Dovecot SASL for postfix

Bug #164837 reported by Ante Karamatić on 2007-11-24
Affects: dovecot (Ubuntu); Importance: Low; Assigned to: Mathias Gug
Affects: tasksel (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

For out of the box integration of dovecot sasl and postfix, a couple of changes are needed in dovecot.conf. There are also changes needed in postfix configuration. Changes are described at http://www.postfix.org/SASL_README.html#server_dovecot

Since /etc/dovecot/dovecot.conf isn't a conffile, it could be changed from tasksel postinst script. Postfix offers an interface to its configuration through postconf, so it could also be set up through postinst.

Ante Karamatić (ivoks) wrote :

Example how this can be done from tasksel.

These changes in postfix and dovecot should be enough for a start. I don't think we should do anything more, like disabling plain-text auth over non-SSL/TLS connection. Those are the things we should document, but, imho, not enable by default.

Mathias Gug (mathiaz) wrote :

Thanks Ante for your patch.

Could you update your debdiff against the latest version of tasksel? I think you don't need to fix the Makefile anymore.

You're patching the dovecot configuration file during the postinstall script (which is fine I think wrt to the debian policy).

However dovecot.conf is handled via ucf. What will happen during a package upgrade? Will the user be asked to review the changes because a new/different configuration file is available? Ideally this shouldn't happen if the only change that has been made is the sasl configuration.

Changed in dovecot:
importance: Undecided → Low
status: New → In Progress

Ante Karamatić (ivoks) wrote :

I've created exactly the same dovecot package as the one we have now, but with a newer version of the one that was patched through postinst. There was no prompting on diff and all sasl changes were preserved.

More testing will be done when I finish all pieces of the configuration.

Ante Karamatić (ivoks) wrote :

Suggestion #1

Comments are more than welcome.

Ante Karamatić (ivoks) wrote :

Jump before saying 'Hop!'.

LaMont Jones (lamont) wrote :

If ucf/dovecot don't break with this, and assuming it works as far as the postfix config, this sounds like quite possibly the best solution for hardy.

Ante Karamatić (ivoks) wrote :

Last patch, ready for tasksel-2.70ubuntu1.

Please review and upload to main.

Ante Karamatić (ivoks) wrote :

Uff, uploaded an old one...

This one is correct.

Daniel Holbach (dholbach) wrote :

Server Team: could you please take a look at it?

Ante Karamatić (ivoks) wrote :

There's a new tasksel in the archive, so I need to create a new debdiff.

Ante Karamatić (ivoks) wrote :

Debdiff for new version

Changed in tasksel:
assignee: nobody → kitterman
status: New → In Progress

Scott Kitterman (kitterman) wrote :

I don't think the Dovecot changes should be done in tasksel. They seem suitable for the Dovecot package, but not tasksel. /etc/dovecot/dovecot.conf is a conffile.

Changed in tasksel:
assignee: kitterman → nobody
status: In Progress → Confirmed

Mathias Gug (mathiaz) wrote :

postinst scripts in tasksel are considered as maintainer scripts. So they cannot modify a configuration file. Patching dovecot.conf from the task postinstall script is forbidden.

So another solution would be:
 * modify the default dovecot.conf file to enable sasl by default in the dovecot package.
 * create a new package with a postinst script that would set up postfix with the postconf commands and depend on postfix
 * add the new package to the mail-server task so that dovecot and postfix are automatically integrated when the mail-server task is installed.

Changed in tasksel:
status: Confirmed → Invalid
Changed in dovecot:
status: In Progress → Triaged

On Wed, 12 Mar 2008 23:41:06 -0000
Mathias Gug <email address hidden> wrote:

> postinst scripts in tasksel are considered as maintainer scripts. So
> they cannot modify a configuration file. Patching dovecot.conf from the
> task postinstall script is forbidden.

Em... I thought we agreed that we will do this through tasksel.

/etc/dovecot/dovecot.conf is not a conffile
(cat /var/lib/dpkg/info/dovecot-common.conffiles) and we already alter
it through maintainer scripts (dovecot-pop3d.postinst and
dovecot-imapd.postinst).

Ante Karamatić (ivoks) wrote :

I've read conversation between Mathias, Steve and Adam. I agree that
tasksel's postinst is an ugly way to do it, but I don't think it's
wrong/illegal.

I'm all for meta package; this was my first suggestion anyway.

Colin Watson (cjwatson) wrote :

I'm not at all happy with doing this in tasksel; sorry.

Colin Watson (cjwatson) wrote :

To answer some confusion on #ubuntu-devel: task "maintainer scripts" are run by tasksel when installing (or removing) a task. They are not run by 'apt-get install task^', and so you should not rely on them for correctness. The only ones we have at the moment simply tweak package installation order to make things work a little better in the installer, but it wouldn't be a tragedy if they never got run. (Indeed, they never do get run during live filesystem builds, and it doesn't matter in that case.)

If you need an extra script to be run to deal with the integration, then this change absolutely needs to be done in a metapackage, not in tasksel.

Colin Watson (cjwatson) wrote :

I've committed Ante's Makefile fix in tasksel, which is accurate although it doesn't actually cause a problem without the other changes.

Ante Karamatić (ivoks) wrote :

According to everything we said, this is a preliminary debdiff which adds a new binary package to dovecot. There are some issues left to be resolved, but the idea behind the concept is in this debdiff.

Ante Karamatić (ivoks) wrote :

OK, this is a patch based on Colin's advice of how we should solve this. It adds a dovecot-postfix binary which then deploys a special dovecot configuration file and modifies the postfix configuration through postconf. Dovecot's init script checks for the existence of that configuration file and, if it exists, uses it instead of the default dovecot.conf.

Mathias Gug (mathiaz) on 2009-02-11
Changed in dovecot:
assignee: nobody → mathiaz
status: Triaged → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dovecot - 1:1.1.11-0ubuntu1

---------------
dovecot (1:1.1.11-0ubuntu1) jaunty; urgency=low

  [ Ante Karamatic ]
    Add new binary pkg dovecot-postfix that integrates postfix and dovecot
    automatically: (LP: #164837)
    - debian/control:
      + add new binary with short description.
    - debian/dovecot-postfix.postinst:
      + create initial certificate symlinks to snakeoil.
      + set up postfix with postconf to:
        - use Maildir/ as the default mailbox.
        - use dovecot as the sasl authentication server.
        - use dovecot LDA (deliver).
        - use tls for smtp{d} services.
      + restart postfix and dovecot.
    - debian/dovecot-postfix.postrm:
      + remove all dovecot related configuration from postfix.
      + restart postfix and dovecot.
    - debian/dovecot-common.init:
      + check if /etc/dovecot/dovecot-postfix.conf exists and use it
        as the configuration file if so.
    - debian/patches/warning-ubuntu-postfix.dpatch
      + add warning about dovecot-postfix.conf in dovecot default
        configuration file.
    - debian/patches/dovecot-postfix.conf.diff:
      + Ubuntu server custom changes to the default dovecot configuration for
        better integration with postfix:
        - enable imap, pop3, imaps, pop3s and managesieve by default.
        - enable dovecot LDA (deliver).
        - enable SASL auth socket in postfix private directory.
    - debian/rules:
      + copy, patch and install dovecot-postfix.conf in /etc/dovecot/.

  [ Mathias Gug ]
  * New upstream release:
  * Update dovecot-managesieve to 0.10.5. Fixes:
    - check if names of sieve scripts contain '/' (LP: #307291)
  * Update dovecot-managesieve patch for 1.1.11 and 0.10.5.
  * Update dovecot-sieve plugin to 1.1.6.
  * Merge from debian experimental, remaining changes:
    - Use Snakeoil SSL certificates by default.
      + debian/control: Depend on ssl-cert
      + debian/paptches/ssl-cert-snakeoil.dpatch: Change default SSL cert
        paths to snakeoil.
      + debian/dovecot-common.postinst: Relax grep for SSL_* a bit.
    - Add autopkgtest in debian/tests/*.
    - debian/dovecot-common.init: Check to see if there is an /etc/inetd.conf.
      (LP: #208411)
    - Fast TearDown: Update lsb init header to not stop in level 6.
    - Add status action to the init script:
      + debian/control: Depend on lsb >= 3.2.12ubuntu3.
      + debian/dovecot-common-init: Add the 'status' action (LP: #247096).
    - debian/rules:
      - Copy config.{guess,sub} after running libtoolize.
      - Clean dovecot-managesieve directory.
    - Add ufw integration:
      - Created debian/dovecot-common.ufw.profile
      - debian/rules:
        + install profile
      - debian/control
        + Suggest ufw
    - debian/{control,rules}: enable PIE hardening.
    - Updated dovecot.common.README.Debian with information on what has changed
      between 1.0 and 1.1.1. Fixes (LP: #257625)
    - dovecot-imapd, dovecot-pop3: Replaces dovecot-common (<< 1:1.1). LP: #254721.
    - debian/control:
      + Update Vcs-* headers.
  * debian/rules:
    - Create emtpy stamp.h.in files in dovecot-sieve/ and dovecot-managesi...


Changed in dovecot:
status: In Progress → Fix Released
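
The fix configures Postfix through postconf to use Dovecot as the SASL authentication server, and earlier in the thread disabling plain-text auth over non-TLS connections is left as something to document rather than enable by default. As an added example (not code from this bug report or from the dovecot-postfix package), the shell check below audits `postconf -n`-style output for those settings; the sample configuration is constructed, and the parameter names are standard Postfix parameters that do not appear on this page.

```shell
#!/bin/sh
# Constructed sample of `postconf -n` output; not taken from the bug report.
SAMPLE_CONF='home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may'

# get_param NAME: read "name = value" lines on stdin, print NAME's value.
# If NAME appears more than once, the last occurrence wins.
get_param() {
    awk -v key="$1" '
        { name = $0; sub(/[ \t]*=.*/, "", name) }
        name == key { val = $0; sub(/^[^=]*=[ \t]*/, "", val); found = 1 }
        END { if (found) print val }'
}

# expect CONF NAME WANT: print a finding unless NAME is set to WANT.
expect() {
    got=$(printf '%s\n' "$1" | get_param "$2")
    [ "$got" = "$3" ] && return 0
    printf 'FAIL %s: want "%s", got "%s"\n' "$2" "$3" "$got"
    return 1
}

# audit_sasl CONF: return 0 only if every check passes.
audit_sasl() {
    rc=0
    expect "$1" smtpd_sasl_auth_enable yes || rc=1
    expect "$1" smtpd_sasl_type dovecot || rc=1
    # The auth socket should live in Postfix's private directory.
    sock=$(printf '%s\n' "$1" | get_param smtpd_sasl_path)
    case $sock in
        private/?*) ;;
        *) printf 'FAIL smtpd_sasl_path: "%s" is not under private/\n' "$sock"
           rc=1 ;;
    esac
    # Without this, AUTH is also offered on sessions that have not started TLS.
    expect "$1" smtpd_tls_auth_only yes || rc=1
    return $rc
}

# On a live host: audit_sasl "$(postconf -n)"
audit_sasl "$SAMPLE_CONF" || echo "review the findings above"
```

On the constructed sample the only finding is the missing `smtpd_tls_auth_only`, which is the default behaviour the thread chose to keep.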