dovecot: added optional dependencies; added security patches; set correct rundir; enable sqlite and libtirpc by default (#8)

Hi Jürgen, this is a bit bigger and if you are not opposed, I'll continue with openldap/krb5 👼 1. Included a few security patches 2. Add support for a bunch of optional dependencies 3. set the correct rundir with `configure` 4. Enables the use of core/libtirpc and core/libcap by default I have been running this in a productive environment and it works great (e.g. ldap support, argon password hashes and postgres backend). If you agree to the changes, a squash commit via gitea ui will suffice 😄 Thanks! Reviewed-on: #8 Co-authored-by: Tim Biermann <tbier@posteo.de> Co-committed-by: Tim Biermann <tbier@posteo.de>
2024-08-05 10:50:13 +02:00 · 2024-08-05 10:50:13 +02:00 · 17c4671a40
commit 17c4671a40
parent 6b388376d5
4 changed files with 206 additions and 4 deletions
--- a/dovecot/.signature
+++ b/dovecot/.signature
@ -1,7 +1,9 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/VWVbKfoqmDa40OAo2IHODTIqKD79fXn+PY5ttbbIIcBm4iaeMtNNN44Fg/+qwkeOfJkz0JAL5J1/wcN9WtYRwI=
-SHA256 (Pkgfile) = 9337bdb7620b3da0d37d1cf6092196ff8bd2c1e676e9157ff26005215fa440a7
+RWSE3ohX2g5d/Q08YPGmdtgSDW/hzh+wkok5jio/X7jNVotrkYdAbfaAJI6atnA9zd1t0XJ00cnMdLSqW+2sK21tPetQ8JVdHgk=
+SHA256 (Pkgfile) = e3bb603ff97435fe66b405bc816a6d67695e2ec880f3fd2241553f67c84d4c12
 SHA256 (.footprint) = 9ce92920e115b45f8344dfe4a614d3d5ffaf44b0bedcd80ec11dc110e15c78ec
 SHA256 (dovecot-2.3.21.tar.gz) = 05b11093a71c237c2ef309ad587510721cc93bbee6828251549fc1586c36502d
+SHA256 (dovecot-2.3.21-openssl3_fixes-1.patch) = 1742462cf50be084d9b7972fd1aaf2d8180a6fda6c7fb103e1df6ff68e8b7633
+SHA256 (dovecot-2.3.21-security_fix-1.patch) = e4e140b3c2f787913dfab7c84a8ed424aa6b26da27adb1a1b7fa2629a529dd31
 SHA256 (dovecot.rc) = 5c42d68ba066ecb27571ab85da98e4aba6c9a91c3289066a461283c54d175db5
 SHA256 (dovecot.pam) = 9aa8bd8871560e4e3c255ca3e8ed9c99d6b29620e375155ef6c4118b5b7da4af
--- a/dovecot/Pkgfile
+++ b/dovecot/Pkgfile
@ -1,24 +1,47 @@
 # Description: IMAP and POP3 server with ssl/ipv6 support, written with security primarily in mind
 # URL: https://dovecot.org
 # Maintainer: Juergen Daubert, jue at crux dot nu
-# Depends on: zlib bzip2 xz openssl libcap linux-pam
+# Depends on: bzip2 libcap linux-pam openssl sqlite xz zlib
+# Optional: clucene cyrus-sasl icu krb5 libsodium lua53 lz4 mariadb nss openldap postgresql

 name=dovecot
 version=2.3.21
 release=1
 source=(https://dovecot.org/releases/2.3/$name-$version.tar.gz
+	dovecot-2.3.21-openssl3_fixes-1.patch
+	dovecot-2.3.21-security_fix-1.patch
 	dovecot.rc dovecot.pam)

 build() {
 	cd $name-$version

-	./configure \
+	patch -Np1 -i $SRC/dovecot-2.3.21-openssl3_fixes-1.patch
+	patch -Np1 -i $SRC/dovecot-2.3.21-security_fix-1.patch
+	autoreconf -fvi
+
+	prt-get isinst clucene && PKGMK_DOVECOT+=' --with-lucene'
+	prt-get isinst icu && PKGMK_DOVECOT+=' --with-icu'
+	prt-get isinst krb5 && PKGMK_DOVECOT+=' --with-gssapi'
+	prt-get isinst libsodium && PKGMK_DOVECOT+=' --with-sodium'
+	prt-get isinst lua53 && PKGMK_DOVECOT+=' --with-lua=plugin'
+	prt-get isinst mariadb && PKGMK_DOVECOT+=' --with-mysql'
+	prt-get isinst nss && PKGMK_DOVECOT+=' --with-nss'
+	prt-get isinst openldap && PKGMK_DOVECOT+=' --with-ldap=plugin'
+	prt-get isinst postgresql && PKGMK_DOVECOT+=' --with-pgsql'
+
+	CPPFLAGS="-I/usr/include/tirpc" \
+	LDFLAGS+=" -ltirpc" \
+	./configure $PKGMK_DOVECOT \
 		--prefix=/usr \
 		--libexecdir=/usr/lib \
 		--sysconfdir=/etc \
 		--localstatedir=/var \
 		--with-rundir=/run/dovecot \
 		--with-moduledir=/usr/lib/dovecot/modules \
+		--with-rundir=/run/dovecot \
+		--with-sql \
+		--with-sqlite \
+		--with-libcap \
 		--with-pam \
 		--with-ssl=openssl

