main/dovecot: more secure default config

3 files changed, 36 insertions, 2 deletions

diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 3e1e0b9490..c2c8a3e867 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=dovecot
 pkgver=2.3.2.1
 _pkgvermajor=2.3
-pkgrel=0
+pkgrel=1
 _pigeonholever=0.5.2
 _pigeonholevermajor=${_pigeonholever%.*}
 pkgdesc="IMAP and POP3 server"
@@ -28,6 +28,7 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-openrc
 source="https://www.dovecot.org/releases/$_pkgvermajor/$pkgname-$pkgver.tar.gz
 	https://pigeonhole.dovecot.org/releases/$_pkgvermajor/$pkgname-$_pkgvermajor-pigeonhole-$_pigeonholever.tar.gz
 	skip-iconv-check.patch
+	default-config.patch
 	dovecot.logrotate
 	dovecot.initd
 	"
@@ -206,5 +207,6 @@ _fts_lucene() {
 sha512sums="c085a0d04925485423086736a3c7d919ad0ca9efeff005890382da5333edb68c7d23ccb89fbe2ac44f8f016fc993bf2c669e450794c3ab13463676cbb47c7bf7  dovecot-2.3.2.1.tar.gz
 6bc24d9241f94db795a012346d9bc94b5cc7d7ce0175c03213c2b5d179d80dec95e9bdbd50bed628c8f9f7c51639e692ba5e429212a3b4a654c1e4764ac4f11c  dovecot-2.3-pigeonhole-0.5.2.tar.gz
 fe4fbeaedb377d809f105d9dbaf7c1b961aa99f246b77189a73b491dc1ae0aa9c68678dde90420ec53ec877c08f735b42d23edb13117d7268420e001aa30967a  skip-iconv-check.patch
+ba76394aac0dc16209855f7a9a66d6828e7cb198400d199cbb129a787f8037c2979eed1cb460bd9ed0914d084d8913959c0293c6dd29ea6b1c12c277fd643df0  default-config.patch
 9f19698ab45969f1f94dc4bddf6de59317daee93c9421c81f2dbf8a7efe6acf89689f1d30f60f536737bb9526c315215d2bce694db27e7b8d7896036a59c31f0  dovecot.logrotate
 d2758a22e5b3d1d1be867fd237466a1b5fe7ecd4355fdc51fa9e5ceab48a862f8a5d83992d2ae17a3e0b2c611ff92d0de833d7e1c5f00c6f4bfb94403dbda8e4  dovecot.initd"
diff --git a/main/dovecot/default-config.patch b/main/dovecot/default-config.patch
new file mode 100644
index 0000000000..17e2077cec
--- /dev/null
+++ b/main/dovecot/default-config.patch
@@ -0,0 +1,32 @@
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+ 
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,7 +3,10 @@
+ ##
+ 
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
++# POP3S, IMAP+TLS and IMAPS.
++# Plain IMAP and POP3 are still allowed for local connections.
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ # To disable non-EC DH, use:
+ #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
++ssl_cipher_list = PROFILE=SYSTEM
+ 
+ # Colon separated list of elliptic curves to use. Empty value (the default)
+ # means use the defaults from the SSL library. P-521:P-384:P-256 would be an
diff --git a/main/dovecot/dovecot.post-install b/main/dovecot/dovecot.post-install
index c014fcbb47..5053dddc33 100644
--- a/main/dovecot/dovecot.post-install
+++ b/main/dovecot/dovecot.post-install
@@ -3,7 +3,7 @@
 # based on  doc/mkcert.sh
 
 # if ssl disabled then lets just exit
-doveconf ssl 2>/dev/null | grep -q 'yes' || exit 0 
+doveconf ssl 2>/dev/null | grep -Eq '(yes|required)' || exit 0 
 # Generates a self-signed certificate.
 
 OPENSSL=${OPENSSL-openssl}