-#!/bin/sh -e
+#!/bin/sh
+
+set -e
[ "$1" = "configure" ] || exit 0
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
. /usr/share/carnet-tools/functions.sh
-cp_check_and_sed '^protocols' \
- 's/protocols.*$/protocols = imap imaps pop3 pop3s/g' \
- /etc/dovecot/dovecot.conf || true
+move_certs() {
+ if [ -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then
+ mv -f /etc/dovecot/private/dovecot.pem /etc/dovecot/private/dovecot.key || true
+ fi
+
+ if [ -f /etc/dovecot/dovecot.pem ]; then
+ mv -f /etc/dovecot/dovecot.pem /etc/dovecot/private/dovecot.pem || true
+ fi
+}
+
+put_new_certs() {
+# postavlja cert i key na nove putanje iz bustera
+ cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.pem' \
+ 's|#ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_cert = </etc/dovecot/dovecot.pem' \
+ 's|#ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed 'ssl_cert = </etc/dovecot/dovecot.pem' \
+ 's|ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed 'ssl_key = </etc/dovecot/private/dovecot.pem' \
+ 's|ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_cert = </etc/dovecot/private/dovecot.pem' \
+ 's|#ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.key' \
+ 's|#ssl_key = </etc/dovecot/private/dovecot.key|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+}
+
cp_check_and_sed '#disable_plaintext_auth' \
's/#disable_plaintext_auth/disable_plaintext_auth/g' \
- /etc/dovecot/dovecot.conf || true
+ /etc/dovecot/conf.d/10-auth.conf || true
cp_check_and_sed 'disable_plaintext_auth.*yes' \
's/disable_plaintext_auth.*$/disable_plaintext_auth = no/g' \
- /etc/dovecot/dovecot.conf || true
+ /etc/dovecot/conf.d/10-auth.conf || true
+
+if ! grep -q "mail_privileged_group.*mail$" /etc/dovecot/conf.d/10-mail.conf; then
+ cp_check_and_sed 'mail_privileged_group' \
+ 's/mail_privileged_group.*$/mail_privileged_group = mail/g' \
+ /etc/dovecot/conf.d/10-mail.conf || true
+fi
cp_check_and_sed '#imap_client_workarounds' \
's/#imap_client_workarounds/imap_client_workarounds/g' \
- /etc/dovecot/dovecot.conf || true
+ /etc/dovecot/conf.d/20-imap.conf || true
cp_check_and_sed '#pop3_client_workarounds' \
's/#pop3_client_workarounds/pop3_client_workarounds/g' \
- /etc/dovecot/dovecot.conf || true
+ /etc/dovecot/conf.d/20-pop3.conf || true
cp_check_and_sed 'imap_client_workarounds' \
- 's/imap_client_workarounds.*$/imap_client_workarounds = outlook-idle tb-extra-mailbox-sep netscape-eoh delay-newmail/g' \
- /etc/dovecot/dovecot.conf || true
+ 's/imap_client_workarounds.*$/imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags/g' \
+ /etc/dovecot/conf.d/20-imap.conf || true
cp_check_and_sed 'pop3_client_workarounds' \
's/pop3_client_workarounds.*$/pop3_client_workarounds = outlook-no-nuls oe-ns-eoh/g' \
- /etc/dovecot/dovecot.conf || true
+ /etc/dovecot/conf.d/20-pop3.conf || true
-cp_check_and_sed 'pop3_uidl_format' \
- 's/pop3_uidl_format.*$/pop3_uidl_format = %v.%u/g' \
- /etc/dovecot/dovecot.conf || true
+cp_check_and_sed '#ssl_cipher_list' \
+ 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:HIGH/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
-cp_check_and_sed '#quota = maildir' \
- 's/#quota = maildir/quota = fs/g' \
- /etc/dovecot/dovecot.conf || true
+# izbacujemo SSLv2
+cp_check_and_sed 'ssl_cipher_list' \
+ 's/:\!SSLv2//g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
-# dodano zbog backward compatibility (etch->lenny)
-cp_check_and_sed '^mail_extra_groups' \
- 's/^mail_extra_groups/mail_privileged_group/g' \
- /etc/dovecot/dovecot.conf || true
+# trazio zelja
+cp_check_and_sed '#ssl =' \
+ 's/^#ssl =/ssl =/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
-cp_check_and_sed '#ssl_cipher_list' \
- 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:!SSLv2:HIGH/g' \
- /etc/dovecot/dovecot.conf || true
+# trazio zelja
+cp_check_and_sed 'ssl = no' \
+ 's/^ssl = no/ssl = yes/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
-# ovo je potrebno postaviti u verziji 1.2
-cp_check_and_sed '#mail_location' \
- 's|#mail_location.*|mail_location=mbox:~/mail:INBOX=/var/mail/%u|g' \
- /etc/dovecot/dovecot.conf || true
-# trazio zelja
-cp_check_and_sed '^ssl_disable' \
- 's/^ssl_disable = yes/#ssl_disable = yes/g' \
- /etc/dovecot/dovecot.conf || true
+dovecert="$(doveconf ssl_cert)"
+dovekey="$(doveconf ssl_key)"
-cp_check_and_sed '#ssl = yes' \
- 's/^#ssl = yes/ssl = yes/g' \
- /etc/dovecot/dovecot.conf || true
+if [ -n "$dovecert" -a -n "$dovekey" ]; then
+ echo -n "CN: Opcije ssl_cert i ssl_key su pronađene"
-# restart
-if [ -x /usr/sbin/invoke-rc.d ]; then
- [ -x /etc/init.d/dovecot ] && invoke-rc.d dovecot restart
+ cfile=$(grep -l ^ssl_cert /etc/dovecot/conf.d/*.conf | tail -1)
+ kfile=$(grep -l ^ssl_key /etc/dovecot/conf.d/*.conf | tail -1)
+
+ if grep -q ^ssl_cert $cfile && grep -q ^ssl_key $kfile; then
+ if [ "$cfile" != "/etc/dovecot/conf.d/10-ssl.conf" -o "$kfile" != "/etc/dovecot/conf.d/10-ssl.conf" ]; then
+ echo " izvan 10-ssl.conf (u $cfile), preskačem rekonfiguraciju..."
