From: Zoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Date: Wed, 17 Dec 2025 10:29:29 +0000 (+0100)
Subject: Updated mx.pm (updated for dovecot-2.4.1).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=95c66dce8163be8b6a6240fece37c7dbfa9d06b7;p=user-lxc.git

Updated mx.pm (updated for dovecot-2.4.1).
---

diff --git a/sources/mx.pm/c3d/firstboot/scripts/20_setuppostfix.sh b/sources/mx.pm/c3d/firstboot/scripts/20_setuppostfix.sh
index c110386..524e370 100755
--- a/sources/mx.pm/c3d/firstboot/scripts/20_setuppostfix.sh
+++ b/sources/mx.pm/c3d/firstboot/scripts/20_setuppostfix.sh
@@ -45,6 +45,10 @@ postalias /etc/aliases
 postmap /etc/postfix/vmail_aliases
 postmap /etc/postfix/vmail_maildirs
 
+
+# backup original main.cf
+cp --archive /etc/postfix/main.cf{,.orig}
+
 # change existing parameters
 postconf inet_interfaces=all
 postconf smtpd_tls_cert_file=/etc/letsencrypt/live/useribm/fullchain.pem
diff --git a/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/conf.d/10-ssl.conf b/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/conf.d/10-ssl.conf
deleted file mode 100644
index f11520e..0000000
--- a/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/conf.d/10-ssl.conf
+++ /dev/null
@@ -1,82 +0,0 @@
-##
-## SSL settings
-##
-
-# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
-# plain imap and pop3 are still allowed for local connections
-ssl = required
-
-# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
-# dropping root privileges, so keep the key file unreadable by anyone but
-# root. Included doc/mkcert.sh can be used to easily generate self-signed
-# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/letsencrypt/live/useribm/fullchain.pem
-ssl_key = </etc/letsencrypt/live/useribm/privkey.pem
-
-# If key file is password protected, give the password here. Alternatively
-# give it when starting dovecot with -p parameter. Since this file is often
-# world-readable, you may want to place this setting instead to a different
-# root owned 0600 file by using ssl_key_password = <path.
-#ssl_key_password =
-
-# PEM encoded trusted certificate authority. Set this only if you intend to use
-# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
-# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
-#ssl_ca =
-
-# Require that CRL check succeeds for client certificates.
-#ssl_require_crl = yes
-
-# Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend or
-# submission service). The directory is usually /etc/pki/dovecot/certs in
-# Debian-based systems and the file is /etc/pki/tls/cert.pem in
-# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
-# large CA bundles, because it leads to excessive memory usage.
-#ssl_client_ca_dir =
-#ssl_client_ca_file =
-
-# Require valid cert when connecting to a remote server
-#ssl_client_require_valid_cert = yes
-
-# Request client to send a certificate. If you also want to require it, set
-# auth_ssl_require_client_cert=yes in auth section.
-#ssl_verify_client_cert = no
-
-# Which field from certificate to use for username. commonName and
-# x500UniqueIdentifier are the usual choices. You'll also need to set
-# auth_ssl_username_from_cert=yes.
-#ssl_cert_username_field = commonName
-
-# SSL DH parameters
-# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
-# Or migrate from old ssl-parameters.dat file with the command dovecot
-# gives on startup when ssl_dh is unset.
-#ssl_dh = </etc/dovecot/dh.pem
-
-# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
-# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
-#ssl_min_protocol = TLSv1
-
-# SSL ciphers to use, the default is:
-#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-# To disable non-EC DH, use:
-#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
-ssl_cipher_list = PROFILE=SYSTEM
-
-# Colon separated list of elliptic curves to use. Empty value (the default)
-# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
-# example of a valid value.
-#ssl_curve_list =
-
-# Prefer the server's order of ciphers over client's.
-#ssl_prefer_server_ciphers = no
-
-# SSL crypto device to use, for valid values run "openssl engine"
-#ssl_crypto_device =
-
-# SSL extra options. Currently supported options are:
-#   compression - Enable compression.
-#   no_ticket - Disable SSL session tickets.
-#ssl_options =
diff --git a/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/dovecot.conf b/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/dovecot.conf
index 3266edc..f600229 100644
--- a/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/dovecot.conf
+++ b/sources/mx.pm/c3d/postinstall/install-data/etc/dovecot/dovecot.conf
@@ -1,122 +1,53 @@
 ## Dovecot configuration file
 
-# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
-
-# "doveconf -n" command gives a clean output of the changed settings. Use it
-# instead of copy&pasting files when posting to the Dovecot mailing list.
-
-# '#' character and everything after it is treated as comments. Extra spaces
-# and tabs are ignored. If you want to use either of these explicitly, put the
-# value inside quotes, eg.: key = "# char and trailing whitespace  "
-
-# Most (but not all) settings can be overridden by different protocols and/or
-# source/destination IPs by placing the settings inside sections, for example:
-# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
-
-# Default values are shown for each setting, it's not required to uncomment
-# those. These are exceptions to this though: No sections (e.g. namespace {})
-# or plugin settings are added by default, they're listed only as examples.
-# Paths are also just examples with the real defaults being based on configure
-# options. The paths listed here are for configure --prefix=/usr
-# --sysconfdir=/etc --localstatedir=/var
-
-# Protocols we want to be serving.
-#protocols = imap pop3 lmtp
-
-# A comma separated list of IPs or hosts where to listen in for connections.
-# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
-# If you want to specify non-default ports or anything more complex,
-# edit conf.d/master.conf.
-#listen = *, ::
-
-# Base directory where to store runtime data.
-#base_dir = /var/run/dovecot/
-
-# Name of this instance. In multi-instance setup doveadm and other commands
-# can use -i <instance_name> to select which instance is used (an alternative
-# to -c <config_path>). The instance name is also added to Dovecot processes
-# in ps output.
-#instance_name = dovecot
-
-# Greeting message for clients.
-#login_greeting = Dovecot ready.
-
-# Space separated list of trusted network ranges. Connections from these
-# IPs are allowed to override their IP addresses and ports (for logging and
-# for authentication checks). disable_plaintext_auth is also ignored for
-# these networks. Typically you'd specify your IMAP proxy servers here.
-#login_trusted_networks =
-
-# Space separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets =
-
-# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
-# proxying. This isn't necessary normally, but may be useful if the destination
-# IP is e.g. a load balancer's IP.
-#auth_proxy_self =
-
-# Show more verbose process titles (in ps). Currently shows user name and
-# IP address. Useful for seeing who are actually using the IMAP processes
-# (eg. shared mailboxes or if same uid is used for multiple accounts).
-#verbose_proctitle = no
-
-# Should all processes be killed when Dovecot master process shuts down.
-# Setting this to "no" means that Dovecot can be upgraded without
-# forcing existing client connections to close (although that could also be
-# a problem if the upgrade is e.g. because of a security fix).
-#shutdown_clients = yes
-
-# If non-zero, run mail commands via this many connections to doveadm server,
-# instead of running them directly in the same process.
-#doveadm_worker_count = 0
-# UNIX socket or host:port used for connecting to doveadm server
-#doveadm_socket_path = doveadm-server
-
-# Space separated list of environment variables that are preserved on Dovecot
-# startup and passed down to all of its child processes. You can also give
-# key=value pairs to always set specific settings.
-#import_environment = TZ
-
-##
-## Dictionary server settings
-##
-
-# Dictionary can be used to store key=value lists. This is used by several
-# plugins. The dictionary can be accessed either directly or though a
-# dictionary server. The following dict block maps dictionary names to URIs
-# when the server is used. These can then be referenced using URIs in format
-# "proxy::<name>".
-
-dict {
-  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
-  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+# Dovecot configuration version. This must be the first setting in the
+# configuration file. It specifies the configuration syntax, the used setting
+# names and the expected default values.
+dovecot_config_version = 2.4.1
+
+# Dovecot storage file format version. It specifies the oldest Dovecot version
+# that must be able to read files written by this Dovecot instance. The
+# intention is that when upgrading Dovecot cluster, this setting is first kept
+# as the old Dovecot version. Once the cluster is fully upgraded to a new
+# version and there is no intention to rollback to the old version anymore,
+# this version number can be increased.
+dovecot_storage_version = 2.4.1
+
+# The configuration below is a minimal configuration file using system user authentication.
+# See https://doc.dovecot.org/configuration_manual/quick_configuration/
+
+!include_try conf.d/*.conf
+
+# Enable wanted protocols:
+protocols {
+  imap = yes
+  lmtp = yes
 }
 
-# Most of the actual configuration gets included below. The filenames are
-# first sorted by their ASCII value and parsed in that order. The 00-prefixes
-# in filenames are intended to make it easier to understand the ordering.
-#!include conf.d/*.conf
-!include conf.d/10-ssl.conf
+mail_uid = 250
+mail_gid = 250
+mail_driver = maildir
+mail_home = /var/vmail/%{user}
+mail_path = ~/mail
 
-# A config file can also tried to be included without giving an error if
-# it's not found:
-#!include_try local.conf
+# By default first_valid_uid is 1000. If your vmail user's UID is smaller,
+# you need to modify this:
+first_valid_uid = 200
 
-namespace {
+namespace inbox {
   inbox = yes
   separator = /
 }
 
-first_valid_uid = 200
-mail_home = /var/vmail/%n
-mail_location = maildir:~/mail
-
-passdb {
-  driver = passwd-file
-  args = /etc/dovecot/passwd
+# Authenticate from password file:
+passdb passwd-file {
+  passwd_file_path = /etc/dovecot/passwd
 }
 
-userdb {
-  driver = static
-  args = uid=250 gid=250
+ssl = required
+ssl_cipher_list = PROFILE=SYSTEM
+
+ssl_server {
+  cert_file = /etc/letsencrypt/live/useribm/fullchain.pem
+  key_file = /etc/letsencrypt/live/useribm/privkey.pem
 }