dovecot: migrate to dovecot 2.4

2026-04-18 16:15:29 +02:00
parent 7dce7fbd5a
commit f9d1435378
6 changed files with 391 additions and 359 deletions
@@ -18,7 +18,6 @@ let
  alicePassword = "testalice";
  bobPassword = "testbob";
  carolPassword = "testcarol";
-  frankPassword = "testfrank";
  malloryPassword = "testmallory";
 in
 {
@@ -76,7 +75,8 @@ in
              objectClass: simpleSecurityObject
              objectClass: top
              cn: mail
-              userPassword: ${bindPassword}
+              # unsafegibberish
+              userPassword: {SSHA}JNr6l3s/RHo1LKRXqFsJg8sXznyRid8L

              dn: ou=users,dc=example
              objectClass: organizationalUnit
@@ -88,7 +88,8 @@ in
              uid: alice
              sn: Foo
              mail: alice@example.com
-              userPassword: ${alicePassword}
+              # testalice
+              userPassword: {SSHA}gkJq4Dm4jfIKjxviR0WD63wMt0Ti6zMB

              dn: cn=bob,ou=users,dc=example
              entryUUID: f3b4e8ea-087f-42cc-95f0-cbfd99386092
@@ -100,7 +101,8 @@ in
              sn: Bar
              mail: bob@example.com
              homeDirectory: /home/bob
-              userPassword: ${bobPassword}
+              # testbob
+              userPassword: {SSHA}qqUveZGZrDrjYFnREXLDZc//y89RppVN

              dn: cn=carol,ou=users,dc=example
              entryUUID: 41240499-27e2-4fa2-be4f-4113a77661b1
@@ -108,7 +110,8 @@ in
              uid: carol
              sn: Baz
              mail: carol@example.com
-              userPassword: ${carolPassword}
+              # testcarol
+              userPassword: {SSHA}69HOuP+OPWE+3+tDucFZxzXDC7p4e3ML

              dn: cn=frank,ou=users,dc=example
              entryUUID: ca16f594-f6b2-418f-87d3-0d02d746461f
@@ -116,17 +119,23 @@ in
              uid: frank
              sn: Moo
              mail: frank@example.com
-              userPassword: ${frankPassword}
+              # testfrank
+              userPassword: {SSHA}xqtMl8/uJ6HEFWDzLYpAE+Wq7FvKrtkm
            '';
        };

+        systemd.services.dovecot.serviceConfig = {
+          CacheDirectory = "dovecot";
+          StateDirectory = "dovecot";
+        };
+
        mailserver = {
          enable = true;
          fqdn = "mail.example.com";
          domains = [ "example.com" ];
          localDnsResolver = false;
          storage.path = "/var/lib/dovecot/vmail";
-          indexDir = "/var/lib/dovecot/indices";
+          indexDir = "/var/cache/dovecot/indices";

          aliases = {
            # Steal frank@example.com from LDAP user frank
@@ -215,11 +224,11 @@ in
        machine.succeed("doveadm user -f gid bob@example.com | grep ${toString nodes.machine.mailserver.storage.uid}")

        machine.succeed("doveadm user -f home bob@example.com | grep ${nodes.machine.mailserver.storage.path}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")
-        machine.succeed("doveadm user -f mail bob@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.mailserver.indexDir}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092'")
+        machine.succeed("doveadm user -f mail_path bob@example.com | grep ${nodes.machine.mailserver.storage.path}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")
+        machine.succeed("doveadm user -f mail_index_path bob@example.com | grep ${nodes.machine.mailserver.indexDir}/ldap/f3b4e8ea-087f-42cc-95f0-cbfd99386092")

      with subtest("Files containing secrets are only readable by root"):
        machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
-        machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")

      with subtest("Test account/mail address binding via explicit TLS"):
        machine.fail(" ".join([