Apply patches for wheezy

debian/changelog

@@ -1,3 +1,10 @@
+alternc (3.2.10) oldstable; urgency=low
+
+  * Version identical to 3.1 for Squeeze
+  * Includes a small dovecot patch / dependency for dovecot 2.0 for Wheezy
+
+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Fri, 15 Jan 2016 15:26:00 +0100
+
 alternc (3.1.11) oldoldstable; urgency=low
 
   * fix This is a big security upgrade of AlternC 3.x

debian/control

@@ -38,16 +38,19 @@ Depends: debianutils (>= 1.13.1)
        , sudo
        , adduser
        , dnsutils
-       , dovecot-common (>=1:1.2.15)
+       , dovecot-common (>=1:2.1.7)
-       , dovecot-common(<< 1:2.0)
+       , dovecot-imapd
-       , dovecot-imapd (>= 1:1.2.15)
+       , dovecot-pop3d
-       , dovecot-pop3d (>= 1:1.2.15)
+       , dovecot-mysql
        , vlogger
        , mailutils | mailx
        , zip
        , incron
        , cron
        , opendkim
+       , opendkim-tools
+       , dovecot-sieve
+       , dovecot-managesieved
        , mysql-client(>= 5.0) | mariadb-client
        , php5-curl | php7.0-curl
        , quota
@@ -123,15 +126,18 @@ Depends: debianutils (>= 1.13.1)
          , gettext (>= 0.10.40-5)
          , adduser
          , sudo
-         , dovecot-common (>=1:1.2.15)
+         , dovecot-common (>=1:2.1.7)
-         , dovecot-common(<< 1:2.0)
+         , dovecot-imapd
-         , dovecot-imapd (>= 1:1.2.15)
+         , dovecot-pop3d
-         , dovecot-pop3d (>= 1:1.2.15)
+         , dovecot-mysql
          , vlogger
          , mailutils | mailx
          , incron
          , cron
          , opendkim
+         , opendkim-tools
+         , dovecot-sieve
+         , dovecot-managesieved
          , mysql-client(>= 5.0) | mariadb-client
          , php5-curl
          , ${misc:Depends}

etc/alternc/templates/dovecot/alternc-sql.conf

@@ -3,10 +3,9 @@
 # and launch alternc.install if you want 
 # to modify this file.
 # 
-
 # This file is opened as root, so it should be owned by root and mode 0600.
 #
-# http://wiki.dovecot.org/AuthDatabase/SQL
+# http://wiki2.dovecot.org/AuthDatabase/SQL
 #
 # For the sql passdb module, you'll need a database with a table that
 # contains fields for at least the username and password. If you want to
@@ -36,9 +35,14 @@ driver = mysql
 
 # Database connection string. This is driver-specific setting.
 #
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
 # pgsql:
 #   For available options, see the PostgreSQL documention for the
 #   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
 #
 # mysql:
 #   Basic options emulate PostgreSQL option names:
@@ -53,11 +57,9 @@ driver = mysql
 #                           the default my.cnf location
 #     option_group        - Read options from the given group (default: client)
 # 
-#   You can connect to UNIX sockets by using host: host=/var/run/mysqld/mysqld.sock
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
 #   Note that currently you can't use spaces in parameters.
 #
-#   MySQL supports multiple host parameters for load balancing / HA.
-#
 # sqlite:
 #   The path to the database file.
 #
@@ -71,7 +73,7 @@ connect = host=%%dbhost%% dbname=%%dbname%% user=%%db_mail_user%% password=%%db_
 # Default password scheme.
 #
 # List of supported schemes is in
-# http://wiki.dovecot.org/Authentication/PasswordSchemes
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
 #
 default_pass_scheme = MD5
 
@@ -86,9 +88,9 @@ default_pass_scheme = MD5
 # and "domain" fields instead of "user".
 #
 # The query can also return other fields which have a special meaning, see
-# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
 #
-# Commonly used available substitutions (see http://wiki.dovecot.org/Variables
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
 # for full list):
 #   %u = entire user@domain
 #   %n = user part of user@domain
@@ -115,7 +117,7 @@ default_pass_scheme = MD5
 # None of these are strictly required. If you use a single UID and GID, and
 # home or mail directory fits to a template string, you could use userdb static
 # instead. For a list of all fields that can be returned, see
-# http://wiki.dovecot.org/UserDatabase/ExtraFields
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
 #
 # Examples:
 #   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
@@ -128,5 +130,8 @@ user_query = SELECT userdb_home AS home, userdb_uid AS uid, 1998 AS gid, userdb_
 # userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
 # also have to return userdb fields in password_query prefixed with "userdb_"
 # string. For example:
+# 
 password_query = SELECT user, password, userdb_home, userdb_uid, 1998 AS userdb_gid,userdb_quota_rule FROM dovecot_view where user= '%u'; 
 
