From 38d9a6700d7248f523c8c9d056f1470f99eb7eef Mon Sep 17 00:00:00 2001
From: Zeljko Boros <Zeljko.Boros@carnet.hr>
Date: Sun, 23 May 2021 20:53:30 +0200
Subject: [PATCH] velike izmjene u postinstu i mkcert.sh zbog TLS putanja iz bustera

---
 debian/postinst | 85 +++++++++++++++++++++++++++++++++++++++++++------------
 mkcert.sh | 12 ++++----
 2 files changed, 73 insertions(+), 24 deletions(-)

diff --git a/debian/postinst b/debian/postinst
index e02759c..b9202d1 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -8,6 +8,40 @@ set -e # Load CARNet Tools . /usr/share/carnet-tools/functions.sh + +function move_certs() { + if [ -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then + mv -f /etc/dovecot/private/dovecot.pem /etc/dovecot/private/dovecot.key || true + fi + + if [ -f /etc/dovecot/dovecot.pem ]; then + mv -f /etc/dovecot/dovecot.pem /etc/dovecot/private/dovecot.pem || true + fi +} + +function put_new_certs() { +# postavlja cert i key na nove putanje iz bustera + cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.pem' \ + 's|#ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + cp_check_and_sed '#ssl_cert = </etc/dovecot/dovecot.pem' \ + 's|#ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + cp_check_and_sed 'ssl_cert = </etc/dovecot/dovecot.pem' \ + 's|ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + cp_check_and_sed 'ssl_key = </etc/dovecot/private/dovecot.pem' \ + 's|ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + cp_check_and_sed '#ssl_cert = </etc/dovecot/private/dovecot.pem' \ + 's|#ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true + cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.key' \ + 's|#ssl_key = </etc/dovecot/private/dovecot.key|ssl_key = </etc/dovecot/private/dovecot.key|g' \ + /etc/dovecot/conf.d/10-ssl.conf || true +} + + cp_check_and_sed '#disable_plaintext_auth' \ 's/#disable_plaintext_auth/disable_plaintext_auth/g' \ /etc/dovecot/conf.d/10-auth.conf || true 
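Review bot: The second `mv -f` in move_certs has no guard on its destination, so when /etc/dovecot/private/dovecot.key already exists (which skips the first `if`) while /etc/dovecot/private/dovecot.pem still holds the private key, the certificate silently overwrites that key file; mirror the first branch with `if [ -f /etc/dovecot/dovecot.pem -a ! -e /etc/dovecot/private/dovecot.pem ]; then`, or use `mv -n`. Both new functions also use the bash-only `function` keyword; if postinst's shebang (outside this hunk) is `#!/bin/sh`, dash rejects `function move_certs() {` as a syntax error and the package fails to configure, so write `move_certs() {` and `put_new_certs() {`. Because every step ends in `|| true`, a failed move or sed is never reported and 10-ssl.conf can end up pointing at files that were not moved; consider at least printing a warning to stderr when `mv` fails.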
@@ -16,7 +50,7 @@ cp_check_and_sed 'disable_plaintext_auth.*yes' \
 's/disable_plaintext_auth.*$/disable_plaintext_auth = no/g' \
 /etc/dovecot/conf.d/10-auth.conf || true
-if ! grep -q "mail_privileged_group.*mail$" /etc/dovecot/conf.d/10-mail.conf \
+if ! grep -q "mail_privileged_group.*mail$" /etc/dovecot/conf.d/10-mail.conf; then
 cp_check_and_sed 'mail_privileged_group' \
 's/mail_privileged_group.*$/mail_privileged_group = mail/g' \
 /etc/dovecot/conf.d/10-mail.conf || true
@@ -57,26 +91,41 @@ cp_check_and_sed 'ssl = no' \
 's/^ssl = no/ssl = yes/g' \
 /etc/dovecot/conf.d/10-ssl.conf || true
-if ! grep -q ^ssl_cert /etc/dovecot/conf.d/10-ssl.conf \
- && ! grep -q ^ssl_key /etc/dovecot/conf.d/10-ssl.conf; then
-
- if [ ! -f /etc/dovecot/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.pem ]; then
- echo "CN: Generating certificate and key..."
- /usr/share/dovecot-cn/mkcert.sh || true
- fi
- cp_check_and_sed '#ssl_cert = </etc/dovecot/dovecot.pem' \
- 's|#ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/dovecot.pem|g' \
- /etc/dovecot/conf.d/10-ssl.conf || true
- cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.pem' \
- 's|#ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.pem|g' \
- /etc/dovecot/conf.d/10-ssl.conf || true
- # negdje se pojavljuje dovecot.key umjesto dovecot.pem
- cp_check_and_sed 'ssl_key = </etc/dovecot/private/dovecot.key' \
- 's|ssl_key = </etc/dovecot/private/dovecot.key|ssl_key = </etc/dovecot/private/dovecot.pem|g' \
- /etc/dovecot/conf.d/10-ssl.conf || true
+dovecert="$(doveconf ssl_cert)"
+dovekey="$(doveconf ssl_key)"
+
+if [ -n "$dovecert" -a -n "$dovekey" ]; then
+ echo -n "CN: Opcije ssl_cert i ssl_key su pronaÄene"
+
+ cfile=$(grep -l ^ssl_cert /etc/dovecot/conf.d/*.conf | tail -1)
+ kfile=$(grep -l ^ssl_key /etc/dovecot/conf.d/*.conf | tail -1)
+
+ if grep -q ^ssl_cert $cfile && grep -q ^ssl_key $kfile; then
+ if [ "$cfile" != "/etc/dovecot/conf.d/10-ssl.conf" -o "$kfile" != "/etc/dovecot/conf.d/10-ssl.conf" ]; then
+ echo " izvan 10-ssl.conf (u $cfile), preskaÄem rekonfiguraciju..."
+ else
+ echo " u /etc/dovecot/conf.d/10-ssl.conf. Postavljam default vrijednosti iz Debiana 10..."
+ put_new_certs
+ move_certs
+ fi
+ fi
+else
+ echo "CN: ssl_cert i ssl_key nisu definirani, postavljam default vrijednosti iz Debiana 10!"
+ # ako postoji, pomaknut Äemo stari certifikat na novo mjesto i preimenovati kljuc
+ # ako ne postoje certifikati generiraj ih i postavi na prava mjesta
+
+ move_certs
+
+ if [ ! -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then
+ echo "CN: Pravim certifikat i kljuc i postavljam ih u /etc/dovecot/private..."
+ /usr/share/dovecot-cn/mkcert.sh || true
+ fi
+ put_new_certs
 fi
+
+
 ### buster ima ssl_min_protocol umjesto ssl_protocols
 # ne radimo niÅ¡ta ako veÄ postoji ^ssl_min_protocol = TLS*, možda je sistemac smanjivao level TLS-a
diff --git a/mkcert.sh b/mkcert.sh
index 3689b17..8a38b5f 100755
--- a/mkcert.sh
+++ b/mkcert.sh
@@ -2,24 +2,24 @@
 # Generates a self-signed certificate.
 # Edit dovecot-openssl.cnf before running this.
+# edit by Zeljko Boros
 umask 077
 OPENSSL=${OPENSSL-openssl}
 SSLDIR=${SSLDIR-/etc/ssl}
 OPENSSLCONFIG=${OPENSSLCONFIG-/usr/share/dovecot-cn/dovecot-openssl.cnf}
-CERTDIR=/etc/dovecot
-KEYDIR=/etc/dovecot/private
+CERTKEYDIR=/etc/dovecot/private
-CERTFILE=$CERTDIR/dovecot.pem
-KEYFILE=$KEYDIR/dovecot.pem
+CERTFILE=$CERTKEYDIR/dovecot.pem
+KEYFILE=$CERTKEYDIR/dovecot.key
-if [ ! -d $CERTDIR ]; then
+if [ ! -d $CERTKEYDIR ]; then
 echo "$SSLDIR/certs directory doesn't exist"
 exit 1
 fi
-if [ ! -d $KEYDIR ]; then
+if [ ! -d $CERTKEYDIR ]; then
 echo "$SSLDIR/private directory doesn't exist"
 exit 1
 fi
-- 
1.7.10.4
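Review bot: `[ -n "$dovecert" -a -n "$dovekey" ]` is effectively always true, because `doveconf ssl_cert` prints the setting as `ssl_cert = ` (name included) even when the value is empty, so the else branch that generates a certificate is only reached when doveconf itself fails; capture the bare values with `dovecert="$(doveconf -h ssl_cert)"` and `dovekey="$(doveconf -h ssl_key)"`. In the found branch `cfile` and `kfile` come from `grep -l` over conf.d/*.conf piped to `tail -1` and are then used unquoted; when the settings live outside conf.d (a local.conf, for instance) both are empty and `grep -q ^ssl_cert $cfile` reads stdin, which in a maintainer script can block the install, so guard with `[ -n "$cfile" ] && grep -q ^ssl_cert "$cfile"`. The two branches also run the steps in opposite order (`put_new_certs` then `move_certs` here, `move_certs` then `put_new_certs` in the else branch); rewriting the config before the files are moved means a failed, `|| true`-masked move leaves ssl_key pointing at a missing /etc/dovecot/private/dovecot.key and Dovecot without TLS, so move first in both branches.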
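Review bot: With CERTDIR and KEYDIR collapsed into CERTKEYDIR, the two `if [ ! -d $CERTKEYDIR ]` checks are identical, and their messages still name `$SSLDIR/certs` and `$SSLDIR/private`, which is not the directory being tested; fold them into one check that reports the real path, `if [ ! -d "$CERTKEYDIR" ]; then echo "$CERTKEYDIR directory doesn't exist" >&2; exit 1; fi`. The certificate is now created under the private directory with `umask 077` in effect, so it will be root-only like the key; Dovecot should still load it since it reads ssl_cert with root privileges, but anything else that expected a readable /etc/dovecot/dovecot.pem will no longer find it. The openssl invocation that writes `$CERTFILE` and `$KEYFILE` lies outside this hunk, so confirm it still uses both variables.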