diff -u dovecot-1.1.4/debian/rules dovecot-1.1.4/debian/rules
--- dovecot-1.1.4/debian/rules
+++ dovecot-1.1.4/debian/rules
@@ -149,6 +149,10 @@
 	rm $(CURDIR)/debian/dovecot-common/etc/dovecot/dovecot-sql-example.conf
 	chmod 0700 $(CURDIR)/debian/dovecot-common/var/run/dovecot
 	chmod 0750 $(CURDIR)/debian/dovecot-common/var/run/dovecot/login
+	cp $(CURDIR)/debian/dovecot-common/usr/share/dovecot/dovecot.conf $(CURDIR)/debian/dovecot-postfix/usr/share/dovecot/dovecot-postfix.conf
+	patch -p0 -d $(CURDIR)/debian/dovecot-postfix/usr/share/dovecot/ -i $(CURDIR)/debian/patches/dovecot-postfix.conf.diff
+	[ -f $(CURDIR)/debian/dovecot-postfix/usr/share/dovecot/dovecot-postfix.conf.orig ] && rm $(CURDIR)/debian/dovecot-postfix/usr/share/dovecot/dovecot-postfix.conf.orig
+
 
 # Build architecture-independent files here.
 binary-indep: build install
diff -u dovecot-1.1.4/debian/control dovecot-1.1.4/debian/control
--- dovecot-1.1.4/debian/control
+++ dovecot-1.1.4/debian/control
@@ -62,0 +63,11 @@
+
+Package: dovecot-postfix
+Architecture: any
+Depends: dovecot-common, dovecot-imapd, dovecot-pop3d, postfix
+Description: full mail server stack provided by Ubuntu server team
+ Ubuntu's mail stack provides fully operational mail server with
+ safe defaults and additional options. Out of the box it supports IMAP,
+ POP3 and SMTP services with SASL authentication and Maildir as default
+ storage engine.
+ .
+ This package contains configuration file for dovecot.
diff -u dovecot-1.1.4/debian/changelog dovecot-1.1.4/debian/changelog
--- dovecot-1.1.4/debian/changelog
+++ dovecot-1.1.4/debian/changelog
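Review bot: The new `[ -f ...dovecot-postfix.conf.orig ] && rm ...` line fails the `install` recipe whenever the `.orig` file is absent, because a false test leaves a non-zero exit status and make aborts the target; GNU patch normally writes that backup only on a fuzzy apply, so the absent case is the common one. `rm -f $(CURDIR)/debian/dovecot-postfix/usr/share/dovecot/dovecot-postfix.conf.orig` does the same job without the guard. A one-line comment above the `cp`, such as `# dovecot-postfix.conf is dovecot.conf plus debian/patches/dovecot-postfix.conf.diff, applied at build time`, would tell the next maintainer where the Ubuntu defaults live.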
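Review bot: The new `Depends:` line lists neither `ucf` nor `ssl-cert`, yet the package's postinst calls `ucfr`/`ucf` unconditionally and symlinks the ssl-cert-snakeoil certificate and key; unless dovecot-common already pulls both in, a first install can fail on a missing ucf or leave dangling symlinks. `Depends: dovecot-common, dovecot-imapd, dovecot-pop3d, postfix, ucf, ssl-cert` makes the requirement explicit. The long description could also say that, once installed, /etc/dovecot/dovecot-postfix.conf is used by the init script instead of dovecot.conf, since that is the behaviour an administrator is most likely to be surprised by.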
@@ -1,3 +1,29 @@
+dovecot (1:1.1.4-0ubuntu2) jaunty; urgency=low
+
+  * Add new binary dovecot-postfix (LP: #164837)
+    - debian/control:
+      + add new binary with short description
+    - debian/rules:
+      + copy and patch and install dovecot-postfix.conf in dovecot-postfix
+    - debian/dovecot-postfix.postinst:
+      + create initial certificate symlinks to snakeoil
+      + set up postfix with postconf API
+      + restart postfix and dovecot
+    - debian/dovecot-postfix.postrm:
+      + remove all dovecot depended configuration from postfix
+      + restart postfix and dovecot
+    - debian/dovecot-common.init:
+      + check if /etc/dovecot/dovecot-postfix.conf exist and use it
+        as a configuration file
+    - debian/patches/warning-ubuntu-postfix.dpatch
+      + add warning about dovecot-postfix.conf configuration file
+    - debian/patches/dovecot-postfix.conf.diff:
+      + Ubuntu server custom changes diff
+  * debian/patches/managesieve-vritual-users-fix.dpatch:
+    - check if names of sieve scripts contain '/' (LP: #307291)
+
+ -- Ante Karamatic  Tue, 10 Feb 2009 18:23:09 +0000
+
 dovecot (1:1.1.4-0ubuntu1.2) intrepid-security; urgency=low
 
   * SECURITY UPDATE: denial of service via malformed headers.
diff -u dovecot-1.1.4/debian/dovecot-common.init dovecot-1.1.4/debian/dovecot-common.init
--- dovecot-1.1.4/debian/dovecot-common.init
+++ dovecot-1.1.4/debian/dovecot-common.init
@@ -33,6 +33,9 @@
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
 
+# If dovecot-postfix.conf exist, use it instead
+[ -f "/etc/dovecot/dovecot-postfix.conf" ] && CONF=/etc/dovecot/dovecot-postfix.conf && DAEMON_ARGS="$DAEMON_ARGS -c $CONF"
+
 # Exit if the configuration file doesn't exist
 [ -f "$CONF" ] || exit 0
 
diff -u dovecot-1.1.4/debian/patches/00list dovecot-1.1.4/debian/patches/00list
--- dovecot-1.1.4/debian/patches/00list
+++ dovecot-1.1.4/debian/patches/00list
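Review bot: The `[ -f ... ] && CONF=... && DAEMON_ARGS=...` chain returns non-zero whenever the file is absent; as a bare statement that is harmless, but if this init script runs with `set -e` (its head is outside the hunk) it would exit before the `[ -f "$CONF" ] || exit 0` check that follows. An explicit `if [ -f /etc/dovecot/dovecot-postfix.conf ]; then CONF=/etc/dovecot/dovecot-postfix.conf; DAEMON_ARGS="$DAEMON_ARGS -c $CONF"; fi` reads as intended and avoids that trap. The comment should read `# If dovecot-postfix.conf exists, use it instead of dovecot.conf` so the override is spelled out.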
@@ -13,0 +14,2 @@
+managesieve-vritual-users-fix
+warning-ubuntu-postfix
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/dovecot-postfix.postrm
+++ dovecot-1.1.4/debian/dovecot-postfix.postrm
@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+PATH=/usr/sbin:$PATH
+export PATH
+
+if [ "$1" = "purge" ] ; then
+    if which ucf >/dev/null; then
+        rm -rf /etc/dovecot/dovecot-postfix.conf
+        ucf --purge /etc/dovecot/dovecot-postfix.conf
+        ucfr --purge dovecot-postfix /etc/dovecot/dovecot-postfix.conf
+    fi
+    if [ -x "/usr/sbin/postconf" ]; then
+        if postconf mailbox_command | grep -q dovecot; then
+            postconf -e "mailbox_command = "
+        fi
+        if postconf smtpd_sasl_type | grep -q dovecot; then
+            postconf -e "smtpd_sasl_type = "
+            postconf -e "smtpd_sasl_path = "
+        fi
+    fi
+    if [ -x "/etc/init.d/postfix" ]; then
+        if [ -x /usr/sbin/invoke-rc.d ]; then
+            invoke-rc.d postfix reload
+        else
+            /etc/init.d/postfix reload
+        fi
+    fi
+    if [ -x "/etc/init.d/dovecot" ]; then
+        if [ -x /usr/sbin/invoke-rc.d ]; then
+            invoke-rc.d dovecot restart
+        else
+            /etc/init.d/dovecot restart
+        fi
+    fi
+fi
+
+#DEBHELPER#
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/dovecot-postfix.dirs
+++ dovecot-1.1.4/debian/dovecot-postfix.dirs
@@ -0,0 +1,3 @@
+usr
+usr/share
+usr/share/dovecot
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/dovecot-postfix.postinst
+++ dovecot-1.1.4/debian/dovecot-postfix.postinst
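Review bot: The purge branch blanks `smtpd_sasl_type` and `smtpd_sasl_path` but leaves the `smtpd_sasl_auth_enable = yes` that the companion postinst wrote, so postfix is left with SASL switched on and no backend, which it may refuse at the reload that follows; add `postconf -e "smtpd_sasl_auth_enable = no"` inside the same `if`. The `home_mailbox` and `smtpd_tls_*` values written by the postinst are not undone either, which may be deliberate but deserves a comment saying so. With `set -e` in effect, `invoke-rc.d postfix reload` and `invoke-rc.d dovecot restart` abort the purge when the service is stopped or policy-rc.d denies the action; `|| true` on the four service calls keeps a purge from failing half-way after the ucf registration is already gone.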
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" -a -z "$2" ]; then
+    ucfr dovecot-postfix /etc/dovecot/dovecot-postfix.conf
+
+    # Write new configuration file
+    ucf /usr/share/dovecot/dovecot-postfix.conf /etc/dovecot/dovecot-postfix.conf
+
+    # Create initial symlinks for certificates
+    if [ ! -f "/etc/ssl/private/ssl-mail.key" ]; then
+        ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-mail.key
+    fi
+    if [ ! -f "/etc/ssl/certs/ssl-mail.pem" ]; then
+        ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-mail.pem
+    fi
+    if [ -x "/usr/sbin/postconf" ]; then
+        postconf -e "home_mailbox = Maildir/"
+        postconf -e "smtpd_sasl_auth_enable = yes"
+        postconf -e "smtpd_sasl_type = dovecot"
+        postconf -e "smtpd_sasl_path = private/dovecot-auth"
+        postconf -e "smtpd_sasl_authenticated_header = yes"
+        postconf -e "smtpd_sasl_security_options = noanonymous"
+        postconf -e "smtpd_sasl_local_domain = $myhostname"
+        postconf -e "broken_sasl_auth_clients = yes"
+        postconf -e "smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated"
+        postconf -e "mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot-postfix.conf -n -m \"\${EXTENSION}\""
+        postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.crt"
+        postconf -e "smtpd_tls_key_file = /etc/ssl/private/ssl-mail.pem"
+        postconf -e "smtpd_use_tls = yes"
+        postconf -e "smtp_use_tls = yes"
+        postconf -e "smtpd_tls_received_header = yes"
+        postconf -e "smtpd_tls_mandatory_protocols = SSLv3, TLSv1"
+        postconf -e "smtpd_tls_mandatory_ciphers = medium, high"
+        postconf -e "smtpd_tls_auth_only = yes"
+        postconf -e "tls_random_source = dev:/dev/urandom"
+
+        if [ -x "/etc/init.d/postfix" ]; then
+            if [ -x /usr/sbin/invoke-rc.d ]; then
+                invoke-rc.d postfix reload
+            else
+                /etc/init.d/postfix reload
+            fi
+        fi
+    fi
+if [ -x "/etc/init.d/dovecot" ]; then
+    if [ -x /usr/sbin/invoke-rc.d ]; then
+        invoke-rc.d dovecot restart
+    else
+        /etc/init.d/dovecot restart
+    fi
+fi
+fi
+
+#DEBHELPER#
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/patches/warning-ubuntu-postfix.dpatch
+++ dovecot-1.1.4/debian/patches/warning-ubuntu-postfix.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## warning-ubuntu-postfix.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad dovecot-1.1.4~/dovecot-example.conf dovecot-1.1.4/dovecot-example.conf
+--- dovecot-1.1.4~/dovecot-example.conf	2009-02-10 18:42:49.000000000 +0000
++++ dovecot-1.1.4/dovecot-example.conf	2009-02-10 18:48:50.000000000 +0000
+@@ -2,6 +2,17 @@
+ 
+ # If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
+ 
++# ------------------------------ WARNING -------------------------------
++
++# If there's a file /dev/dovecot/dovecot-postfix.conf, which is part of
++# dovecot-postfix package, it will be used instead of dovecot.conf.
++
++# Keep in mind that, if that file exist, none of the changes in
++# /etc/dovecot/dovecot.conf will have effect on dovecot's configuration.
++# In that case you should customize /etc/dovecot/dovecot-postfix.conf.
++
++# ------------------------------ WARNING -------------------------------
++
+ # "dovecot -n" command gives a clean output of the changed settings. Use it
+ # instead of copy&pasting this file when posting to the Dovecot mailing list.
+ 
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/patches/dovecot-postfix.conf.diff
+++ dovecot-1.1.4/debian/patches/dovecot-postfix.conf.diff
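Review bot: `postconf -e "smtpd_sasl_local_domain = $myhostname"` is double-quoted, so the shell expands the unset `$myhostname` and postfix is handed an empty value instead of the literal `$myhostname` it would expand itself. The TLS settings further down also do not match the symlinks created at the top of the script: postfix is pointed at `/etc/ssl/certs/ssl-mail.crt` and `/etc/ssl/private/ssl-mail.pem`, while the links made are `/etc/ssl/certs/ssl-mail.pem` and `/etc/ssl/private/ssl-mail.key` (the names dovecot-postfix.conf.diff uses too), so `smtpd_use_tls = yes` refers to files that never exist. The `smtpd_recipient_restrictions` list ends with permit rules and contains no `reject_unauth_destination`; as far as I recall postfix refuses to start with such a list because it would otherwise relay for any client, so it should be appended. With `set -e` in effect, `invoke-rc.d postfix reload` and `invoke-rc.d dovecot restart` abort the configure step when the service is not running or policy-rc.d denies it, so `|| true` on those lines would keep an install in a chroot from failing.
```shell
        # … unchanged: ucf registration and the ssl-mail.pem / ssl-mail.key symlinks …
        # single quotes keep $myhostname literal; postfix expands it, the shell must not
        postconf -e 'smtpd_sasl_local_domain = $myhostname'
        # … unchanged: other smtpd_sasl_* settings and broken_sasl_auth_clients …
        postconf -e "smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
        # … unchanged: mailbox_command …
        # point postfix at the symlinks actually created above
        postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem"
        postconf -e "smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key"
        # … unchanged: remaining TLS settings and service reload/restart …
```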
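Review bot: The added warning names `/dev/dovecot/dovecot-postfix.conf`, but the init script and the package install the file as `/etc/dovecot/dovecot-postfix.conf`; the path should be corrected and `if that file exist` read `if that file exists`. The dpatch header still reads `## DP: No description.`; a line such as `## DP: Warn in dovecot-example.conf that dovecot-postfix.conf overrides dovecot.conf when present` would make the patch self-explanatory in the 00list.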
@@ -0,0 +1,182 @@
+--- dovecot-postfix.conf	2009-02-09 16:08:40.000000000 +0000
++++ dovecot-postfix.conf	2009-02-09 16:25:00.000000000 +0000
+@@ -21,7 +21,7 @@
+ # Protocols we want to be serving: imap imaps pop3 pop3s managesieve
+ # If you only want to use dovecot-auth, you can set this to "none".
+ #protocols = imap imaps
+-protocols = none
++protocols = imap pop3 imaps pop3s managesieve
+ 
+ # A space separated list of IP or host addresses where to listen in for
+ # connections. "*" listens in all IPv4 interfaces. "[::]" listens in all IPv6
+@@ -49,7 +49,7 @@
+ # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+ # matches the local IP (ie. you're connecting from the same computer), the
+ # connection is considered secure and plaintext authentication is allowed.
+-#disable_plaintext_auth = yes
++disable_plaintext_auth = yes
+ 
+ # Should all IMAP and POP3 processes be killed when Dovecot master process
+ # shuts down. Setting this to "no" means that Dovecot can be upgraded without
+@@ -90,13 +90,13 @@
+ #ssl_listen =
+ 
+ # Disable SSL/TLS support.
+-#ssl_disable = no
++ssl_disable = no
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root.
+-#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+-#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
++ssl_cert_file = /etc/ssl/certs/ssl-mail.pem
++ssl_key_file = /etc/ssl/private/ssl-mail.key
+ 
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter.
+@@ -122,7 +122,7 @@
+ #ssl_parameters_regenerate = 168
+ 
+ # SSL ciphers to use
+-#ssl_cipher_list = ALL:!LOW:!SSLv2
++ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM
+ 
+ # Show protocol level SSL errors.
+ #verbose_ssl = no
+@@ -219,7 +219,7 @@
+ #
+ #
+ #
+-#mail_location =
++mail_location = maildir:~/Maildir
+ 
+ # If you need to set multiple mailbox locations or want to change default
+ # namespace settings, you can do it by defining namespace sections.
+@@ -533,7 +533,7 @@
+ 
+   # Maximum number of IMAP connections allowed for a user from each IP address.
+   # NOTE: The username is compared case-sensitively.
+-  #mail_max_userip_connections = 10
++  mail_max_userip_connections = 5
+ 
+   # Support for dynamically loadable plugins. mail_plugins is a space separated
+   # list of plugins to load.
+@@ -543,7 +543,7 @@
+   # Send IMAP capabilities in greeting message. This makes it unnecessary for
+   # clients to request it with CAPABILITY command, so it saves one round-trip.
+   # Many clients however don't understand it and ask the CAPABILITY anyway.
+-  #login_greeting_capability = no
++  login_greeting_capability = yes
+ 
+   # IMAP logout format string:
+   #  %i - total number of bytes read from client
+@@ -572,7 +572,7 @@
+   # but not both. Thunderbird separates these two by forcing server to
+   # accept '/' suffix in mailbox names in subscriptions list.
+   # The list is space-separated.
+-  #imap_client_workarounds =
++  imap_client_workarounds = outlook-idle delay-newmail
+ }
+ 
+ ##
+@@ -640,7 +640,7 @@
+ 
+   # Maximum number of POP3 connections allowed for a user from each IP address.
+   # NOTE: The username is compared case-sensitively.
+-  #mail_max_userip_connections = 3
++  mail_max_userip_connections = 5
+ 
+   # Support for dynamically loadable plugins. mail_plugins is a space separated
+   # list of plugins to load.
+@@ -655,7 +655,7 @@
+   # Outlook Express and Netscape Mail breaks if end of headers-line is
+   # missing. This option simply sends it if it's missing.
+   # The list is space-separated.
+-  #pop3_client_workarounds =
++  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
+ }
+ 
+ ##
+@@ -704,9 +704,9 @@
+ ## LDA specific settings
+ ##
+ 
+-#protocol lda {
++protocol lda {
+   # Address to use when sending rejection mails.
+-  #postmaster_address = postmaster@example.com
++  postmaster_address = postmaster
+ 
+   # Hostname to use in various parts of sent mails, eg. in Message-Id.
+   # Default is the system's real hostname.
+@@ -719,25 +719,25 @@
+ 
+   # If user is over quota, return with temporary failure instead of
+   # bouncing the mail.
+-  #quota_full_tempfail = no
++  quota_full_tempfail = yes
+ 
+   # Format to use for logging mail deliveries. You can use variables:
+   #  %$ - Delivery status message (e.g. "saved to INBOX")
+   #  %m - Message-ID
+   #  %s - Subject
+   #  %f - From address
+-  #deliver_log_format = msgid=%m: %$
++  deliver_log_format = msgid=%m: %$
+ 
+   # Binary to use for sending mails.
+   #sendmail_path = /usr/lib/sendmail
+ 
+   # Human readable error message for rejection mails. Use can use variables:
+   #  %n = CRLF, %r = reason, %s = subject, %t = recipient
+-  #rejection_reason = Your message to <%t> was automatically rejected:%n%r
++  rejection_reason = Your message to <%t> was automatically rejected:%n%r
+ 
+   # UNIX socket path to master authentication server to find users.
+   #auth_socket_path = /var/run/dovecot/auth-master
+-#}
++}
+ 
+ ##
+ ## Authentication processes
+@@ -777,7 +777,7 @@
+ # an extra check to make sure user can't exploit any potential quote escaping
+ # vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+ # set this value to empty.
+-#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
++auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+ 
+ # Username character translations before it's looked up from databases. The
+ value contains series of from -> to characters. For example "#@/@" means
+@@ -1059,7 +1059,7 @@
+   #ssl_username_from_cert = no
+ 
+   # It's possible to export the authentication interface to other programs:
+-  #socket listen {
++  socket listen {
+     #master {
+       # Master socket provides access to userdb information. It's typically
+       # used to give Dovecot's local delivery agent access to userdb so it
+@@ -1070,14 +1070,16 @@
+       #user =
+       #group =
+     #}
+-    #client {
++    client {
+       # The client socket is generally safe to export to everyone. Typical use
+       # is to export it to your SMTP server so it can do SMTP AUTH lookups
+       # using it.
+-      #path = /var/run/dovecot/auth-client
+-      #mode = 0660
+-    #}
+-  #}
++      path = /var/spool/postfix/private/dovecot-auth
++      mode = 0660
++      user = postfix
++      group = postfix
++    }
++  }
+ }
+ 
+ # If you wish to use another authentication server than dovecot-auth, you can
only in patch2:
unchanged:
--- dovecot-1.1.4.orig/debian/patches/managesieve-vritual-users-fix.dpatch
+++ dovecot-1.1.4/debian/patches/managesieve-vritual-users-fix.dpatch
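Review bot: In `ssl_cipher_list = ALL:!LOW:!SSLv2:ALL:!aNULL:!ADH:!eNULL:!EXP:RC4+RSA:+HIGH:+MEDIUM` the second `ALL` and the bare `RC4+RSA` do nothing (OpenSSL's `!` exclusions are permanent and re-listing an already present suite does not move it), so the string reads as if it re-enabled suites it does not. `ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL:!EXP:+HIGH:+MEDIUM` should express the same preference order more plainly; confirm the two expand identically with `openssl ciphers -v` before switching. A comment above `ssl_cert_file`/`ssl_key_file` and above the `client` socket noting that these paths must agree with the symlinks and the `smtpd_sasl_path = private/dovecot-auth` written by dovecot-postfix.postinst would help keep the two files in step.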
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## managesieve-vritual-users-fix.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad dovecot-1.1.4~/dovecot-managesieve/src/lib-sievestorage/sieve-storage-save.c dovecot-1.1.4/dovecot-managesieve/src/lib-sievestorage/sieve-storage-save.c
+--- dovecot-1.1.4~/dovecot-managesieve/src/lib-sievestorage/sieve-storage-save.c	2009-02-10 17:03:06.000000000 +0000
++++ dovecot-1.1.4/dovecot-managesieve/src/lib-sievestorage/sieve-storage-save.c	2009-02-10 17:33:41.000000000 +0000
+@@ -154,6 +154,13 @@
+ 	pool_t pool;
+ 	const char *path;
+ 
++	/* Disallow '/' characters in script name */
++	if ( strchr(scriptname, '/') != NULL ) {
++		sieve_storage_set_error(storage, "Invalid script name '%s'.",
++			scriptname);
++		return NULL;
++	}
++
+ 	/* Prevent overwriting the active script link when it resides in the
+ 	 * sieve storage directory.
+ 	 */
+diff -urNad dovecot-1.1.4~/dovecot-managesieve/src/lib-sievestorage/sieve-storage-script.c dovecot-1.1.4/dovecot-managesieve/src/lib-sievestorage/sieve-storage-script.c
+--- dovecot-1.1.4~/dovecot-managesieve/src/lib-sievestorage/sieve-storage-script.c	2009-02-10 17:03:06.000000000 +0000
++++ dovecot-1.1.4/dovecot-managesieve/src/lib-sievestorage/sieve-storage-script.c	2009-02-10 17:33:41.000000000 +0000
+@@ -73,6 +73,13 @@
+ 	struct sieve_script *script;
+ 	const char *path;
+ 
++	/* Disallow '/' characters in script name */
++	if ( strchr(scriptname, '/') != NULL ) {
++		sieve_storage_set_error(storage, "Invalid script name '%s'.",
++			scriptname);
++		return NULL;
++	}
++
+ 	T_BEGIN {
+ 		path = t_strconcat( storage->dir, "/", scriptname, ".sieve", NULL );
+
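Review bot: The identical six-line `strchr(scriptname, '/')` check is pasted into sieve-storage-save.c and sieve-storage-script.c; a single helper such as `static bool sieve_scriptname_valid(const char *name) { return strchr(name, '/') == NULL; }` shared by both call sites keeps the two entry points from drifting and gives one place to tighten the rule later, and the hunk only shows these two builders of `storage->dir "/" scriptname ".sieve"`, so any other path construction from the name is presumably still unchecked and should call the same helper. The dpatch header still says `## DP: No description.`; it should name the issue, e.g. `## DP: Reject sieve script names containing '/' so a name cannot escape the storage directory (LP: #307291)`. Both enclosing functions start and end outside the hunk.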