-#!/bin/sh -e
+#!/bin/sh
+
+set -e
[ "$1" = "configure" ] || exit 0
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
# Load CARNet Tools
. /usr/share/carnet-tools/functions.sh
+
+move_certs() {
+ if [ -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then
+ mv -f /etc/dovecot/private/dovecot.pem /etc/dovecot/private/dovecot.key || true
+ fi
+
+ if [ -f /etc/dovecot/dovecot.pem ]; then
+ mv -f /etc/dovecot/dovecot.pem /etc/dovecot/private/dovecot.pem || true
+ fi
+}
+
+put_new_certs() {
+# postavlja cert i key na nove putanje iz bustera
+ cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.pem' \
+ 's|#ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_cert = </etc/dovecot/dovecot.pem' \
+ 's|#ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed 'ssl_cert = </etc/dovecot/dovecot.pem' \
+ 's|ssl_cert = </etc/dovecot/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed 'ssl_key = </etc/dovecot/private/dovecot.pem' \
+ 's|ssl_key = </etc/dovecot/private/dovecot.pem|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_cert = </etc/dovecot/private/dovecot.pem' \
+ 's|#ssl_cert = </etc/dovecot/private/dovecot.pem|ssl_cert = </etc/dovecot/private/dovecot.pem|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+ cp_check_and_sed '#ssl_key = </etc/dovecot/private/dovecot.key' \
+ 's|#ssl_key = </etc/dovecot/private/dovecot.key|ssl_key = </etc/dovecot/private/dovecot.key|g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+}
+
+
cp_check_and_sed '#disable_plaintext_auth' \
's/#disable_plaintext_auth/disable_plaintext_auth/g' \
/etc/dovecot/conf.d/10-auth.conf || true
's/disable_plaintext_auth.*$/disable_plaintext_auth = no/g' \
/etc/dovecot/conf.d/10-auth.conf || true
+if ! grep -q "mail_privileged_group.*mail$" /etc/dovecot/conf.d/10-mail.conf; then
+ cp_check_and_sed 'mail_privileged_group' \
+ 's/mail_privileged_group.*$/mail_privileged_group = mail/g' \
+ /etc/dovecot/conf.d/10-mail.conf || true
+fi
+
cp_check_and_sed '#imap_client_workarounds' \
's/#imap_client_workarounds/imap_client_workarounds/g' \
/etc/dovecot/conf.d/20-imap.conf || true
/etc/dovecot/conf.d/20-pop3.conf || true
cp_check_and_sed '#ssl_cipher_list' \
- 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:!SSLv2:HIGH/g' \
+ 's/#ssl_cipher_list.*/ssl_cipher_list = ALL:!aNULL:!eNULL:!ADH!LOW:!MEDIUM:!EXP:HIGH/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+# izbacujemo SSLv2
+cp_check_and_sed 'ssl_cipher_list' \
+ 's/:\!SSLv2//g' \
/etc/dovecot/conf.d/10-ssl.conf || true
# trazio zelja
's/^#ssl =/ssl =/g' \
/etc/dovecot/conf.d/10-ssl.conf || true
-# restart
-if [ -x /usr/sbin/invoke-rc.d ]; then
- [ -x /etc/init.d/dovecot ] && invoke-rc.d dovecot restart
+# trazio zelja
+cp_check_and_sed 'ssl = no' \
+ 's/^ssl = no/ssl = yes/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+
+dovecert="$(doveconf ssl_cert)"
+dovekey="$(doveconf ssl_key)"
+
+if [ -n "$dovecert" -a -n "$dovekey" ]; then
+ echo -n "CN: Opcije ssl_cert i ssl_key su pronađene"
+
+ cfile=$(grep -l ^ssl_cert /etc/dovecot/conf.d/*.conf | tail -1)
+ kfile=$(grep -l ^ssl_key /etc/dovecot/conf.d/*.conf | tail -1)
+
+ if grep -q ^ssl_cert $cfile && grep -q ^ssl_key $kfile; then
+ if [ "$cfile" != "/etc/dovecot/conf.d/10-ssl.conf" -o "$kfile" != "/etc/dovecot/conf.d/10-ssl.conf" ]; then
+ echo " izvan 10-ssl.conf (u $cfile), preskačem rekonfiguraciju..."
+ else
+ echo " u /etc/dovecot/conf.d/10-ssl.conf. Postavljam default vrijednosti iz Debiana 10..."
+ put_new_certs
+ move_certs
+ fi
+ fi
else
- [ -x /etc/init.d/dovecot ] && /etc/init.d/dovecot restart
+ echo "CN: ssl_cert i ssl_key nisu definirani, postavljam default vrijednosti iz Debiana 10!"