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users

etc/alternc/templates/dovecot/conf.d/95_alternc.conf

@@ -0,0 +1,344 @@
+# AUTO GENERATED FILE
+# Modify template in /etc/alternc/templates/
+# and launch alternc.install if you want 
+# to modify this file.
+#
+## Dovecot configuration file
+# This is a concatenation of all /etc/dovecot/conf.d/* from DEBIAN package
+# with rules adapted to AlternC best practices and link with MySQL tables.
+
+protocols = imap pop3 sieve
+
+default_process_limit = 1000
+
+## -------------------------------------------------------------------------
+## 10-auth
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+disable_plaintext_auth = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain login
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-vpopmail.conf.ext
+#!include auth-static.conf.ext
+
+
+# ----------------------------------------------------------------------------
+# 10-login.conf
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+log_timestamp = "%Y-%m-%d %H:%M:%S "
+
+# ----------------------------------------------------------------------------
+# 10-mail.conf
+
+
+# Location for users' mailboxes. This is the same as the old default_mail_env
+# setting. The default is empty, which means that Dovecot tries to find the
+# mailboxes automatically. This won't work if the user doesn't have any mail
+# yet, so you should explicitly tell Dovecot the full location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if there's no domain
+#   %h - home directory
+#
+# See </usr/share/doc/dovecot-common/wiki/Variables.txt> for full list.
+# Some examples:
+#
+#   mail_location = maildir:~/Maildir
+#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
+#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# </usr/share/doc/dovecot-common/wiki/MailLocation.txt>
+#
+mail_location = maildir:~/Maildir
+
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+mail_privileged_group = vmail
+
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+first_valid_uid = 2000
+last_valid_uid = 65000
+
+# ----------------------------------------------------------------------------
+# 10-master.conf
+
+passdb {
+  driver = sql
+  args = /etc/dovecot/alternc-sql.conf
+}
+
+userdb {
+  driver = sql
+  args = /etc/dovecot/alternc-sql.conf
+}
+userdb {
+  driver = prefetch
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  unix_listener auth-master {
+    mode = 0600
+    user = vmail
+  }
+
+  # set this to (default_client_limit * number of services using it) 
+  client_limit = 5000
+}
+
+service anvil {
+  # set this to (default_client_limit * number of services using it) 
+  client_limit = 5000
+}
+
+
+# ----------------------------------------------------------------------------
+# 10-ssl.conf
+
+# SSL/TLS support: yes, no, required. </usr/share/doc/dovecot-common/wiki/SSL.txt>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root.
+#ssl_cert = </etc/dovecot/dovecot.pem
+#ssl_cert_file = /etc/alternc/apache.pem
+#ssl_key = </etc/dovecot/dovecot.pem
+#ssl_key_file = /etc/alternc/apache.pem
+
+
+# ----------------------------------------------------------------------------
+# 15-lda.conf
+
+##
+## LDA specific settings
+##
+
+protocol lda {
+  # Address to use when sending rejection mails (e.g. postmaster@example.com).
+  postmaster_address = postmaster@localhost
+
+  # Hostname to use in various parts of sent mails, eg. in Message-Id.
+  # Default is the system's real hostname.
+  #hostname = 
+
+  # Support for dynamically loadable plugins. mail_plugins is a space separated
+  # list of plugins to load.
+  mail_plugins = quota sieve
+  #mail_plugin_dir = /usr/lib/dovecot/modules/lda
+
+
+  # UNIX socket path to master authentication server to find users.
+  auth_socket_path = /var/run/dovecot/auth-master
+}
+
+
+# ----------------------------------------------------------------------------
+# 20-imap.conf
+
+protocol imap {
+  # Support for dynamically loadable plugins. mail_plugins is a space separated
+  # list of plugins to load.
+  mail_plugins = quota imap_quota 
+  #mail_plugin_dir = /usr/lib/dovecot/modules/imap
+  mail_max_userip_connections = 500
+}
+
+service imap {
+  executable = imap imap-postlogin
+  vsz_limit = 512M
+}
+
+service imap-postlogin {
+	executable =   script-login /usr/lib/alternc/popimap-log-login.sh
+  # the script process runs as the user specified here (v2.0.14+):
+#  user = $default_internal_user
+  # this UNIX socket listener must use the same name as given to imap executable
+  unix_listener imap-postlogin {
+  }
