Hello community, here is the log from the commit of package dovecot22 for openSUSE:Factory checked in at 2015-06-23 12:00:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dovecot22 (Old) and /work/SRC/openSUSE:Factory/.dovecot22.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dovecot22" Changes: -------- --- /work/SRC/openSUSE:Factory/dovecot22/dovecot22.changes 2015-05-26 12:33:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dovecot22.new/dovecot22.changes 2015-06-23 12:00:47.000000000 +0200 @@ -1,0 +2,27 @@ +Mon Jun 15 15:14:57 UTC 2015 - [email protected] + +- added dovecot-2.2.18-better_ssl_defaults.patch: (boo #854512) + - set the default cipher suite to: + ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH + - disable not just SSLv2 by default but also SSLv3 + - set default dh params length to 2048 + - prefer server side cipher order + - disable compression +- dropped all config changing via sed and folded them into this + patch + + Upgrade note: if you want to benefit from those changes you have + to merge your /etc/dovecot/conf.d/10-ssl.conf with + /usr/share/doc/packages/dovecot/example-config/conf.d/10-ssl.conf + +------------------------------------------------------------------- +Mon Jun 15 11:22:01 UTC 2015 - [email protected] + +- added dovecot-2.2.18-dont_use_etc_ssl_certs.patch: + Remove all references /etc/ssl/certs/. It should not be used + anymore. (boo #932386) + + Please make sure you read README.SUSE after installing this + update. + +------------------------------------------------------------------- New: ---- dovecot-2.2.18-better_ssl_defaults.patch dovecot-2.2.18-dont_use_etc_ssl_certs.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dovecot22.spec ++++++ --- /var/tmp/diff_new_pack.ljQQro/_old 2015-06-23 12:00:48.000000000 +0200 +++ /var/tmp/diff_new_pack.ljQQro/_new 2015-06-23 12:00:48.000000000 +0200 
@@ -127,6 +127,8 @@ Source5: dovecot-2.2.configfiles Source6: dovecot-2.1-pigeonhole.configfiles Source7: dovecot-2.2-pigeonhole.configfiles +Patch: dovecot-2.2.18-dont_use_etc_ssl_certs.patch +Patch1: dovecot-2.2.18-better_ssl_defaults.patch Summary: IMAP and POP3 Server Written Primarily with Security in Mind License: BSD-3-Clause and LGPL-2.1+ and MIT Group: Productivity/Networking/Email/Servers @@ -304,12 +306,9 @@ %prep %setup -q -n %{pkg_name}-%{dovecot_version} -a 1 +%patch -p1 +%patch1 -p1 %{__gzip} -9v ChangeLog -# Disable ssl per default. -%{__sed} -i 's|#ssl = yes|ssl = no|' doc/example-config/conf.d/10-ssl.conf -# Also do not include non-existant key and cert files for SSL bnc#696919. -%{__sed} -i 's|^ssl_cert = |#ssl_cert = |' doc/example-config/conf.d/10-ssl.conf -%{__sed} -i 's|^ssl_key = |#ssl_key = |' doc/example-config/conf.d/10-ssl.conf # Fix plugins dir. %{__sed} -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf ++++++ dovecot-2.2.18-better_ssl_defaults.patch ++++++ Index: dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf =================================================================== --- dovecot-2.2.18.orig/doc/example-config/conf.d/10-ssl.conf +++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf @@ -9,8 +9,8 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/ssl/private/dovecot.crt -ssl_key = </etc/ssl/private/dovecot.pem +#ssl_cert = </etc/ssl/private/dovecot.crt +#ssl_key = </etc/ssl/private/dovecot.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often 
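Review bot: The removed line `%{__sed} -i 's|#ssl = yes|ssl = no|' doc/example-config/conf.d/10-ssl.conf` in the %prep hunk has no counterpart in the patch that replaces it: the 10-ssl.conf hunks of dovecot-2.2.18-better_ssl_defaults.patch start at line 9 and never touch the `ssl =` directive, while that same patch comments out `ssl_cert` and `ssl_key`. If the shipped example config therefore ends up with SSL enabled and no certificate configured, dovecot will presumably reject the configuration at startup on a fresh install (the old sed avoided this by defaulting to `ssl = no`), which is a regression the changelog's "folded them into this patch" claim does not cover. Either keep that sed line in %prep or add a hunk to the patch that turns the directive into `ssl = no`, and note in the %prep comment which of the old sed edits the two patches now carry so the next reviewer can check them against the patch hunks.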
@@ -43,20 +43,20 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_cert_username_field = commonName # DH parameters length to use. -#ssl_dh_parameters_length = 1024 +ssl_dh_parameters_length = 2048 # SSL protocols to use -#ssl_protocols = !SSLv2 +ssl_protocols = !SSLv2 !SSLv3 # SSL ciphers to use -#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL +ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # Prefer the server's order of ciphers over client's. -#ssl_prefer_server_ciphers = no +ssl_prefer_server_ciphers = yes # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: # no_compression - Disable compression. -#ssl_options = +ssl_options = no_compression Index: dovecot-2.2.18/src/lib-master/master-service-ssl-settings.c =================================================================== --- dovecot-2.2.18.orig/src/lib-master/master-service-ssl-settings.c +++ dovecot-2.2.18/src/lib-master/master-service-ssl-settings.c @@ -43,8 +43,8 @@ static const struct master_service_ssl_s .ssl_cert = "", .ssl_key = "", .ssl_key_password = "", - .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL", - .ssl_protocols = "!SSLv2", + .ssl_cipher_list = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH", + .ssl_protocols = "!SSLv2 !SSLv3", .ssl_cert_username_field = "commonName", .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE, Index: dovecot-2.2.18/src/lib-sql/driver-mysql.c =================================================================== --- dovecot-2.2.18.orig/src/lib-sql/driver-mysql.c +++ dovecot-2.2.18/src/lib-sql/driver-mysql.c 
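Review bot: The new default `.ssl_cipher_list` ends in `@STRENGTH`, which sorts the list purely by symmetric key length; combined with `ssl_prefer_server_ciphers = yes` from the 10-ssl.conf hunk in the same patch, the server can prefer 256-bit suites without forward secrecy (plain-RSA AES256-SHA) over 128-bit ECDHE/DHE AES-GCM suites. The exclusion part of the string is sound, but if the intent is a hardened default the key-exchange preference should be expressed explicitly, for instance by prefixing `EECDH+AESGCM:EDH+AESGCM:` and dropping `@STRENGTH`, and the same string then kept identical in the C default, the example config and driver-mysql.c. This default is compiled in, so installations that never set `ssl_cipher_list` or `ssl_protocols` change behaviour on upgrade; the changelog's upgrade note only covers merging 10-ssl.conf, which is not where these defaults live, so a line such as `/* openSUSE default, kept in sync with doc/example-config/conf.d/10-ssl.conf (boo #854512) */` above the two fields would help. The struct initializer this hunk edits starts before the hunk.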
@@ -156,7 +156,7 @@ static void driver_mysql_parse_connect_s const char *const *args, *name, *value; const char **field; - db->ssl_cipher = "HIGH"; + db->ssl_cipher = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"; db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */ args = t_strsplit_spaces(connect_string, " "); ++++++ dovecot-2.2.18-dont_use_etc_ssl_certs.patch ++++++ Index: dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf =================================================================== --- dovecot-2.2.18.orig/doc/example-config/conf.d/10-ssl.conf +++ dovecot-2.2.18/doc/example-config/conf.d/10-ssl.conf @@ -9,7 +9,7 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/ssl/certs/dovecot.pem +ssl_cert = </etc/ssl/private/dovecot.crt ssl_key = </etc/ssl/private/dovecot.pem # If key file is password protected, give the password here. Alternatively Index: dovecot-2.2.18/doc/man/doveconf.1.in =================================================================== --- dovecot-2.2.18.orig/doc/man/doveconf.1.in +++ dovecot-2.2.18/doc/man/doveconf.1.in @@ -126,7 +126,7 @@ Dump settings in simplified machine pars .TP .B \-x Expand configuration variables (e.g. \(Domail_plugins \(rA quota) and show -file contents (from e.g. ssl_cert = </etc/ssl/certs/dovecot.pem). +file contents (from e.g. ssl_cert = </etc/ssl/private/dovecot.crt). .\"--------------------------------- .TP .I section_name @@ -207,4 +207,4 @@ dict/quota = pgsql:@pkgsysconfdir@/dovec .BR doveadm (1), .BR dovecot (1), .BR dovecot\-lda (1), -.BR dsync (1) \ No newline at end of file +.BR dsync (1) Index: dovecot-2.2.18/doc/mkcert.sh =================================================================== --- dovecot-2.2.18.orig/doc/mkcert.sh +++ dovecot-2.2.18/doc/mkcert.sh 
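Review bot: The new `db->ssl_cipher` default is not strictly stronger than the `HIGH` it replaces: `ALL:...:!LOW` still admits OpenSSL's MEDIUM-strength 128-bit suites (SEED, IDEA) that `HIGH` excluded, so on the MySQL side this widens the accepted cipher set while the changelog describes a hardening. The context line kept directly below, `db->ssl_verify_server_cert = 0; /* FIXME: change to 1 for v2.3 */`, leaves the server certificate unverified, so cipher strength does not protect the SQL connection against an on-path attacker; if the package wants hardened TLS defaults this is the setting worth addressing or at least documenting in README.SUSE. A default that keeps the intent without the regression is `db->ssl_cipher = "HIGH:!aNULL:!eNULL:!3DES:!MD5:!PSK";`. The enclosing function (driver_mysql_parse_connect_s… in the hunk header) begins before this hunk.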
@@ -7,10 +7,10 @@ OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} -CERTDIR=$SSLDIR/certs +CERTDIR=$SSLDIR/private KEYDIR=$SSLDIR/private -CERTFILE=$CERTDIR/dovecot.pem +CERTFILE=$CERTDIR/dovecot.crt KEYFILE=$KEYDIR/dovecot.pem if [ ! -d $CERTDIR ]; then Index: dovecot-2.2.18/doc/wiki/CompilingSource.txt =================================================================== --- dovecot-2.2.18.orig/doc/wiki/CompilingSource.txt +++ dovecot-2.2.18/doc/wiki/CompilingSource.txt @@ -140,7 +140,7 @@ non-standard path. Make sure you have th installed, and if it is not in the standard location, set 'CPPFLAGS' and 'LDFLAGS' as shown in <the first section above.> [CompilingSource.txt] -By default the SSL certificate is read from '/etc/ssl/certs/dovecot.pem' and +By default the SSL certificate is read from '/etc/ssl/private/dovecot.crt' and the private key from '/etc/ssl/private/dovecot.pem'. The '/etc/ssl' directory can be changed using the '--with-ssldir=DIR' configure option. Both can of course be overridden from the configuration file. Index: dovecot-2.2.18/doc/wiki/SSL.CertificateCreation.txt =================================================================== --- dovecot-2.2.18.orig/doc/wiki/SSL.CertificateCreation.txt +++ dovecot-2.2.18/doc/wiki/SSL.CertificateCreation.txt 
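Review bot: With `CERTDIR=$SSLDIR/private` the two directory tests beginning at `if [ ! -d $CERTDIR ]; then` now check the same directory, and if the error message in that branch still reads `$SSLDIR/certs directory doesn't exist` (that line is outside the hunk) it names a directory the script no longer uses; change it to `echo "$CERTDIR directory doesn't exist"` or collapse the two checks into one. The reason for moving the certificate next to the key is only visible in the changelog, so a comment above the assignment is warranted, e.g. `# certificate is stored next to the key; /etc/ssl/certs must no longer be used (boo #932386)`. Since `KEYDIR` and `CERTDIR` are now always equal, consider deriving one from the other so a future change cannot split them again.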
@@ -39,7 +39,7 @@ CN matches the connected host name, othe invalid. It's also possible to use wildcards (eg. *.domain.com) in the host name. They should work with most clients. -By default the certificate is created to '/etc/ssl/certs/dovecot.pem' and the +By default the certificate is created to '/etc/ssl/private/dovecot.crt' and the private key file is created to '/etc/ssl/private/dovecot.pem'. Also by default the certificate will expire in 365 days. If you wish to change any of these, modify the mkcert.sh script. Index: dovecot-2.2.18/doc/wiki/SSL.DovecotConfiguration.txt =================================================================== --- dovecot-2.2.18.orig/doc/wiki/SSL.DovecotConfiguration.txt +++ dovecot-2.2.18/doc/wiki/SSL.DovecotConfiguration.txt @@ -6,7 +6,7 @@ The most important SSL settings are (in ---%<------------------------------------------------------------------------- ssl = yes # Preferred permissions: root:root 0444 -ssl_cert = </etc/ssl/certs/dovecot.pem +ssl_cert = </etc/ssl/private/dovecot.crt # Preferred permissions: root:root 0400 ssl_key = </etc/ssl/private/dovecot.pem ---%<------------------------------------------------------------------------- @@ -35,11 +35,11 @@ override the global setting.: ---%<------------------------------------------------------------------------- protocol imap { - ssl_cert = </etc/ssl/certs/imap.pem + ssl_cert = </etc/ssl/private/imap.crt ssl_key = </etc/ssl/private/imap.pem } protocol pop3 { - ssl_cert = </etc/ssl/certs/pop3.pem + ssl_cert = </etc/ssl/private/pop3.crt ssl_key = </etc/ssl/private/pop3.pem } ---%<------------------------------------------------------------------------- 
@@ -114,11 +114,11 @@ support SNI. ---%<------------------------------------------------------------------------- local_name imap.example.org { - ssl_cert = </etc/ssl/certs/imap.example.org.crt + ssl_cert = </etc/ssl/private/imap.example.org.crt ssl_key = </etc/ssl/private/imap.example.org.key } local_name imap.example2.org { - ssl_cert = </etc/ssl/certs/imap.example2.org.crt + ssl_cert = </etc/ssl/private/imap.example2.org.crt ssl_key = </etc/ssl/private/imap.example2.org.key } # ..etc..
