dovecot: migrate to dovecot 2.4

2026-04-18 16:15:29 +02:00
parent 7dce7fbd5a
commit f9d1435378
6 changed files with 391 additions and 359 deletions
@@ -81,7 +81,7 @@
            };
            "lowquota@example.com" = {
              hashedPassword = "$6$u61JrAtuI0a$nGEEfTP5.eefxoScUGVG/Tl0alqla2aGax4oTd85v3j3xSmhv/02gNfSemv/aaMinlv9j/ZABosVKBrRvN5Qv0";
-              quota = "1B";
+              quota = "1K";
            };
          };

@@ -98,13 +98,13 @@
          fullTextSearch = {
            enable = true;
            autoIndex = true;
-            # special use depends on https://github.com/NixOS/nixpkgs/pull/93201
-            autoIndexExclude = [
-              (if (pkgs.lib.versionAtLeast pkgs.lib.version "21") then "\\Junk" else "Junk")
-            ];
-            enforced = "yes";
+            fallback = false;
          };
        };
+
+        # by default quota can be exceeded once with this amount (default: 10M)
+        # this is required to make the quota subtest hard fail on the first attempt.
+        services.dovecot2.settings.quota_storage_grace = "0";
      };
    client =
      { nodes, pkgs, ... }:
@@ -306,7 +306,21 @@

              Hello User1,

-              how are you doing today?
+              how are you doing today? I have this exciting text for you, that helps fill
+              your quota.
+
+              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod
+              tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At
+              vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren,
+              no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit
+              amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut
+              labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam
+              et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata
+              sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur
+              sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore
+              magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo
+              dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est
+              Lorem ipsum dolor sit amet.

              XOXO User1
            '';
@@ -514,6 +528,8 @@
          client.execute("rm ~/mail/*")
          client.execute("mv ~/.fetchmailRcLowQuota ~/.fetchmailrc")

+          server.log(server.succeed("doveadm quota get -u lowquota@example.com"))
+
          client.succeed(
              "msmtp -a test3 --tls=on --tls-certcheck=off --auth=on lowquota@example.com < /etc/root/email2 >&2"
          )
@@ -78,6 +78,8 @@ in
          };
        };

+        systemd.services.dovecot.serviceConfig.CacheDirectory = "dovecot";
+
        mailserver = {
          enable = true;
          fqdn = "mail.example.com";
@@ -114,7 +116,7 @@ in
            group = "vmail";
          };

-          indexDir = "/var/lib/dovecot/indices";
+          indexDir = "/var/cache/dovecot/fts";

          enableImap = false;
        };
@@ -219,7 +221,8 @@ in
      with subtest("Check dovecot maildir and index locations"):
          # If these paths change we need a migration
          machine.succeed("doveadm user -f home user1@example.com | grep ${nodes.machine.mailserver.storage.path}/example.com/user1")
-          machine.succeed("doveadm user -f mail user1@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.mailserver.indexDir}/example.com/user1'")
+          machine.succeed("doveadm user -f mail_path user1@example.com | grep ${nodes.machine.mailserver.storage.path}/example.com/user1/mail")
+          machine.succeed("doveadm user -f mail_index_path user1@example.com | grep ${nodes.machine.mailserver.indexDir}/example.com/user1")

      with subtest("mail to send only accounts is rejected"):
          machine.wait_for_open_port(25)
@@ -18,7 +18,6 @@ let
  alicePassword = "testalice";
  bobPassword = "testbob";
  carolPassword = "testcarol";
-  frankPassword = "testfrank";
  malloryPassword = "testmallory";
 in
 {
@@ -76,7 +75,8 @@ in
              objectClass: simpleSecurityObject
              objectClass: top
              cn: mail
-              userPassword: ${bindPassword}
+              # unsafegibberish
+              userPassword: {SSHA}JNr6l3s/RHo1LKRXqFsJg8sXznyRid8L

              dn: ou=users,dc=example
              objectClass: organizationalUnit
@@ -88,7 +88,8 @@ in
              uid: alice
              sn: Foo
              mail: alice@example.com
-              userPassword: ${alicePassword}
+              # testalice
+              userPassword: {SSHA}gkJq4Dm4jfIKjxviR0WD63wMt0Ti6zMB

              dn: cn=bob,ou=users,dc=example
              entryUUID: f3b4e8ea-087f-42cc-95f0-cbfd99386092
@@ -100,7 +101,8 @@ in
              sn: Bar
              mail: bob@example.com
              homeDirectory: /home/bob
-              userPassword: ${bobPassword}
+              # testbob
+              userPassword: {SSHA}qqUveZGZrDrjYFnREXLDZc//y89RppVN

              dn: cn=carol,ou=users,dc=example
              entryUUID: 41240499-27e2-4fa2-be4f-4113a77661b1
@@ -108,7 +110,8 @@ in
              uid: carol
              sn: Baz
              mail: carol@example.com
-              userPassword: ${carolPassword}
+              # testcarol
+              userPassword: {SSHA}69HOuP+OPWE+3+tDucFZxzXDC7p4e3ML

              dn: cn=frank,ou=users,dc=example
              entryUUID: ca16f594-f6b2-418f-87d3-0d02d746461f
@@ -116,17 +119,23 @@ in
              uid: frank
              sn: Moo
              mail: frank@example.com
-              userPassword: ${frankPassword}
+              # testfrank
+              userPassword: {SSHA}xqtMl8/uJ6HEFWDzLYpAE+Wq7FvKrtkm
            '';
        };

+        systemd.services.dovecot.serviceConfig = {
+          CacheDirectory = "dovecot";
+          StateDirectory = "dovecot";
+        };
+
        mailserver = {
          enable = true;
          fqdn = "mail.example.com";
          domains = [ "example.com" ];
          localDnsResolver = false;
          storage.path = "/var/lib/dovecot/vmail";
-          indexDir = "/var/lib/dovecot/indices";
+          indexDir = "/var/cache/dovecot/indices";

          aliases = {
            # Steal frank@example.com from LDAP user frank
@@ -215,11 +224,11 @@ in
        machine.succeed("doveadm user -f gid bob@example.com | grep ${toString nodes.machine.mailserver.storage.uid}")

        machine.succeed("doveadm user -f home bob@example.com | grep ${nodes.machine.mailserver.storage.path}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")
-        machine.succeed("doveadm user -f mail bob@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.mailserver.indexDir}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092'")
+        machine.succeed("doveadm user -f mail_path bob@example.com | grep ${nodes.machine.mailserver.storage.path}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")
+        machine.succeed("doveadm user -f mail_index_path bob@example.com | grep ${nodes.machine.mailserver.indexDir}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")

      with subtest("Files containing secrets are only readable by root"):
        machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
-        machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")

      with subtest("Test account/mail address binding via explicit TLS"):
        machine.fail(" ".join([