+}
+
+# ----------------------------------------------------------------------------
+# 20-managesieve.conf
+
+protocol sieve {
+  managesieve_notify_capability = mailto
+  managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
+}
+
+service managesieve {
+  executable = /usr/lib/dovecot/managesieve
+}
+
+
+
+# ----------------------------------------------------------------------------
+# 20-pop3.conf
+
+protocol pop3 {
+
+  # POP3 UIDL (unique mail identifier) format to use. You can use following
+  # variables, along with the variable modifiers described in
+  # </usr/share/doc/dovecot-common/wiki/Variables.txt> (e.g. %Uf for the
+  # filename in uppercase)
+  #
+  #  %v - Mailbox's IMAP UIDVALIDITY
+  #  %u - Mail's IMAP UID
+  #  %m - MD5 sum of the mailbox headers in hex (mbox only)
+  #  %f - filename (maildir only)
+  #
+  # If you want UIDL compatibility with other POP3 servers, use:
+  #  UW's ipop3d         : %08Xv%08Xu
+  #  Courier             : %f or %v-%u (both might be used simultaneosly)
+  #  Cyrus (<= 2.1.3)    : %u
+  #  Cyrus (>= 2.1.4)    : %v.%u
+  #  Dovecot v0.99.x     : %v.%u
+  #  tpop3d              : %Mf
+  #
+  # Note that Outlook 2003 seems to have problems with %v.%u format which was
+  # Dovecot's default, so if you're building a new server it would be a good
+  # idea to change this. %08Xu%08Xv should be pretty fail-safe.
+  #
+  pop3_uidl_format = %08Xu%08Xv
+
+  # Support for dynamically loadable plugins. mail_plugins is a space separated
+  # list of plugins to load.
+  mail_plugins = quota
+  #mail_plugin_dir = /usr/lib/dovecot/modules/pop3
+
+}
+
+service pop3 {
+  executable = /usr/lib/alternc/popimap-log-login.sh /usr/lib/dovecot/pop3
+}
+
+# ----------------------------------------------------------------------------
+# 90-plugin.conf
+
+plugin {
+
+  # Quota plugin. Multiple backends are supported:
+  #   dirsize: Find and sum all the files found from mail directory.
+  #            Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
+  #   dict: Keep quota stored in dictionary (eg. SQL)
+  #   maildir: Maildir++ quota
+  #   fs: Read-only support for filesystem quota
+  #
+  # Quota limits are set using "quota_rule" parameters, either in here or in
+  # userdb. It's also possible to give mailbox-specific limits, for example:
+  #   quota_rule = *:storage=1048576
+     quota_rule = *:storage=100M
+     quota_rule2 = Trash:storage=+10%%
+  #   quota_rule2 = Trash:storage=102400
+  # User has now 1GB quota, but when saving to Trash mailbox the user gets
+  # additional 100MB.
+  #
+  # Multiple quota roots are also possible, for example:
+  #   quota = dict:user::proxy::quota
+  #   quota2 = dict:domain:%d:proxy::quota_domain
+  #   quota_rule = *:storage=102400
+  #   quota2_rule = *:storage=1048576
+  # Gives each user their own 100MB quota and one shared 1GB quota within
+  # the domain.
+  #
+  # You can execute a given command when user exceeds a specified quota limit.
+  # Each quota root has separate limits. Only the command for the first
+  # exceeded limit is excecuted, so put the highest limit first.
+  # Note that % needs to be escaped as %%, otherwise "% " expands to empty.
+  #   quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
+  #   quota_warning2 = storage=80%% /usr/local/bin/quota-warning.sh 80
+     quota_warning = storage=95%% /usr/lib/alternc/quota-warning.sh 95
+     quota_warning2 = storage=80%% /usr/lib/alternc/quota-warning.sh 80
+  #quota = maildir
+  quota = dict:user::proxy::quotadict
+
+
+  # Sieve plugin (http://wiki.dovecot.org/LDA/Sieve) and ManageSieve service
+  #
+  # Location of the active script. When ManageSieve is used this is actually
+  # a symlink pointing to the active script in the sieve storage directory.
+  sieve=~/.dovecot.sieve
+  #
+  # The path to the directory where the personal Sieve scripts are stored. For
+  # ManageSieve this is where the uploaded scripts are stored.
+  sieve_dir=~/sieve
+}
+
+# Dictionary can be used by some plugins to store key=value lists, such as
+# quota, expire and acl plugins. The dictionary can be used either directly or
+# though a dictionary server. The following dict block maps dictionary names to
+# URIs when the server is used. These can then be referenced using URIs in
+# format "proxy::<name>".
+
+dict {
+  quotadict = mysql:/etc/dovecot/alternc-dict-quota.conf
+  #expire = db:/var/lib/dovecot/expire.db
+}
+
+
+service auth-worker {
+  user = vmail
+}
+
+service dict {
+  unix_listener dict {
+    mode = 0660
+    user = vmail
+    group = vmail
+  }
+}

