Stretch backport (#813)

* install dovecot from backports

* dovecot 2.2.33 has a slightly different TLS-configuration than 2.2.27

* want to have both images a the same time

* make use of the /etc/dovecot/ssl as mkcert.sh (2.2.33) is using that folder for certs.
This commit is contained in:
Marek Walczak 2018-02-04 21:27:47 +01:00 committed by Johan Smits
parent c2f4220016
commit b4b19e76b7
6 changed files with 25 additions and 20 deletions

View file

@ -28,13 +28,6 @@ RUN apt-get update -q --fix-missing && \
clamav-daemon \ clamav-daemon \
cpio \ cpio \
curl \ curl \
dovecot-core \
dovecot-imapd \
dovecot-ldap \
dovecot-lmtpd \
dovecot-managesieved \
dovecot-pop3d \
dovecot-sieve \
ed \ ed \
fail2ban \ fail2ban \
fetchmail \ fetchmail \
@ -77,11 +70,20 @@ RUN apt-get update -q --fix-missing && \
&& \ && \
curl https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add - && \ curl https://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add - && \
echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \ echo "deb http://packages.elastic.co/beats/apt stable main" | tee -a /etc/apt/sources.list.d/beats.list && \
echo "deb http://ftp.debian.org/debian stretch-backports main" | tee -a /etc/apt/sources.list.d/stretch-bp.list && \
apt-get update -q --fix-missing && \ apt-get update -q --fix-missing && \
apt-get -y upgrade \ apt-get -y upgrade \
fail2ban \
filebeat \ filebeat \
&& \ && \
apt-get -t stretch-backports -y install --no-install-recommends \
dovecot-core \
dovecot-imapd \
dovecot-ldap \
dovecot-lmtpd \
dovecot-managesieved \
dovecot-pop3d \
dovecot-sieve \
&& \
apt-get autoclean && \ apt-get autoclean && \
rm -rf /var/lib/apt/lists/* && \ rm -rf /var/lib/apt/lists/* && \
rm -rf /usr/share/locale/* && \ rm -rf /usr/share/locale/* && \
@ -107,6 +109,9 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
sed -i -e 's/^.*lda_mailbox_autosubscribe.*/lda_mailbox_autosubscribe = yes/g' /etc/dovecot/conf.d/15-lda.conf && \ sed -i -e 's/^.*lda_mailbox_autosubscribe.*/lda_mailbox_autosubscribe = yes/g' /etc/dovecot/conf.d/15-lda.conf && \
sed -i -e 's/^.*postmaster_address.*/postmaster_address = '${POSTMASTER_ADDRESS:="postmaster@domain.com"}'/g' /etc/dovecot/conf.d/15-lda.conf && \ sed -i -e 's/^.*postmaster_address.*/postmaster_address = '${POSTMASTER_ADDRESS:="postmaster@domain.com"}'/g' /etc/dovecot/conf.d/15-lda.conf && \
sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval = 29 mins/' /etc/dovecot/conf.d/20-imap.conf && \ sed -i 's/#imap_idle_notify_interval = 2 mins/imap_idle_notify_interval = 29 mins/' /etc/dovecot/conf.d/20-imap.conf && \
# stretch-backport of dovecot needs this folder
mkdir /etc/dovecot/ssl && \
chmod 755 /etc/dovecot/ssl && \
cd /usr/share/dovecot && \ cd /usr/share/dovecot && \
./mkcert.sh && \ ./mkcert.sh && \
mkdir /usr/lib/dovecot/sieve-pipe && \ mkdir /usr/lib/dovecot/sieve-pipe && \

View file

@ -9,8 +9,8 @@
# dropping root privileges, so keep the key file unreadable by anyone but # dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed # root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf # certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/dovecot.pem ssl_cert = </etc/dovecot/ssl/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem ssl_key = </etc/dovecot/ssl/dovecot.key
# If key file is password protected, give the password here. Alternatively # If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often # give it when starting dovecot with -p parameter. Since this file is often