+ # ako postoji, pomaknut ćemo stari certifikat na novo mjesto i preimenovati kljuc
+ # ako ne postoje certifikati generiraj ih i postavi na prava mjesta
+
+ move_certs
+
+ if [ ! -f /etc/dovecot/private/dovecot.pem -a ! -f /etc/dovecot/private/dovecot.key ]; then
+ echo "CN: Pravim certifikat i kljuc i postavljam ih u /etc/dovecot/private..."
+ /usr/share/dovecot-cn/mkcert.sh || true
+ fi
+ put_new_certs
+fi
+
+
+
+### buster ima ssl_min_protocol umjesto ssl_protocols
+# ne radimo ništa ako već postoji ^ssl_min_protocol = TLS*, možda je sistemac smanjivao level TLS-a
+
+if ! grep -q "^ssl_min_protocol = TLS" /etc/dovecot/conf.d/10-ssl.conf; then
+ # postavlja minimalni TLS protokol i mijenja ime varijable
+ cp_check_and_sed '#ssl_protocols =' \
+ 's/^#ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # postavlja minimalni TLS protokol ako je varijabla već uključena
+ cp_check_and_sed 'ssl_protocols =' \
+ 's/^ssl_protocols.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # samo popravlja inačicu protokola i uključuje varijablu
+ cp_check_and_sed '#ssl_min_protocol =' \
+ 's/^#ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+
+ # popravlja inačicu protokola ako je varijabla već uključena (ako je zaostao SSLv2 i SSLv3)
+ cp_check_and_sed 'ssl_min_protocol =' \
+ 's/^ssl_min_protocol.*/ssl_min_protocol = TLSv1.2/g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
fi
+### buster ima DH ključ koji se nalazi u paketu dovecot-core
+# ne radimo ništa ako već postoji ^ssl_dh koji nije prazan
+
+if ! grep -q "^ssl_dh = /" /etc/dovecot/conf.d/10-ssl.conf; then
+ # postavlja DH i uključuje varijablu
+ cp_check_and_sed '#ssl_dh =' \
+ 's,^#ssl_dh.*,ssl_dh = </usr/share/dovecot/dh.pem,g' \
+ /etc/dovecot/conf.d/10-ssl.conf || true
+fi
+
+# maknuti kludge kreiran u carnet-upgrade
+test -f /etc/dovecot/conf.d/95-cn6-upgrade.conf && mv /etc/dovecot/conf.d/95-cn6-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn7-upgrade.conf && mv /etc/dovecot/conf.d/95-cn7-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn8-upgrade.conf && mv /etc/dovecot/conf.d/95-cn8-upgrade.conf /var/backups || true
+test -f /etc/dovecot/conf.d/95-cn9-upgrade.conf && mv /etc/dovecot/conf.d/95-cn9-upgrade.conf /var/backups || true
+# nije više potrebno editirati dovecot.conf koji je samo hrpa includea
+test -f /etc/dovecot/dovecot.conf.cn6-upgrade && mv /etc/dovecot/dovecot.conf.cn6-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn7-upgrade && mv /etc/dovecot/dovecot.conf.cn7-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn8-upgrade && mv /etc/dovecot/dovecot.conf.cn8-upgrade /var/backups || true
+test -f /etc/dovecot/dovecot.conf.cn9-upgrade && mv /etc/dovecot/dovecot.conf.cn9-upgrade /var/backups || true
+
+# staro, može se brisati
+# dodao ico, gasi SSLv3 protokol
+#cp_check_and_sed '#ssl_protocols =' \
+# 's/^#ssl_protocols.*/ssl_protocols = !SSLv3/g' \
+# /etc/dovecot/conf.d/10-ssl.conf || true
+
+# dodao zelja, gasi stare SSL protokole
+#cp_check_and_sed 'ssl_protocols =' \
+# 's/\!SSLv2 //g' \
+# /etc/dovecot/conf.d/10-ssl.conf || true
+
+# dodao zelja, gasi stare SSL protokole/ciphere u 95-cn9-upgrade.conf ako postoje
+#if [ -f /etc/dovecot/conf.d/95-cn9-upgrade.conf ]; then
+# cp_check_and_sed 'ssl_protocols =' \
+# 's/\!SSLv2 //g' \
+# /etc/dovecot/conf.d/95-cn9-upgrade.conf || true
+# cp_check_and_sed 'ssl_cipher_list' \
+# 's/:\!SSLv2//g' \
+# /etc/dovecot/conf.d/95-cn9-upgrade.conf || true
+#fi
+
+# restart
+service dovecot restart || true
+
#DEBHELPER#
exit 0