install/alternc.install

@@ -79,7 +79,7 @@ if [ -e /etc/default/saslauthd ]; then
 fi
 
 if [ -e /etc/dovecot/dovecot.conf ]; then
-    CONFIG_FILES="$CONFIG_FILES etc/dovecot/dovecot.conf etc/dovecot/dovecot-sql.conf etc/dovecot/dovecot-dict-quota.conf"
+    CONFIG_FILES="$CONFIG_FILES etc/dovecot/alternc-sql.conf etc/dovecot/alternc-dict-quota.conf etc/dovecot/conf.d/95_alternc.conf"
 fi
 
 INSTALLED_CONFIG_TAR="/var/lib/alternc/backups/etc-installed.tar.gz"
@@ -317,7 +317,7 @@ if [ -x /usr/sbin/apache2 ]; then
         fi
 
 	# We enable dovecot SSL certificate instructions: (on wheezy we should use a new file in /etc/dovecot/conf.d/ )
-	sed -i -e 's#^ssl_cert_file.*$#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem#' -e 's#^ssl_key_file.*$#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key#' /etc/dovecot/dovecot.conf
+	( echo "# Don't change this file, it will be overwriten by alternc.install. Change ssl parameters in a file named 99_ssl.conf instead" ; echo "ssl_cert = </etc/alternc/apache.pem" ; echo "ssl_key = </etc/alternc/apache.pem" ) >/etc/dovecot/conf.d/96_ssl.conf
 
     else
         # We disable proftpd tls module
@@ -326,7 +326,7 @@ if [ -x /usr/sbin/apache2 ]; then
         cp /etc/proftpd/modules.conf /etc/alternc/templates/proftpd/
 
 	# We disable dovecot SSL certificate instructions: (on wheezy we should remove a file in /etc/dovecot/conf.d/ )
-        sed -i -e 's#^ssl_cert_file.*$#ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem#' -e 's#^ssl_key_file.*$#ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key#' /etc/dovecot/dovecot.conf
+	( echo "# Don't change this file, it will be overwriten by alternc.install. Change ssl parameters in a file named 99_ssl.conf instead" ; echo "ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem" ; echo "ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key" ) >/etc/dovecot/conf.d/96_ssl.conf
 
         echo "SSL not configured"
         echo "create a certificate in /etc/alternc/apache.pem and rerun alternc.install"
@@ -582,9 +582,11 @@ else
     mysql --defaults-file=/etc/alternc/my.cnf -e "UPDATE db_servers SET host='$MYSQL_HOST', login='$MYSQL_USER', password='$MYSQL_PASS', client='$MYSQL_HOST_CLIENT' WHERE name='Default';"
 fi
 
-#giving vmail user read access on dovecot sql file
+# giving vmail user read access on dovecot sql file
-chgrp vmail /etc/dovecot/dovecot.conf
+chgrp vmail /etc/dovecot/alternc-sql.conf
-chmod g+r /etc/dovecot/dovecot.conf
+chmod g+r /etc/dovecot/alternc-sql.conf
+# Override some dovecot 2.0 configuration that may have happened during dovecot postinst:
+sed -i -e 's/^ *!include/#!include/' /etc/dovecot/conf.d/10-auth.conf
 
 # We force the re-computing of the DNS zones, since we may have changed the IP address (see #460)
 /usr/bin/mysql --defaults-file="/etc/alternc/my.cnf" -B -e "update domaines set dns_action='UPDATE' WHERE gesdns=1;"