From 8f34f0af6f8b4dbb7152f98774abd318b1660209 Mon Sep 17 00:00:00 2001
From: Spitap
Date: Thu, 27 Oct 2022 17:00:58 +0200
Subject: [PATCH] Fixes ssl permission error, updated ssl_protocol parameter

---
 modoboa_installer/scripts/dovecot.py | 10 ++++++++--
 .../files/dovecot/conf.d/10-ssl-keys.try.tpl | 6 ++++++
 .../scripts/files/dovecot/conf.d/10-ssl.conf.tpl | 13 ++++++-------
 3 files changed, 20 insertions(+), 9 deletions(-)
 create mode 100644 modoboa_installer/scripts/files/dovecot/conf.d/10-ssl-keys.try.tpl

diff --git a/modoboa_installer/scripts/dovecot.py b/modoboa_installer/scripts/dovecot.py
index f015a7a..f9bb641 100644
--- a/modoboa_installer/scripts/dovecot.py
+++ b/modoboa_installer/scripts/dovecot.py
@@ -26,7 +26,7 @@ class Dovecot(base.Installer):
     }
     config_files = [
         "dovecot.conf", "dovecot-dict-sql.conf.ext", "conf.d/10-ssl.conf",
-        "conf.d/10-master.conf", "conf.d/20-lmtp.conf"]
+        "conf.d/10-master.conf", "conf.d/20-lmtp.conf", "conf.d/10-ssl-keys.try"]
     with_user = True
 
     def get_config_files(self):
@@ -58,8 +58,13 @@ class Dovecot(base.Installer):
         """Additional variables."""
         context = super(Dovecot, self).get_template_context()
         pw = pwd.getpwnam(self.user)
+        dovecot_package = {"deb": "dovecot-core", "rpm": "dovecot"}
+        ssl_protocol_parameter = "ssl_protocols"
+        if package.backend.get_installed_version(dovecot_package[package.backend.FORMAT]).startswith("2.3"):
+            ssl_protocol_parameter = "ssl_min_protocol"
         ssl_protocols = "!SSLv2 !SSLv3"
-        if package.backend.get_installed_version("openssl").startswith("1.1"):
+        if package.backend.get_installed_version("openssl").startswith("1.1") \
+            or package.backend.get_installed_version("openssl").startswith("3"):
             ssl_protocols = "!SSLv3"
         if "centos" in utils.dist_name():
             protocols = "protocols = imap lmtp sieve"
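Review bot: Nothing in this commit gives the newly listed `conf.d/10-ssl-keys.try` restrictive permissions, yet the `!include_try` that loads it in 10-ssl.conf.tpl only skips a file that cannot be opened, not a `<%tls_key_file` read that fails inside it (as far as I can tell from Dovecot's include semantics). If `base.Installer` writes the rendered file world-readable (its behaviour is not visible here), unprivileged invocations of `doveconf`/`doveadm` will still open the include and then hit the same permission error this commit sets out to fix. I would chmod the rendered file to 0600, root-owned, in the installer and add `# 10-ssl-keys.try must stay readable by root only so !include_try skips it for unprivileged readers` above the list. The same point applies to the new-file hunk and to the 10-ssl.conf.tpl hunk.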
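Review bot: The new `ssl_min_protocol` branch still hands the template `ssl_protocols` in the old exclusion syntax (`!SSLv2 !SSLv3` / `!SSLv3`), and `ssl_min_protocol` takes a single protocol name such as `TLSv1` or `TLSv1.2`, so the rendered `ssl_min_protocol = !SSLv3` is unlikely to pass `doveconf` on a 2.3 host — worth verifying there. Choosing the value together with the directive name fixes it: `TLSv1` matches the current exclusion list, `TLSv1.2` is the usual hardened minimum today. Two smaller points: `startswith("2.3")` sends a future 2.4+ back to the removed `ssl_protocols`, and if `get_installed_version` returns the raw package version (not visible here) a Debian-style epoch such as `1:2.3.19` never matches either, so a parsed (major, minor) comparison is more robust; and `get_installed_version("openssl")` is called twice in the `or` condition, so bind it once. `get_template_context` starts and ends outside this hunk; the rewrite below replaces only the lines from `dovecot_package` to the last `ssl_protocols` assignment.
```python
        dovecot_package = {"deb": "dovecot-core", "rpm": "dovecot"}
        dovecot_version = package.backend.get_installed_version(
            dovecot_package[package.backend.FORMAT])
        openssl_version = package.backend.get_installed_version("openssl")

        def major_minor(version):
            # (major, minor) of a dotted version string, ignoring a dpkg-style
            # epoch prefix ("1:2.3.19"); (0, 0) when it cannot be parsed.
            try:
                parts = version.rpartition(":")[2].split(".")
                return tuple(int(part) for part in parts[:2])
            except ValueError:
                return (0, 0)

        # Dovecot >= 2.3 replaced ssl_protocols (an exclusion list) with
        # ssl_min_protocol (a single minimum version), so the value has to
        # change together with the directive name.
        if major_minor(dovecot_version) >= (2, 3):
            ssl_protocol_parameter = "ssl_min_protocol"
            ssl_protocols = "TLSv1.2"
        else:
            ssl_protocol_parameter = "ssl_protocols"
            # OpenSSL >= 1.1 (and 3.x) no longer knows SSLv2, presumably why
            # the original code special-cased 1.1 — keep that behaviour.
            ssl_protocols = "!SSLv2 !SSLv3"
            if major_minor(openssl_version) >= (1, 1):
                ssl_protocols = "!SSLv3"
        # … unchanged: centos protocols selection and the context dict …
```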
@@ -79,6 +84,7 @@ class Dovecot(base.Installer):
             "modoboa_dbpassword": self.config.get("modoboa", "dbpassword"),
             "protocols": protocols,
             "ssl_protocols": ssl_protocols,
+            "ssl_protocol_parameter": ssl_protocol_parameter,
             "radicale_user": self.config.get("radicale", "user"),
             "radicale_auth_socket_path": os.path.basename(
                 self.config.get("dovecot", "radicale_auth_socket_path"))
diff --git a/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl-keys.try.tpl b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl-keys.try.tpl
new file mode 100644
index 0000000..e44abb8
--- /dev/null
+++ b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl-keys.try.tpl
@@ -0,0 +1,6 @@
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = <%tls_cert_file
+ssl_key = <%tls_key_file
\ No newline at end of file
diff --git a/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
index 10c127b..9b058e6 100644
--- a/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
+++ b/modoboa_installer/scripts/files/dovecot/conf.d/10-ssl.conf.tpl
@@ -5,12 +5,11 @@
 # SSL/TLS support: yes, no, required.
 #ssl = yes
 
-# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
-# dropping root privileges, so keep the key file unreadable by anyone but
-# root. Included doc/mkcert.sh can be used to easily generate self-signed
-# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = <%tls_cert_file
-ssl_key = <%tls_key_file
+# Workarround https://github.com/modoboa/modoboa/issues/2570
+# We try to load the key and pass if it fails
+# Keys require root permissions, standard commands would be blocked
+# by permissions
+!include_try = /etc/dovecot/conf.d/10-ssl-keys.try
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -41,7 +40,7 @@ ssl_key = <%tls_key_file
 #ssl_parameters_regenerate = 168
 
 # SSL protocols to use
-ssl_protocols = %ssl_protocols
+%ssl_protocol_parameter = %ssl_protocols
 
 # SSL ciphers to use
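Review bot: `!include_try = /etc/dovecot/conf.d/10-ssl-keys.try` hard-codes the directory while the rest of this template is rendered from installer variables, and because `include_try` is silent, an installation whose Dovecot config lives elsewhere (if the installer supports that — not visible here) or a missing include leaves the server with no `ssl_cert`/`ssl_key` at all instead of a clear error. A post-install check run as root, e.g. `doveconf ssl_cert ssl_key`, would surface that quickly, and the comment should state what a silent skip means for TLS. The comment text also needs work: `Workarround` → `Workaround`, and the last two lines would be clearer as `# The key is readable by root only, so config parsing by unprivileged tools` / `# (e.g. doveconf) would otherwise fail on it.` The second hunk of this file (`%ssl_protocol_parameter = %ssl_protocols`) runs past the end of the chunk, so it is not reviewed here.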