dovecot: added optional dependencies; added security patches; set correct rundir; enable sqlite and libtirpc by default (#8)
Hi Jürgen, this is a bit bigger and if you are not opposed, I'll continue with openldap/krb5 👼 1. Included a few security patches 2. Add support for a bunch of optional dependencies 3. set the correct rundir with `configure` 4. Enables the use of core/libtirpc and core/libcap by default I have been running this in a productive environment and it works great (e.g. ldap support, argon password hashes and postgres backend). If you agree to the changes, a squash commit via gitea ui will suffice 😄 Thanks! Reviewed-on: #8 Co-authored-by: Tim Biermann <tbier@posteo.de> Co-committed-by: Tim Biermann <tbier@posteo.de>
This commit is contained in:
parent
6b388376d5
commit
17c4671a40
@ -1,7 +1,9 @@
|
||||
untrusted comment: verify with /etc/ports/opt.pub
|
||||
RWSE3ohX2g5d/VWVbKfoqmDa40OAo2IHODTIqKD79fXn+PY5ttbbIIcBm4iaeMtNNN44Fg/+qwkeOfJkz0JAL5J1/wcN9WtYRwI=
|
||||
SHA256 (Pkgfile) = 9337bdb7620b3da0d37d1cf6092196ff8bd2c1e676e9157ff26005215fa440a7
|
||||
RWSE3ohX2g5d/Q08YPGmdtgSDW/hzh+wkok5jio/X7jNVotrkYdAbfaAJI6atnA9zd1t0XJ00cnMdLSqW+2sK21tPetQ8JVdHgk=
|
||||
SHA256 (Pkgfile) = e3bb603ff97435fe66b405bc816a6d67695e2ec880f3fd2241553f67c84d4c12
|
||||
SHA256 (.footprint) = 9ce92920e115b45f8344dfe4a614d3d5ffaf44b0bedcd80ec11dc110e15c78ec
|
||||
SHA256 (dovecot-2.3.21.tar.gz) = 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
|
||||
SHA256 (dovecot-2.3.21-openssl3_fixes-1.patch) = 1742462cf50be084d9b7972fd1aaf2d8180a6fda6c7fb103e1df6ff68e8b7633
|
||||
SHA256 (dovecot-2.3.21-security_fix-1.patch) = e4e140b3c2f787913dfab7c84a8ed424aa6b26da27adb1a1b7fa2629a529dd31
|
||||
SHA256 (dovecot.rc) = 5c42d68ba066ecb27571ab85da98e4aba6c9a91c3289066a461283c54d175db5
|
||||
SHA256 (dovecot.pam) = 9aa8bd8871560e4e3c255ca3e8ed9c99d6b29620e375155ef6c4118b5b7da4af
|
||||
|
@ -1,24 +1,47 @@
|
||||
# Description: IMAP and POP3 server with ssl/ipv6 support, written with security primarily in mind
|
||||
# URL: https://dovecot.org
|
||||
# Maintainer: Juergen Daubert, jue at crux dot nu
|
||||
# Depends on: zlib bzip2 xz openssl libcap linux-pam
|
||||
# Depends on: bzip2 libcap linux-pam openssl sqlite xz zlib
|
||||
# Optional: clucene cyrus-sasl icu krb5 libsodium lua53 lz4 mariadb nss openldap postgresql
|
||||
|
||||
name=dovecot
|
||||
version=2.3.21
|
||||
release=1
|
||||
source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
|
||||
dovecot-2.3.21-openssl3_fixes-1.patch
|
||||
dovecot-2.3.21-security_fix-1.patch
|
||||
dovecot.rc dovecot.pam)
|
||||
|
||||
build() {
|
||||
cd $name-$version
|
||||
|
||||
./configure \
|
||||
patch -Np1 -i $SRC/dovecot-2.3.21-openssl3_fixes-1.patch
|
||||
patch -Np1 -i $SRC/dovecot-2.3.21-security_fix-1.patch
|
||||
autoreconf -fvi
|
||||
|
||||
prt-get isinst clucene && PKGMK_DOVECOT+=' --with-lucene'
|
||||
prt-get isinst icu && PKGMK_DOVECOT+=' --with-icu'
|
||||
prt-get isinst krb5 && PKGMK_DOVECOT+=' --with-gssapi'
|
||||
prt-get isinst libsodium && PKGMK_DOVECOT+=' --with-sodium'
|
||||
prt-get isinst lua53 && PKGMK_DOVECOT+=' --with-lua=plugin'
|
||||
prt-get isinst mariadb && PKGMK_DOVECOT+=' --with-mysql'
|
||||
prt-get isinst nss && PKGMK_DOVECOT+=' --with-nss'
|
||||
prt-get isinst openldap && PKGMK_DOVECOT+=' --with-ldap=plugin'
