814-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a871535b414c718021335c4b54fd427a339565d4
--- /dev/null
+++ b/CVE-2019-3814-2.patch
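Review bot: With the added `*value != '\0'` test an empty `cert_username` is skipped silently, so `request->user` keeps the username given by the auth mechanism, which is the opposite of what the comment inside the branch describes. Nothing in this hunk rejects or logs that case; the rejection lives in auth_request_handler_auth_begin() (CVE-2019-3814-2.patch) and applies only when `ssl_require_client_cert` is also set. Extending the comment, e.g. `/* an empty value is ignored here; auth_request_handler_auth_begin() fails the request when a certificate username was required */`, would make that dependency visible. The function body continues outside the hunk.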
@@ -0,0 +1,31 @@
+From 1a6d921b831af5228e8ad493a88bc46bdb30ca4b Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Wed, 16 Jan 2019 18:24:20 +0200
+Subject: [PATCH 2/3] auth: Fail authentication if certificate username was
+ unexpectedly missing
+
+---
+ src/auth/auth-request-handler.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/auth/auth-request-handler.c b/src/auth/auth-request-handler.c
+index ae7b458c9..318f15031 100644
+--- a/src/auth/auth-request-handler.c
++++ b/src/auth/auth-request-handler.c
+@@ -581,6 +581,14 @@ bool auth_request_handler_auth_begin(struct auth_request_handler *handler,
+ return TRUE;
+ }
+
++ if (request->set->ssl_require_client_cert &&
++ request->set->ssl_username_from_cert &&
++ !request->cert_username) {
++ auth_request_handler_auth_fail(handler, request,
++ "SSL certificate didn't contain username");
++ return TRUE;
++ }
++
+ /* Handle initial respose */
+ if (initial_resp == NULL) {
+ /* No initial response */
+--
+2.11.0
diff --git a/CVE-2019-3814-3.patch b/CVE-2019-3814-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..008fd87d04e3f7b45cdaee7332b4d69a7813096d
--- /dev/null
+++ b/CVE-2019-3814-3.patch
@@ -0,0 +1,88 @@
+From 3f109288a477fbf69db300b55d0dd8cd1c4da8ea Mon Sep 17 00:00:00 2001
+From: Aki Tuomi
+Date: Tue, 15 Jan 2019 17:36:37 +0200
+Subject: [PATCH 3/3] login-common: Ensure we get username from certificate
+
+---
+ src/login-common/sasl-server.c | 52 +++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
+index dedfb5b8f..ea14c0b6e 100644
+--- a/src/login-common/sasl-server.c
++++ b/src/login-common/sasl-server.c
+@@ -338,6 +338,43 @@ authenticate_callback(struct auth_client_request *request,
+ }
+ }
+
++static bool get_cert_username(struct client *client, const char **username_r,
++ const char **error_r)
++{
++ /* this was proxied connection, so we use the name here */
++ if (client->client_cert_common_name != NULL) {
++ *username_r = client->client_cert_common_name;
++ return TRUE;
++ }
++
++ /* no SSL */
++ if (client->ssl_iostream == NULL) {
++ *username_r = NULL;
++ return TRUE;
++ }
++
++ /* no client certificate */
++ if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
++ *username_r = NULL;
++ return TRUE;
++ }
++
++ /* get peer name */
++ const char *username = ssl_iostream_get_peer_name(client->ssl_iostream);
++
++ /* if we wanted peer name, but it was not there, fail */
++ if (client->set->auth_ssl_username_from_cert &&
++ (username == NULL || *username == '\0')) {
++ if (client->set->auth_ssl_require_client_cert) {
++ *error_r = "Missing username in certificate";
++ return FALSE;
++ }
++ }
++
++ *username_r = username;
++ return TRUE;
++}
++
+ void sasl_server_auth_begin(struct client *client,
+ const char *service, const char *mech_name,
+ const char *initial_resp_base64,
+@@ -345,6 +382,7 @@ void sasl_server_auth_begin(struct client *client,
+ {
+ struct auth_request_info info;
+ const struct auth_mech_desc *mech;
++ const char *error;
+
+ i_assert(auth_client_is_connected(auth_client));
+
+@@ -376,9 +414,17 @@ void sasl_server_auth_begin(struct client *client,
+ info.mech = mech->name;
+ info.service = service;
+ info.session_id = client_get_session_id(client);
+- if (client->client_cert_common_name != NULL)
+- info.cert_username = client->client_cert_common_name;
+- else if (client->ssl_iostream != NULL) {
++
++ if (!get_cert_username(client, &info.cert_username, &error)) {
++ client_log_err(client, t_strdup_printf("Cannot get username "
++ "from certificate: %s", error));
++ sasl_server_auth_failed(client,
++ "Unable to validate certificate",
++ AUTH_CLIENT_FAIL_CODE_AUTHZFAILED);
++ return;
++ }
++
++ if (client->ssl_iostream != NULL) {
+ info.cert_username = ssl_iostream_get_peer_name(client->ssl_iostream);
+ info.ssl_cipher = ssl_iostream_get_cipher(client->ssl_iostream,
+ &info.ssl_cipher_bits);
+--
+2.11.0
diff --git a/CVE-2019-7524-1.patch b/CVE-2019-7524-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cd90980a656bb59db8c281c37ff1a36a66e77bcf
--- /dev/null
+++ b/CVE-2019-7524-1.patch
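Review bot: In sasl_server_auth_begin() the value stored by `get_cert_username()` is overwritten two lines later, because the unchanged line `info.cert_username = ssl_iostream_get_peer_name(client->ssl_iostream);` is still the first statement of the `if (client->ssl_iostream != NULL)` block. Before this change that assignment sat in the `else if` arm and ran only when `client->client_cert_common_name` was NULL; now a proxied connection that also has an SSL stream would lose the common name, and the `ssl_iostream_has_valid_client_cert()` result is not reflected in the final value. That line should be dropped so the block starts with `info.ssl_cipher = ssl_iostream_get_cipher(...)`. In `get_cert_username()` the two nested `if`s can be a single condition, and the case where the username is missing but `auth_ssl_require_client_cert` is unset is passed on unchanged, which deserves a comment. The hunk ends inside the `if` block.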
@@ -0,0 +1,34 @@
+From 578cf77e84b3d25e2f95f08133a2b0b212aa77cc Mon Sep 17 00:00:00 2001
+From: Timo Sirainen
+Date: Mon, 4 Feb 2019 19:23:02 -0800
+Subject: [PATCH 1/2] lib-storage: Fix buffer overflow when reading oversized
+ hdr-pop3-uidl header
+
+---
+ src/lib-storage/index/index-pop3-uidl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib-storage/index/index-pop3-uidl.c b/src/lib-storage/index/index-pop3-uidl.c
+index 13b7363ef..e537e9ff5 100644
+--- a/src/lib-storage/index/index-pop3-uidl.c
++++ b/src/lib-storage/index/index-pop3-uidl.c
+@@ -37,7 +37,7 @@ bool index_pop3_uidl_can_exist(struct mail *mail)
+ /* this header isn't set yet */
+ return TRUE;
+ }
+- memcpy(&uidl, data, size);
++ memcpy(&uidl, data, sizeof(uidl));
+ return mail->uid <= uidl.max_uid_with_pop3_uidl;
+ }
+
+@@ -95,7 +95,7 @@ void index_pop3_uidl_update_exists_finish(struct mailbox_transaction_context *tr
+
+ /* check if we have already the same header */
+ if (size >= sizeof(uidl)) {
+- memcpy(&uidl, data, size);
++ memcpy(&uidl, data, sizeof(uidl));
+ if (trans->highest_pop3_uidl_uid == uidl.max_uid_with_pop3_uidl)
+ return;
+ }
+--
+2.11.0
diff --git a/CVE-2019-7524.patch b/CVE-2019-7524.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5fd2d70a390a50bfe5c312fcc62a3851973c4675
--- /dev/null
+++ b/CVE-2019-7524.patch
@@ -0,0 +1,11 @@
+--- a/src/plugins/fts/fts-api.c 2018-04-30 21:52:04.000000000 +0800
++++ b/src/plugins/fts/fts-api.c 2019-04-04 17:51:00.170000000 +0800
+@@ -425,7 +425,7 @@ bool fts_index_get_header(struct mailbox
+ i_zero(hdr_r);
+ ret = FALSE;
+ } else {
+- memcpy(hdr_r, data, data_size);
++ memcpy(hdr_r, data, sizeof(*hdr_r));
+ ret = TRUE;
+ }
+ mail_index_view_close(&view);
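Review bot: Copying `sizeof(uidl)` bounds the write, but it becomes a read past the end of `data` whenever the stored header is shorter than the struct, so each `memcpy` needs a guard on the source length as well. The second hunk in index-pop3-uidl.c shows that guard (`if (size >= sizeof(uidl))`); in index_pop3_uidl_can_exist() the condition in front of the early `return TRUE` is outside the hunk and should be confirmed to reject short headers, not only empty ones. The same applies to fts_index_get_header() in CVE-2019-7524.patch, where the `else` branch now copies `sizeof(*hdr_r)` and the test that selects it is not visible; if it only checks for zero, it should become `if (data_size < sizeof(*hdr_r))`.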
diff --git a/dovecot-2.3-pigeonhole-0.5.3.tar.gz b/dovecot-2.3-pigeonhole-0.5.3.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ef23e092ba57496e924fe94a467feb70ace838bb
Binary files /dev/null and b/dovecot-2.3-pigeonhole-0.5.3.tar.gz differ
diff --git a/dovecot-2.3.0.1-libxcrypt.patch b/dovecot-2.3.0.1-libxcrypt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b368f8818b5f71b4a4d9724a8f89c83ee9f04df
--- /dev/null
+++ b/dovecot-2.3.0.1-libxcrypt.patch
@@ -0,0 +1,12 @@
+diff -up dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt dovecot-2.3.0.1/src/auth/mycrypt.c
+--- dovecot-2.3.0.1/src/auth/mycrypt.c.libxcrypt 2018-02-28 15:28:58.000000000 +0100
++++ dovecot-2.3.0.1/src/auth/mycrypt.c 2018-03-27 10:57:38.447769201 +0200
+@@ -14,6 +14,7 @@
+ # define _XPG6 /* Some Solaris versions require this, some break with this */
+ #endif
+ #include
++#include
+
+ #include "mycrypt.h"
+
+
diff --git a/dovecot-2.3.3.tar.gz b/dovecot-2.3.3.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..78447efb03dcdbc1588fa801564b8f0f2fd64afe
Binary files /dev/null and b/dovecot-2.3.3.tar.gz differ
diff --git a/dovecot.pam b/dovecot.pam
new file mode 100644
index 0000000000000000000000000000000000000000..5b9f05ff9f9394bc5594d8c4d8c5f2dcaa4a8e66
--- /dev/null
+++ b/dovecot.pam
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth include password-auth
+account include password-auth
+session include password-auth
diff --git a/dovecot.spec b/dovecot.spec
new file mode 100644
index 0000000000000000000000000000000000000000..5529cdf25e258668320274fa2153d973556d27cb
--- /dev/null
+++ b/dovecot.spec
@@ -0,0 +1,282 @@
+%global __provides_exclude_from %{_docdir}
+%global __requires_exclude_from %{_docdir}
+%global ssldir %{_sysconfdir}/pki/%{name}
+%global restart_flag /var/run/%{name}/%{name}-restart-after-rpm-install
+%global _hardened_build 1
+
+Name: dovecot
+Version: 2.3.3
+Release: 4
+Summary: Dovecot Secure imap server
+License: MIT and LGPLv2
+URL: http://www.dovecot.org/
+Epoch: 1
+
+Source: http://www.dovecot.org/releases/2.3/%{name}-%{version}%{?prever}.tar.gz
+Source2: dovecot.pam
+Source8: http://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.3.tar.gz
+Source9: dovecot.sysconfig
+Source10: dovecot.tmpfilesd
+
+Patch0001: dovecot-2.3.0.1-libxcrypt.patch
+Patch6000: CVE-2019-7524.patch
+Patch6001: CVE-2019-3814-1.patch
+Patch6002: CVE-2019-3814-2.patch
+Patch6003: CVE-2019-3814-3.patch
+Patch6004: CVE-2019-7524-1.patch
+Patch6005: CVE-2019-10691.patch
+Patch6006: CVE-2019-11494-1.patch
+Patch6007: CVE-2019-11494-2.patch
+Patch6008: CVE-2019-11499.patch
+
+BuildRequires: gcc-c++ openssl-devel pam-devel zlib-devel bzip2-devel libcap-devel
+BuildRequires: libtool autoconf automake pkgconfig sqlite-devel libpq-devel
+BuildRequires: mariadb-connector-c-devel libxcrypt-devel openldap-devel krb5-devel
+BuildRequires: quota-devel xz-devel gettext-devel clucene-core-devel libcurl-devel expat-devel
+
+Requires: openssl >= 0.9.7f-4 systemd
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Provides: %{name}-pigeonhole = 1:%{version}-%{release} %{name}-pgsql = 1:%{version}-%{release}
+Obsoletes: %{name}-pigeonhole < 1:%{version}-%{release} %{name}-pgsql < 1:%{version}-%{release}
+Provides: %{name}-mysql = 1:%{version}-%{release}
+Obsoletes: %{name}-mysql < 1:%{version}-%{release}
+
+%description
+Dovecot is an IMAP server for Linux/UNIX-like systemsa wrapper package
+that will just handle common things for all versioned dovecot packages.
+
+%package devel
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Summary: Development files for dovecot
+%description devel
+This package provides the development files for dovecot.
+
+%package help
+Summary: Help documentation for %{name}
+
+%description help
+Man pages and other related help documents for %{name}.
+
+
+%prep
+%autosetup -n %{name}-%{version}%{?prever} -a 8 -p1
+
+sed -i '/DEFAULT_INCLUDES *=/s|$| '"$(pkg-config --cflags libclucene-core)|" src/plugins/fts-lucene/Makefile.in
+
+%build
+export CFLAGS="%{__global_cflags} -fno-strict-aliasing" LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"
+
+mkdir -p m4
+autoreconf -I . -fiv #required for aarch64 support
+
+%configure INSTALL_DATA="install -c -p -m644" \
+ --docdir=%{_docdir}/%{name} --disable-static --disable-rpath --with-nss \
+ --with-shadow --with-pam --with-gssapi=plugin --with-ldap=plugin --with-sql=plugin --with-pgsql --with-mysql \
+ --with-sqlite --with-zlib --with-libcap --with-lucene --with-ssl=openssl --with-ssldir=%{ssldir} \
+ --with-solr --with-systemdsystemunitdir=%{_unitdir} --with-docs
+
+sed -i 's|/etc/ssl|/etc/pki/dovecot|' doc/mkcert.sh doc/example-config/conf.d/10-ssl.conf
+
+%make_build
+
+cd dovecot-2*3-pigeonhole-0.5.3
+
+[ -f configure ] || autoreconf -fiv
+[ -f ChangeLog ] || echo "Pigeonhole ChangeLog is not available, yet" >ChangeLog
+
+%configure \
+ INSTALL_DATA="install -c -p -m644" --disable-static --with-dovecot=../ --without-unfinished-features
+
+%make_build
+cd -
+
+%install
+%make_install
+mv $RPM_BUILD_ROOT/%{_docdir}/%{name} %{_builddir}/%{name}-%{version}%{?prever}/docinstall
+
+cd dovecot-2*3-pigeonhole-0.5.3
+%make_install
+
+mv $RPM_BUILD_ROOT/%{_docdir}/%{name} $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
+
+install -m 644 AUTHORS ChangeLog COPYING COPYING.LGPL INSTALL NEWS README $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole
+cd -
+
+install -p -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/dovecot
+
+install -d $RPM_BUILD_ROOT%{ssldir}/certs
+install -d $RPM_BUILD_ROOT%{ssldir}/private
+touch $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
+chmod 600 $RPM_BUILD_ROOT%{ssldir}/certs/dovecot.pem
+touch $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
+chmod 600 $RPM_BUILD_ROOT%{ssldir}/private/dovecot.pem
+
+
+install -p -D -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_tmpfilesdir}/dovecot.conf
+install -d $RPM_BUILD_ROOT/var/run/dovecot/{login,empty,token-login}
+
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
+install -p -m 644 docinstall/example-config/dovecot.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot
+install -p -m 644 docinstall/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
+install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
+install -p -m 644 docinstall/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d
+install -p -m 644 $RPM_BUILD_ROOT/%{_docdir}/%{name}-pigeonhole/example-config/conf.d/*.conf.ext $RPM_BUILD_ROOT%{_sysconfdir}/dovecot/conf.d ||:
+
+install -p -m 644 doc/dovecot-openssl.cnf $RPM_BUILD_ROOT%{ssldir}/dovecot-openssl.cnf
+
+install -p -m755 doc/mkcert.sh $RPM_BUILD_ROOT%{_libexecdir}/%{name}/mkcert.sh
+
+install -d $RPM_BUILD_ROOT/var/lib/dovecot
+
+%delete_la
+
+cd docinstall
+rm -f securecoding.txt thread-refs.txt
+cd -
+
+
+%pre
+getent group dovecot >/dev/null || groupadd -r --gid 97 dovecot
+getent passwd dovecot >/dev/null || \
+useradd -r --uid 97 -g dovecot -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot IMAP server" dovecot
+
+getent group dovenull >/dev/null || groupadd -r dovenull
+getent passwd dovenull >/dev/null || \
+useradd -r -g dovenull -d /usr/libexec/dovecot -s /sbin/nologin -c "Dovecot's unauthorized user" dovenull
+
+if [ "$1" = "2" ]; then
+ rm -f %restart_flag
+ /bin/systemctl is-active %{name}.service >/dev/null 2>&1 && touch %restart_flag ||:
+ /bin/systemctl stop %{name}.service >/dev/null 2>&1
+fi
+
+%post
+if [ $1 -eq 1 ]; then
+ %systemd_post dovecot.service
+fi
+
+install -d -m 0755 -g dovecot -d /var/run/dovecot
+install -d -m 0755 -d /var/run/dovecot/empty
+install -d -m 0750 -g dovenull -d /var/run/dovecot/login
+install -d -m 0755 -g dovenull -d /var/run/dovecot/token-login
+[ -x /sbin/restorecon ] && /sbin/restorecon -R /var/run/dovecot
+
+%preun
+if [ $1 = 0 ]; then
+ /bin/systemctl disable dovecot.service dovecot.socket >/dev/null 2>&1 || :
+ /bin/systemctl stop dovecot.service dovecot.socket >/dev/null 2>&1 || :
+ rm -rf /var/run/dovecot
+fi
+
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+
+
+if [ "$1" -ge "1" -a -e %restart_flag ]; then
+ /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
+ rm -f %restart_flag
+fi
+
+%posttrans
+if [ -e %restart_flag ]; then
+ /bin/systemctl start dovecot.service >/dev/null 2>&1 || :
+ rm -f %restart_flag
+fi
+
+%check
+make check
+cd dovecot-2*3-pigeonhole-0.5.3
+make check
+
+%files
+%doc docinstall/* AUTHORS ChangeLog COPYING COPYING.LGPL COPYING.MIT NEWS README
+%{_sbindir}/dovecot
+
+%{_bindir}/{doveadm,doveconf,dsync}
+
+%_tmpfilesdir/dovecot.conf
+%{_unitdir}/{dovecot.service,dovecot.socket}
+
+%dir %{_sysconfdir}/dovecot
+%dir %{_sysconfdir}/dovecot/conf.d
+%config(noreplace) %{_sysconfdir}/dovecot/dovecot.conf
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{10-auth.conf,10-director.conf,10-logging.conf,10-mail.conf}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{10-master.conf,10-ssl.conf,15-lda.conf,15-mailboxes.conf}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{20-imap.conf,20-lmtp.conf,20-pop3.conf,20-submission.conf}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{90-acl.conf,90-quota.conf,90-plugin.conf,auth-checkpassword.conf.ext}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-deny.conf.ext,auth-dict.conf.ext,auth-ldap.conf.ext}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-master.conf.ext,auth-passwdfile.conf.ext,auth-sql.conf.ext}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{auth-static.conf.ext,auth-system.conf.ext,auth-vpopmail.conf.ext}
+
+%config(noreplace) %{_sysconfdir}/pam.d/dovecot
+%config(noreplace) %{ssldir}/dovecot-openssl.cnf
+
+%dir %{ssldir}
+%dir %{ssldir}/certs
+%dir %{ssldir}/private
+%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{ssldir}/certs/dovecot.pem
+%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) %{ssldir}/private/dovecot.pem
+
+%dir %{_libdir}/dovecot
+%dir %{_libdir}/dovecot/{auth,dict}
+%{_libdir}/dovecot/doveadm
+%exclude %{_libdir}/dovecot/doveadm/*sieve*
+%{_libdir}/dovecot/*.so.*
+%{_libdir}/dovecot/*_plugin.so
+%exclude %{_libdir}/dovecot/*_sieve_plugin.so
+%{_libdir}/dovecot/auth/{lib20_auth_var_expand_crypt.so,libauthdb_imap.so,libauthdb_ldap.so}
+%{_libdir}/dovecot/auth/{libmech_gssapi.so,libdriver_sqlite.so}
+%{_libdir}/dovecot/dict/{libdriver_sqlite.so,libdict_ldap.so}
+%{_libdir}/dovecot/{libdriver_sqlite.so,libssl_iostream_openssl.so,libfs_compress.so,libfs_crypt.so}
+%{_libdir}/dovecot/{libfs_mail_crypt.so,libdcrypt_openssl.so,lib20_var_expand_crypt.so}
+%{_libdir}/dovecot/old-stats/{libold_stats_mail.so,libstats_auth.so}
+
+%dir %{_libdir}/dovecot/settings
+
+%{_libexecdir}/%{name}
+
+%ghost /var/run/dovecot
+%attr(0750,dovecot,dovecot) /var/lib/dovecot
+
+%{_datadir}/%{name}
+
+%{_bindir}/{sieve-dump,sieve-filter,sieve-test,sievec}
+%config(noreplace) %{_sysconfdir}/dovecot/conf.d/{20-managesieve.conf,90-sieve.conf,90-sieve-extprograms.conf}
+
+%{_docdir}/%{name}-pigeonhole
+
+%{_libexecdir}/%{name}/{managesieve,managesieve-login}
+
+%{_libdir}/dovecot/doveadm/*sieve*
+%{_libdir}/dovecot/*_sieve_plugin.so
+%{_libdir}/dovecot/settings/{libmanagesieve_*.so,libpigeonhole_*.so}
+%{_libdir}/dovecot/sieve/
+%{_libdir}/%{name}/libdriver_mysql.so
+%{_libdir}/%{name}/auth/libdriver_mysql.so
+%{_libdir}/%{name}/dict/libdriver_mysql.so
+%{_libdir}/%{name}/libdriver_pgsql.so
+%{_libdir}/%{name}/auth/libdriver_pgsql.so
+%{_libdir}/%{name}/dict/libdriver_pgsql.so
+
+%exclude %{_sysconfdir}/dovecot/README
+
+%files devel
+%{_includedir}/dovecot
+%{_datadir}/aclocal/dovecot*.m4
+%{_libdir}/dovecot/libdovecot*.so
+%{_libdir}/dovecot/dovecot-config
+
+
+%files help
+%{_mandir}/man1/*
+%{_mandir}/man7/doveadm-search-query.7*
+%{_mandir}/man7/pigeonhole.7*
+
+
+%changelog
+* Mon Dec 2 2019 wangzhishun - 2.3.3-4
+- Package init
diff --git a/dovecot.sysconfig b/dovecot.sysconfig
new file mode 100644
index 0000000000000000000000000000000000000000..3cb4bd4340679f9db072ba1206d5e1ce4e6a70cc
--- /dev/null
+++ b/dovecot.sysconfig
@@ -0,0 +1,3 @@
+# Here you can specify your dovecot command line options.
+#
+#OPTIONS=""
diff --git a/dovecot.tmpfilesd b/dovecot.tmpfilesd
new file mode 100644
index 0000000000000000000000000000000000000000..717849854147501abd2c94c6e7b536bc00165b17
--- /dev/null
+++ b/dovecot.tmpfilesd
@@ -0,0 +1,2 @@
+d /var/run/dovecot 0755 root dovecot -
+
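Review bot: In dovecot.spec, `Source:` and `Source8:` point at plain `http://` URLs and `%prep` unpacks both tarballs with `%autosetup` without any signature or digest check, so the build trusts whatever archive sits next to the spec. Switching the URLs to `https://` and verifying each tarball against a release signature or a pinned digest before `%autosetup` would close that gap. The patch list would also be easier to audit with a comment above each `Patch60xx` line naming the upstream commit it was taken from. The `%description` has a merged word (`systemsa wrapper package`).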