--- a/dovecot/dovecot-2.3.21-openssl3_fixes-1.patch
+++ b/dovecot/dovecot-2.3.21-openssl3_fixes-1.patch
@ -0,0 +1,45 @@
+Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date:                    2022-02-12
+Initial Package Version: 2.3.18
+Upstream Status:         Not Applied
+Origin:                  Red Hat (https://bugzilla-attachments.redhat.com/attachment.cgi?id=1788877)
+Description:             Fixes a runtime issue with OpenSSL-3 when exchanging
+                         certificates with another system during the initial
+                         connection phase by implementing OpenSSL-3 compatible
+                         versions of the EVP_PKEY_get0_EC_KEY and
+                         EVP_PKEY_get1_EC_KEY functions.
+
+diff -Naurp dovecot-2.3.18.orig/src/lib-dcrypt/dcrypt-openssl.c dovecot-2.3.18/src/lib-dcrypt/dcrypt-openssl.c
+--- dovecot-2.3.18.orig/src/lib-dcrypt/dcrypt-openssl.c	2022-02-02 05:42:23.000000000 -0600
+++ dovecot-2.3.18/src/lib-dcrypt/dcrypt-openssl.c	2022-02-12 21:20:13.766911113 -0600
+@@ -73,10 +73,30 @@
+   2<tab>key algo oid<tab>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
+ **/
+ 
+#if OPENSSL_VERSION_MAJOR == 3
+static EC_KEY *EVP_PKEY_get0_EC_KEYv3(EVP_PKEY *key)
+{
+   EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+   EVP_PKEY_set1_EC_KEY(key, eck);
+   EC_KEY_free(eck);
+   return eck;
+}
+
+static EC_KEY *EVP_PKEY_get1_EC_KEYv3(EVP_PKEY *key)
+{
+   EC_KEY *eck = EVP_PKEY_get1_EC_KEY(key);
+   EVP_PKEY_set1_EC_KEY(key, eck);
+   return eck;
+}
+
+#define EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_EC_KEYv3
+#define EVP_PKEY_get1_EC_KEY EVP_PKEY_get1_EC_KEYv3
+#else
+ #ifndef HAVE_EVP_PKEY_get0
+ #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
+ #define EVP_PKEY_get0_RSA(x) x->pkey.rsa
+ #endif
+#endif
+ 
+ #ifndef HAVE_OBJ_LENGTH
+ #define OBJ_length(o) ((o)->length)
--- a/dovecot/dovecot-2.3.21-security_fix-1.patch
+++ b/dovecot/dovecot-2.3.21-security_fix-1.patch
@ -0,0 +1,132 @@
+Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date:                    2022-07-13
+Updated Date:            2023-09-16 
+Initial Package Version: 2.3.19.1
+Origin:                  Upstream (see https://seclists.org/oss-sec/2022/q3/33)
+Upstream Status:         Applied
+Description:             Fixes CVE-2022-30550 in Dovecot, where privilege
+                         escalation is possible when similar master and
+                         non-master password databases are used. This occurs
+                         when an administrator has inadvertently set multiple
+                         configuration entries pointing towards the same files
+                         for password databases, with identical settings.
+                         Updated on 2023-09-16 to remove the .orig files.
+
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth.c dovecot-2.3.19.1/src/auth/auth.c
+--- dovecot-2.3.19.1.orig/src/auth/auth.c	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/auth.c	2022-07-13 14:53:21.307278772 -0500
+@@ -93,6 +93,24 @@ auth_passdb_preinit(struct auth *auth, c
+ 	auth_passdb->override_fields_tmpl =
+ 		passdb_template_build(auth->pool, set->override_fields);
+ 
+	if (*set->mechanisms == '\0') {
+		auth_passdb->mechanisms = NULL;
+	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+		auth_passdb->mechanisms = (const char *const[]){ NULL };
+	} else {
+		auth_passdb->mechanisms =
+			(const char *const *)p_strsplit_spaces(auth->pool,
+				set->mechanisms, " ,");
+	}
+
+	if (*set->username_filter == '\0') {
+		auth_passdb->username_filter = NULL;
+	} else {
+		auth_passdb->username_filter =
+			(const char *const *)p_strsplit_spaces(auth->pool,
+				set->username_filter, " ,");
+	}
+
+ 	/* for backwards compatibility: */
+ 	if (set->pass)
+ 		auth_passdb->result_success = AUTH_DB_RULE_CONTINUE;
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth.h dovecot-2.3.19.1/src/auth/auth.h