|
||||
prt-get isinst postgresql && PKGMK_DOVECOT+=' --with-pgsql'
|
||||
|
||||
CPPFLAGS="-I/usr/include/tirpc" \
|
||||
LDFLAGS+=" -ltirpc" \
|
||||
./configure $PKGMK_DOVECOT \
|
||||
--prefix=/usr \
|
||||
--libexecdir=/usr/lib \
|
||||
--sysconfdir=/etc \
|
||||
--localstatedir=/var \
|
||||
--with-rundir=/run/dovecot \
|
||||
--with-moduledir=/usr/lib/dovecot/modules \
|
||||
--with-rundir=/run/dovecot \
|
||||
--with-sql \
|
||||
--with-sqlite \
|
||||
--with-libcap \
|
||||
--with-pam \
|
||||
--with-ssl=openssl
|
||||
|
||||
|
45
dovecot/dovecot-2.3.21-openssl3_fixes-1.patch
Normal file
45
dovecot/dovecot-2.3.21-openssl3_fixes-1.patch
Normal file
@ -0,0 +1,45 @@
|
||||
Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org>
|
||||
Date: 2022-02-12
|
||||
Initial Package Version: 2.3.18
|
||||
Upstream Status: Not Applied
|
||||
Origin: Red Hat (https://bugzilla-attachments.redhat.com/attachment.cgi?id=1788877)
|
||||
Description: Fixes a runtime issue with OpenSSL-3 when exchanging
|
||||
certificates with another system during the initial
|
||||
connection phase by implementing OpenSSL-3 compatible
|
||||
versions of the EVP_PKEY_get0_EC_KEY and
|
||||
EVP_PKEY_get1_EC_KEY functions.
|
||||
|
||||
diff -Naurp dovecot-2.3.18.orig/src/lib-dcrypt/dcrypt-openssl.c dovecot-2.3.18/src/lib-dcrypt/dcrypt-openssl.c
|
||||
--- dovecot-2.3.18.orig/src/lib-dcrypt/dcrypt-openssl.c 2022-02-02 05:42:23.000000000 -0600
|
||||
+++ dovecot-2.3.18/src/lib-dcrypt/dcrypt-openssl.c 2022-02-12 21:20:13.766911113 -0600
|
||||
@@ -73,10 +73,30 @@
|
||||
2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
|
||||
**/
|
||||
|
||||
+#if OPENSSL_VERSION_MAJOR == 3
|
||||
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
|
||||
+{
|
||||
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
|
||||
+ EVP_PKEY_set1_EC_KEY(key, eck);
|
||||
+ EC_KEY_free(eck);
|
||||
+ return eck;
|
||||
+}
|
||||
+
|
||||
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
|
||||
+{
|
||||
+ EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
|
||||
+ EVP_PKEY_set1_EC_KEY(key, eck);
|
||||
+ return eck;
|
||||
+}
|
||||
+
|
||||
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
|
||||
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
|
||||
+#else
|
||||
#ifndef HAVE_EVP_PKEY_get0
|
||||
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
|
||||
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
#ifndef HAVE_OBJ_LENGTH
|
||||
#define OBJ_length(o) ((o)->length)
|
132
dovecot/dovecot-2.3.21-security_fix-1.patch
Normal file
132
dovecot/dovecot-2.3.21-security_fix-1.patch
Normal file
@ -0,0 +1,132 @@
|
||||
Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org>
|
||||
Date: 2022-07-13
|
||||
Updated Date: 2023-09-16
|
||||
Initial Package Version: 2.3.19.1
|
||||
Origin: Upstream (see https://seclists.org/oss-sec/2022/q3/33)
|
||||
Upstream Status: Applied
|
||||
Description: Fixes CVE-2022-30550 in Dovecot, where privilege
|
||||
escalation is possible when similar master and
|
||||
non-master password databases are used. This occurs
|
||||
when an administrator has inadvertently set multiple
|
||||
configuration entries pointing towards the same files
|
||||
for password databases, with identical settings.
|
||||
Updated on 2023-09-16 to remove the .orig files.
