From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Jun 28 07:10:13 2003 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 83D2D37B401 for ; Sat, 28 Jun 2003 07:10:13 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4EB6C43FFB for ; Sat, 28 Jun 2003 07:10:12 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h5SEACUp081075 for ; Sat, 28 Jun 2003 07:10:12 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h5SEACKa081074; Sat, 28 Jun 2003 07:10:12 -0700 (PDT) Resent-Date: Sat, 28 Jun 2003 07:10:12 -0700 (PDT) Resent-Message-Id: <200306281410.h5SEACKa081074@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dominic Marks Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D18E437B401 for ; Sat, 28 Jun 2003 07:08:06 -0700 (PDT) Received: from cus.org.uk (host213-106-240-81.no-dns-yet.ntli.net [213.106.240.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4261243FAF for ; Sat, 28 Jun 2003 07:08:04 -0700 (PDT) (envelope-from dom@cus.org.uk) Received: from cus.org.uk (localhost.cus.org.uk [127.0.0.1]) by cus.org.uk (8.12.6/8.12.6) with ESMTP id h5SE825h007987 for ; Sat, 28 Jun 2003 15:08:02 +0100 (BST) (envelope-from dom@cus.org.uk) Received: (from dom@localhost) by cus.org.uk (8.12.6/8.12.6/Submit) id h5SE82wS007986; Sat, 28 Jun 2003 15:08:02 +0100 (BST) Message-Id: <200306281408.h5SE82wS007986@cus.org.uk> Date: Sat, 28 Jun 2003 15:08:02 +0100 (BST) 
From: Dominic Marks To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: ports/53875: Maintainer Update: mail/dovecot X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Dominic Marks List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Jun 2003 14:10:14 -0000 >Number: 53875 >Category: ports >Synopsis: Maintainer Update: mail/dovecot >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Sat Jun 28 07:10:11 PDT 2003 >Closed-Date: >Last-Modified: >Originator: Dominic Marks >Release: FreeBSD 4.7-STABLE i386 >Organization: >Environment: System: FreeBSD moo.cus.org.uk 4.7-STABLE FreeBSD 4.7-STABLE #4: Wed Apr 16 15:13:46 BST 2003 root@moo.cus.org.uk:/usr/obj/usr/src/sys/BAA i386 >Description: mail/dovecot 0.99.10 o Synchronise README.FreeBSD with current reality. o Improve security a little by adding a 'dovecot-auth' user and group. Not really worth a PORTREVISION bump. The pkg-install could be simplified, the duplication was fast to do but is inefficient. >How-To-Repeat: NA. >Fix: Index: pkg-install =================================================================== RCS file: /vol/cvs/freebsd/ports/mail/dovecot/pkg-install,v retrieving revision 1.2 diff -u -r1.2 pkg-install --- pkg-install 3 May 2003 21:50:26 -0000 1.2 +++ pkg-install 28 Jun 2003 13:40:52 -0000 @@ -52,7 +52,7 @@ fi fi - if /usr/sbin/pw user show "${USER}" 2>/dev/null; then + if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then echo "You already have a user \"${USER}\", so I will use it." else if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \ 
@@ -67,4 +67,34 @@ fi fi + USER=dovecot-auth + GROUP=dovecot-auth + + if /usr/sbin/pw groupshow "${GROUP}" 2>/dev/null; then + echo "You already have a group \"${GROUP}\", so I will use it." + else + if /usr/sbin/pw groupadd ${GROUP} -h - + then + echo "Added group \"${GROUP}\"." + else + echo "Adding group \"${GROUP}\" failed..." + echo "Please create it, and try again." + exit 1 + fi + fi + + if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then + echo "You already have a user \"${USER}\", so I will use it." + else + if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \ + -s /sbin/nologin \ + -c "Dovecot Auth" + then + echo "Added user \"${USER}\"." + else + echo "Adding user \"${USER}\" failed..." + echo "Please create it, and try again." + exit 1 + fi + fi fi Index: files/README.FreeBSD =================================================================== RCS file: /vol/cvs/freebsd/ports/mail/dovecot/files/README.FreeBSD,v retrieving revision 1.1 diff -u -r1.1 README.FreeBSD --- files/README.FreeBSD 3 May 2003 21:50:26 -0000 1.1 +++ files/README.FreeBSD 28 Jun 2003 13:46:48 -0000 
@@ -4,13 +4,38 @@ # $FreeBSD: ports/mail/dovecot/files/README.FreeBSD,v 1.1 2003/05/03 21:50:26 nork Exp $ # - o Dovecot currently will not allow users with a user or group id of 0 - to login. Because of this you will not be able to open root's - mailbox, or any of the mailboxes of users in the wheel group. This is - intended as a security feature, and isn't an issue on Linux because - the concept of wheel is not enforced by GNU su. +-> 2003/06/28 (NEW) - + 2003/04/15 + o The authentication mechanism is different on FreeBSD 4 and 5. + For the default configuration set the following variables in + your dovecot.conf according to your version of FreeBSD. + + + FreeBSD 4 (DEFAULT) + + auth_passdb = passwd + auth_user = dovecot-auth + + + FreeBSD 5 + + auth_passdb = pam * + auth_user = root + +-> 2003/04/15 + + o Dovecot will not allow users with a user or group id of 0 to + login. Because of this you will not be able to open root's + mailbox, or any of the mailboxes of users in the wheel group. + + + 2003/06/28 (NEW) + Dovecot now has four configuration variables which allow you to + set the high and low boundaries for acceptable user and group ids. + You still can not login to root's mailbox with Dovecot however. + The default configuration which comes with the port is now + configured to accept connections from users in the wheel group, + my patch which added the allow_zero_gid variable below has been + removed. Update your configurations to match. + + + 2003/04/15 (DEPRECIATED) It is now possible to change this behavior to allow wheel users to check their mailboxes with Dovecot. Add the following line to your dovecot.conf: 
@@ -48,11 +73,14 @@ The variables you will want to set in dovecot.conf to allow a SSL secured POP3 and IMAP service are: - + protocols = imap imaps pop3 pop3s - + ssl_disable = no + protocols = imap imaps pop3 pop3s + ssl_disable = no You may wish to also change the following variables to reflect the location of SSL certificates on your system. - + ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem - + ssl_key_file = /var/dovecot/ssl/private/imapd.pem + ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem + ssl_key_file = /var/dovecot/ssl/private/imapd.pem + +Thanks, +Dominic Marks Index: files/patch-dovecot-example.conf =================================================================== RCS file: /vol/cvs/freebsd/ports/mail/dovecot/files/patch-dovecot-example.conf,v retrieving revision 1.5 diff -u -r1.5 patch-dovecot-example.conf --- files/patch-dovecot-example.conf 27 Jun 2003 04:32:51 -0000 1.5 +++ files/patch-dovecot-example.conf 28 Jun 2003 13:46:11 -0000 @@ -1,5 +1,5 @@ --- dovecot-example.conf.orig Thu Jun 26 17:11:06 2003 -+++ dovecot-example.conf Thu Jun 26 22:36:08 2003 ++++ dovecot-example.conf Sat Jun 28 14:45:41 2003 @@ -7,11 +7,11 @@ # --with-ssldir=/etc/ssl @@ -71,7 +71,7 @@ # Number of login processes to create. If login_process_per_user is # yes, this is the number of extra processes waiting for users to log in. -#login_processes_count = 3 -+login_processes_count = 1 ++#login_processes_count = 1 # Maximum number of extra login processes to create. The extra process count # usually stays at login_processes_count, but when multiple users start logging @@ -213,7 +213,7 @@ # password databases, nothing else. Only shadow and pam authentication # requires roots, so use something else if possible. -auth_user = root -+auth_user = dovecot ++auth_user = dovecot-auth # Directory where to chroot the process. Most authentication backends don't # work if this is set, and there's no point chrooting if auth_user is root. >Release-Note: >Audit-Trail: >Unformatted:
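Review bot: in the first pkg-install hunk the `pw usershow` spelling now matches the `pw groupshow` / `pw useradd` forms used elsewhere in the script, but the check still lets `pw usershow` print the matched passwd entry to stdout during installation, because only stderr is redirected (`2>/dev/null`); use `>/dev/null 2>&1` so the test is silent and only the script's own `echo` lines reach the user.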
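Review bot: the new `dovecot-auth` block in the second pkg-install hunk repeats the group/user creation logic of the existing block line for line, differing only in the USER, GROUP and `-c` comment values; the PR description already calls this duplication inefficient, so factoring it into a shell function (for example `add_account() { USER=$1; GROUP=$2; COMMENT=$3; ... }`) called once per account would halve the script and keep the two code paths from drifting apart. The account itself is set up appropriately for an unprivileged authentication process: `-h -` gives it no password and `-s /sbin/nologin` no login shell; note that no `-u`/`-g` is passed, so the uid and gid are allocated dynamically at install time rather than being fixed.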
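Review bot: in the first README.FreeBSD hunk the added label `2003/04/15 (DEPRECIATED)` should read `DEPRECATED`, and `You still can not login to root's mailbox` should be `cannot log in`. On substance, the FreeBSD 5 section tells users to set `auth_user = root` alongside `auth_passdb = pam`; since the dovecot-example.conf patch in this same PR keeps the upstream comment that only shadow and pam authentication require root, a one-line reason here would tell FreeBSD 5 administrators why they lose the unprivileged `dovecot-auth` account that the FreeBSD 4 default gives them.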
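Review bot: in the second README.FreeBSD hunk, dropping the stray `+ ` prefixes from the `protocols`, `ssl_disable`, `ssl_cert_file` and `ssl_key_file` lines is the right fix, since they made the snippet look like unapplied diff output and would break a copy-and-paste into dovecot.conf; the trailing `Thanks, Dominic Marks` reads as an e-mail sign-off rather than documentation and could be dropped or turned into a maintainer line.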
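Review bot: in patch-dovecot-example.conf, changing the inner `+login_processes_count = 1` to `+#login_processes_count = 1` leaves both sides of that inner hunk commented out (`-#login_processes_count = 3` / `+#login_processes_count = 1`), so the port no longer changes the effective setting and Dovecot uses the default the commented line documents (3); if that revert is intended, the inner hunk now only edits a comment and should be dropped from the patch file rather than carried as a misleading diff. The `auth_user = dovecot-auth` change correctly depends on the account that pkg-install now creates, but because it alters the installed default configuration, the "not really worth a PORTREVISION bump" call in the description deserves a second look so that existing installations rebuild and pick up the unprivileged user.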