+ else
+ echo " u /etc/dovecot/conf.d/10-ssl.conf. Postavljam default vrijednosti iz Debiana 10..."
+ put_new_certs
+ move_certs
+ fi
+ fi
else
- [ -x /etc/init.d/dovecot ] && /etc/init.d/dovecot restart
+ echo "CN: ssl_cert i ssl_key nisu definirani, postavljam default vrijednosti iz Debiana 10!"
+ # ako postoji, pomaknut ćemo stari certifikat na novo mjesto i preimenovati kljuc
+ # ako ne postoje certifikati generiraj ih i postavi na prava mjesta
+
+ move_certs
+
+ if [ ! -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then
+ echo "CN: Pravim certifikat i kljuc i postavljam ih u /etc/dovecot/private..."
+ /usr/share/dovecot-cn/mkcert.sh || true
+ fi
+ put_new_certs
fi
+
+
+
+### buster ima ssl_min_protocol umjesto ssl_protocols
+# ne radimo ništa ako već postoji ^ssl_min_protocol = TLS*, možda je sistemac smanjivao level TLS-a
+
+if ! grep -q "^ssl_min_protocol = TLS" /etc/dovecot/conf.d/10-ssl.conf; then
+ # postavlja minimalni TLS protokol i mijenja ime varijable
+ cp_check_and_sed '#ssl_protocols =' \
+ 's/^#ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # postavlja minimalni TLS protokol ako je varijabla već uključena
+ cp_check_and_sed 'ssl_protocols =' \
+ 's/^ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # samo popravlja inačicu protokola i uključuje varijablu
+ cp_check_and_sed '#ssl_min_protocol =' \
+ 's/^#ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # popravlja inačicu protokola ako je varijabla već uključena (ako je zaostao SSLv2 i SSLv3)
+ cp_check_and_sed 'ssl_min_protocol =' \
+ 's/^ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+fi
+
+### buster ima DH ključ koji se nalazi u paketu dovecot-core
+# ne radimo ništa ako već postoji ^ssl_dh koji nije prazan
+
+if ! grep -q "^ssl_dh = /" /etc/dovecot/conf.d/10-ssl.conf; then
+ # postavlja DH i uključuje varijablu
+ cp_check_and_sed '#ssl_dh =' \
+ 's,^#ssl_dh.*,ssl_dh = </usr/share/dovecot/dh.pem,g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+fi
+
+# maknuti kludge kreiran u carnet-upgrade
+test -f /etc/dovecot/conf.d/95-cn6-upgrade.conf && mv /etc/dovecot/conf.d/95-cn6-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn7-upgrade.conf && mv /etc/dovecot/conf.d/95-cn7-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn8-upgrade.conf && mv /etc/dovecot/conf.d/95-cn8-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn9-upgrade.conf && mv /etc/dovecot/conf.d/95-cn9-upgrade.conf /var/backups || true
+# nije više potrebno editirati dovecot.conf koji je samo hrpa includea
+test -f /etc/dovecot/dovecot.conf.cn6-upgrade && mv /etc/dovecot/dovecot.conf.cn6-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn7-upgrade && mv /etc/dovecot/dovecot.conf.cn7-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn8-upgrade && mv /etc/dovecot/dovecot.conf.cn8-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn9-upgrade && mv /etc/dovecot/dovecot.conf.cn9-upgrade /var/backups || true
+
+# staro, može se brisati
+# dodao ico, gasi SSLv3 protokol
+#cp_check_and_sed '#ssl_protocols =' \
+# 's/^#ssl_protocols.*/ssl_protocols = !SSLv3/g' \
+# /etc/dovecot/conf.d/10-ssl.conf || true
+
+# dodao zelja, gasi stare SSL protokole
+#cp_check_and_sed 'ssl_protocols =' \
+# 's/\!SSLv2 //g' \
+# /etc/dovecot/conf.d/10-ssl.conf || true
+
+# dodao zelja, gasi stare SSL protokole/ciphere u 95-cn9-upgrade.conf ako postoje
+#if [ -f /etc/dovecot/conf.d/95-cn9-upgrade.conf ]; then
+# cp_check_and_sed 'ssl_protocols =' \
+# 's/\!SSLv2 //g' \
+# /etc/dovecot/conf.d/95-cn9-upgrade.conf || true
+# cp_check_and_sed 'ssl_cipher_list' \
+# 's/:\!SSLv2//g' \
+# /etc/dovecot/conf.d/95-cn9-upgrade.conf || true
+#fi
+
+# restart
+service dovecot restart || true
+
+#DEBHELPER#
+
+exit 0
projects / dovecot-cn.git / blobdiff