View file

@ -736,8 +736,8 @@ function _setup_ssl() {
sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/postfix/main.cf sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/postfix/main.cf
# Dovecot configuration # Dovecot configuration
sed -i -e 's~ssl_cert = </etc/dovecot/dovecot\.pem~ssl_cert = </etc/letsencrypt/live/'$HOSTNAME'/fullchain\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/letsencrypt/live/'$HOSTNAME'/fullchain\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
sed -i -e 's~ssl_key = </etc/dovecot/private/dovecot\.pem~ssl_key = </etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
notify 'inf' "SSL configured with 'letsencrypt' certificates" notify 'inf' "SSL configured with 'letsencrypt' certificates"
fi fi
@ -755,8 +755,8 @@ function _setup_ssl() {
sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/postfix/ssl/'$HOSTNAME'-full.pem~g' /etc/postfix/main.cf sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/postfix/ssl/'$HOSTNAME'-full.pem~g' /etc/postfix/main.cf
# Dovecot configuration # Dovecot configuration
sed -i -e 's~ssl_cert = </etc/dovecot/dovecot\.pem~ssl_cert = </etc/postfix/ssl/'$HOSTNAME'-full\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/postfix/ssl/'$HOSTNAME'-full\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
sed -i -e 's~ssl_key = </etc/dovecot/private/dovecot\.pem~ssl_key = </etc/postfix/ssl/'$HOSTNAME'-full\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/postfix/ssl/'$HOSTNAME'-full\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
notify 'inf' "SSL configured with 'CA signed/custom' certificates" notify 'inf' "SSL configured with 'CA signed/custom' certificates"
fi fi
@ -777,8 +777,8 @@ function _setup_ssl() {
sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/postfix/ssl/key~g' /etc/postfix/main.cf sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/postfix/ssl/key~g' /etc/postfix/main.cf
# Dovecot configuration # Dovecot configuration
sed -i -e 's~ssl_cert = </etc/dovecot/dovecot\.pem~ssl_cert = </etc/postfix/ssl/cert~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/postfix/ssl/cert~g' /etc/dovecot/conf.d/10-ssl.conf
sed -i -e 's~ssl_key = </etc/dovecot/private/dovecot\.pem~ssl_key = </etc/postfix/ssl/key~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/postfix/ssl/key~g' /etc/dovecot/conf.d/10-ssl.conf
notify 'inf' "SSL configured with 'Manual' certificates" notify 'inf' "SSL configured with 'Manual' certificates"
fi fi
@ -806,8 +806,8 @@ function _setup_ssl() {
ln -s /etc/postfix/ssl/cacert.pem "/etc/ssl/certs/cacert-$HOSTNAME.pem" ln -s /etc/postfix/ssl/cacert.pem "/etc/ssl/certs/cacert-$HOSTNAME.pem"
# Dovecot configuration # Dovecot configuration
sed -i -e 's~ssl_cert = </etc/dovecot/dovecot\.pem~ssl_cert = </etc/postfix/ssl/'$HOSTNAME'-combined\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/postfix/ssl/'$HOSTNAME'-combined\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
sed -i -e 's~ssl_key = </etc/dovecot/private/dovecot\.pem~ssl_key = </etc/postfix/ssl/'$HOSTNAME'-key\.pem~g' /etc/dovecot/conf.d/10-ssl.conf sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/postfix/ssl/'$HOSTNAME'-key\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
notify 'inf' "SSL configured with 'self-signed' certificates" notify 'inf' "SSL configured with 'self-signed' certificates"
fi fi

View file

@ -9,8 +9,8 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but # dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed # root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf # certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/dovecot.pem ssl_cert = </etc/dovecot/ssl/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem ssl_key = </etc/dovecot/ssl/dovecot.key
# If key file is password protected, give the password here. Alternatively # If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often # give it when starting dovecot with -p parameter. Since this file is often