X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fpostinst;h=e02759cec0620a22cb5c0af8d23c00ba548b3552;hb=0425a071bf6c08b013b9dcd92f03fe0c2e5067ad;hp=6ecc8f60a2b9f3ff9158d6e5fec2bf914e734e65;hpb=a80671d5f813a53e6199cd63c7db8e89ba8c0d87;p=dovecot-cn.git diff --git a/debian/postinst b/debian/postinst index 6ecc8f6..e02759c 100755 --- a/debian/postinst +++ b/debian/postinst @@ -1,4 +1,6 @@ -#!/bin/sh -e +#!/bin/sh + +set -e [ "$1" = "configure" ] || exit 0 [ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx @@ -14,6 +16,12 @@ cp_check_and_sed 'disable_plaintext_auth.*yes' \ 's/disable_plaintext_auth.*$/disable_plaintext_auth = no/g' \ /etc/dovecot/conf.d/10-auth.conf || true +if ! grep -q "mail_privileged_group.*mail$" /etc/dovecot/conf.d/10-mail.conf \ + cp_check_and_sed 'mail_privileged_group' \ + 's/mail_privileged_group.*$/mail_privileged_group = mail/g' \ + /etc/dovecot/conf.d/10-mail.conf || true +fi + cp_check_and_sed '#imap_client_workarounds' \ 's/#imap_client_workarounds/imap_client_workarounds/g' \ /etc/dovecot/conf.d/20-imap.conf || true @@ -31,7 +39,12 @@ cp_check_and_sed 'pop3_client_workarounds' \ /etc/dovecot/conf.d/20-pop3.conf || true cp_check_and_sed '#ssl_cipher_list' \ - 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:!SSLv2:HIGH/g' \ + 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:HIGH/g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + +# izbacujemo SSLv2 +cp_check_and_sed 'ssl_cipher_list' \ + 's/:\!SSLv2//g' \ /etc/dovecot/conf.d/10-ssl.conf || true # trazio zelja @@ -46,30 +59,93 @@ cp_check_and_sed 'ssl = no' \ if ! grep -q ^ssl_cert /etc/dovecot/conf.d/10-ssl.conf \ && ! grep -q ^ssl_key /etc/dovecot/conf.d/10-ssl.conf; then + + if [ ! -f /etc/dovecot/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.pem ]; then + echo "CN: Generating certificate and key..." + /usr/share/dovecot-cn/mkcert.sh || true + fi + cp_check_and_sed '#ssl_cert = /dev/null +### buster ima ssl_min_protocol umjesto ssl_protocols +# ne radimo ništa ako već postoji ^ssl_min_protocol = TLS*, možda je sistemac smanjivao level TLS-a + +if ! grep -q "^ssl_min_protocol = TLS" /etc/dovecot/conf.d/10-ssl.conf; then + # postavlja minimalni TLS protokol i mijenja ime varijable + cp_check_and_sed '#ssl_protocols =' \ + 's/^#ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + + # postavlja minimalni TLS protokol ako je varijabla već uključena + cp_check_and_sed 'ssl_protocols =' \ + 's/^ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + + # samo popravlja inačicu protokola i uključuje varijablu + cp_check_and_sed '#ssl_min_protocol =' \ + 's/^#ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + + # popravlja inačicu protokola ako je varijabla već uključena (ako je zaostao SSLv2 i SSLv3) + cp_check_and_sed 'ssl_min_protocol =' \ + 's/^ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \ + /etc/dovecot/conf.d/10-ssl.conf || true fi +### buster ima DH ključ koji se nalazi u paketu dovecot-core +# ne radimo ništa ako već postoji ^ssl_dh koji nije prazan +if ! grep -q "^ssl_dh = /" /etc/dovecot/conf.d/10-ssl.conf; then + # postavlja DH i uključuje varijablu + cp_check_and_sed '#ssl_dh =' \ + 's,^#ssl_dh.*,ssl_dh =