+--- dovecot-2.3.19.1.orig/src/auth/auth.h	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/auth.h	2022-07-13 14:53:21.307278772 -0500
+@@ -41,6 +41,11 @@ struct auth_passdb {
+ 	struct passdb_template *default_fields_tmpl;
+ 	struct passdb_template *override_fields_tmpl;
+ 
+	/* Supported authentication mechanisms, NULL is all, {NULL} is none */
+	const char *const *mechanisms;
+	/* Username filter, NULL is no filter */
+	const char *const *username_filter;
+
+ 	enum auth_passdb_skip skip;
+ 	enum auth_db_rule result_success;
+ 	enum auth_db_rule result_failure;
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/auth-request.c dovecot-2.3.19.1/src/auth/auth-request.c
+--- dovecot-2.3.19.1.orig/src/auth/auth-request.c	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/auth-request.c	2022-07-13 14:53:21.307278772 -0500
+@@ -553,8 +553,8 @@ auth_request_want_skip_passdb(struct aut
+ 			      struct auth_passdb *passdb)
+ {
+ 	/* if mechanism is not supported, skip */
+-	const char *const *mechs = passdb->passdb->mechanisms;
+-	const char *const *username_filter = passdb->passdb->username_filter;
+	const char *const *mechs = passdb->mechanisms;
+	const char *const *username_filter = passdb->username_filter;
+ 	const char *username;
+ 
+ 	username = request->fields.user;
+@@ -567,7 +567,7 @@ auth_request_want_skip_passdb(struct aut
+ 		return TRUE;
+ 	}
+ 
+-	if (passdb->passdb->username_filter != NULL &&
+	if (passdb->username_filter != NULL &&
+ 	    !auth_request_username_accepted(username_filter, username)) {
+ 		auth_request_log_debug(request,
+ 				       request->mech != NULL ? AUTH_SUBSYS_MECH
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/passdb.c dovecot-2.3.19.1/src/auth/passdb.c
+--- dovecot-2.3.19.1.orig/src/auth/passdb.c	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/passdb.c	2022-07-13 14:53:21.307278772 -0500
+@@ -224,19 +224,8 @@ passdb_preinit(pool_t pool, const struct
+ 	passdb->id = ++auth_passdb_id;
+ 	passdb->iface = *iface;
+ 	passdb->args = p_strdup(pool, set->args);
+-	if (*set->mechanisms == '\0') {
+-		passdb->mechanisms = NULL;
+-	} else if (strcasecmp(set->mechanisms, "none") == 0) {
+-		passdb->mechanisms = (const char *const[]){NULL};
+-	} else {
+-		passdb->mechanisms = (const char* const*)p_strsplit_spaces(pool, set->mechanisms, " ,");
+-	}
+-
+-	if (*set->username_filter == '\0') {
+-		passdb->username_filter = NULL;
+-	} else {
+-		passdb->username_filter = (const char* const*)p_strsplit_spaces(pool, set->username_filter, " ,");
+-	}
+	/* NOTE: if anything else than driver & args are added here,
+	   passdb_find() also needs to be updated. */
+ 	array_push_back(&passdb_modules, &passdb);
+ 	return passdb;
+ }
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/passdb.h dovecot-2.3.19.1/src/auth/passdb.h
+--- dovecot-2.3.19.1.orig/src/auth/passdb.h	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/passdb.h	2022-07-13 14:53:21.307278772 -0500
+@@ -63,10 +63,6 @@ struct passdb_module {
+ 	/* Default password scheme for this module.
+ 	   If default_cache_key is set, must not be NULL. */
+ 	const char *default_pass_scheme;
+-	/* Supported authentication mechanisms, NULL is all, [NULL] is none*/
+-	const char *const *mechanisms;
+-	/* Username filter, NULL is no filter */
+-	const char *const *username_filter;
+ 
+ 	/* If blocking is set to TRUE, use child processes to access
+ 	   this passdb. */
+diff -Naurp dovecot-2.3.19.1.orig/src/auth/userdb.c dovecot-2.3.19.1/src/auth/userdb.c
+--- dovecot-2.3.19.1.orig/src/auth/userdb.c	2022-06-14 01:55:03.000000000 -0500
+++ dovecot-2.3.19.1/src/auth/userdb.c	2022-07-13 14:53:21.307278772 -0500
+@@ -158,7 +158,8 @@ userdb_preinit(pool_t pool, const struct
+ 	userdb->id = ++auth_userdb_id;
+ 	userdb->iface = iface;
+ 	userdb->args = p_strdup(pool, set->args);
+-
+	/* NOTE: if anything else than driver & args are added here,
+	   userdb_find() also needs to be updated. */
+ 	array_push_back(&userdb_modules, &userdb);
+ 	return userdb;
+ }