|
||||
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth.c dovecot-2.3.19.1/src/auth/auth.c
|
||||
--- dovecot-2.3.19.1.orig/src/auth/auth.c 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/auth.c 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, c
|
||||
auth_passdb->override_fields_tmpl =
|
||||
passdb_template_build(auth->pool, set->override_fields);
|
||||
|
||||
+ if (*set->mechanisms == '\0') {
|
||||
+ auth_passdb->mechanisms = NULL;
|
||||
+ } else if (strcasecmp(set->mechanisms, "none") == 0) {
|
||||
+ auth_passdb->mechanisms = (const char *const[]){ NULL };
|
||||
+ } else {
|
||||
+ auth_passdb->mechanisms =
|
||||
+ (const char *const *)p_strsplit_spaces(auth->pool,
|
||||
+ set->mechanisms, " ,");
|
||||
+ }
|
||||
+
|
||||
+ if (*set->username_filter == '\0') {
|
||||
+ auth_passdb->username_filter = NULL;
|
||||
+ } else {
|
||||
+ auth_passdb->username_filter =
|
||||
+ (const char *const *)p_strsplit_spaces(auth->pool,
|
||||
+ set->username_filter, " ,");
|
||||
+ }
|
||||
+
|
||||
/* for backwards compatibility: */
|
||||
if (set->pass)
|
||||
auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth.h dovecot-2.3.19.1/src/auth/auth.h
|
||||
--- dovecot-2.3.19.1.orig/src/auth/auth.h 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/auth.h 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -41,6 +41,11 @@ struct auth_passdb {
|
||||
struct passdb_template *default_fields_tmpl;
|
||||
struct passdb_template *override_fields_tmpl;
|
||||
|
||||
+ /* Supported authentication mechanisms, NULL is all, {NULL} is none */
|
||||
+ const char *const *mechanisms;
|
||||
+ /* Username filter, NULL is no filter */
|
||||
+ const char *const *username_filter;
|
||||
+
|
||||
enum auth_passdb_skip skip;
|
||||
enum auth_db_rule result_success;
|
||||
enum auth_db_rule result_failure;
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth-request.c dovecot-2.3.19.1/src/auth/auth-request.c
|
||||
--- dovecot-2.3.19.1.orig/src/auth/auth-request.c 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/auth-request.c 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct aut
|
||||
struct auth_passdb *passdb)
|
||||
{
|
||||
/* if mechanism is not supported, skip */
|
||||
- const char *const *mechs = passdb->passdb->mechanisms;
|
||||
- const char *const *username_filter = passdb->passdb->username_filter;
|
||||
+ const char *const *mechs = passdb->mechanisms;
|
||||
+ const char *const *username_filter = passdb->username_filter;
|
||||
const char *username;
|
||||
|
||||
username = request->fields.user;
|
||||
@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct aut
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
- if (passdb->passdb->username_filter != NULL &&
|
||||
+ if (passdb->username_filter != NULL &&
|
||||
!auth_request_username_accepted(username_filter, username)) {
|
||||
auth_request_log_debug(request,
|
||||
request->mech != NULL ? AUTH_SUBSYS_MECH
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/passdb.c dovecot-2.3.19.1/src/auth/passdb.c
|
||||
--- dovecot-2.3.19.1.orig/src/auth/passdb.c 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/passdb.c 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct
|
||||
passdb->id = ++auth_passdb_id;
|
||||
passdb->iface = *iface;
|
||||
passdb->args = p_strdup(pool, set->args);
|
||||
- if (*set->mechanisms == '\0') {
|
||||
- passdb->mechanisms = NULL;
|
||||
- } else if (strcasecmp(set->mechanisms, "none") == 0) {
|
||||
- passdb->mechanisms = (const char *const[]){NULL};
|
||||
- } else {
|
||||
- passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
|
||||
- }
|
||||
-
|
||||
- if (*set->username_filter == '\0') {
|
||||
- passdb->username_filter = NULL;
|
||||
- } else {
|
||||
- passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
|
||||
- }
|
||||
+ /* NOTE: if anything else than driver & args are added here,
|
||||
+ passdb_find() also needs to be updated. */
|
||||
array_push_back(&passdb_modules, &passdb);
|
||||
return passdb;
|
||||
}
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/passdb.h dovecot-2.3.19.1/src/auth/passdb.h
|
||||
--- dovecot-2.3.19.1.orig/src/auth/passdb.h 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/passdb.h 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -63,10 +63,6 @@ struct passdb_module {
|
||||
/* Default password scheme for this module.
|
||||
If default_cache_key is set, must not be NULL. */
|
||||
const char *default_pass_scheme;
|
||||
- /* Supported authentication mechanisms, NULL is all, [NULL] is none*/
|
||||
- const char *const *mechanisms;
|
||||
- /* Username filter, NULL is no filter */
|
||||
- const char *const *username_filter;
|
||||
|
||||
/* If blocking is set to TRUE, use child processes to access
|
||||
this passdb. */
|
||||
diff -Naurp dovecot-2.3.19.1.orig/src/auth/userdb.c dovecot-2.3.19.1/src/auth/userdb.c
|
||||
--- dovecot-2.3.19.1.orig/src/auth/userdb.c 2022-06-14 01:55:03.000000000 -0500
|
||||
+++ dovecot-2.3.19.1/src/auth/userdb.c 2022-07-13 14:53:21.307278772 -0500
|
||||
@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct
|
||||
userdb->id = ++auth_userdb_id;
|
||||
userdb->iface = iface;
|
||||
userdb->args = p_strdup(pool, set->args);
|
||||
-
|
||||
+ /* NOTE: if anything else than driver & args are added here,
|
||||
+ userdb_find() also needs to be updated. */
|
||||
array_push_back(&userdb_modules, &userdb);
|
||||
return userdb;
|
||||
}
|
Loading…
Reference in New Issue
Block a user