mail/dovecot 0.99.10

o Synchronise README.FreeBSD with current reality.
  o Improve security a little by adding a 'dovecot-auth'
    user and group.

PR:		53875
Submitted by:	Dominic Marks <dominic.marks@btinternet.com> (maintainer)

mail/dovecot-devel/files/README.FreeBSD

@@ -4,13 +4,38 @@
 # $FreeBSD$
 #
 
- o Dovecot currently will not allow users with a user or group id of 0
-   to login. Because of this you will not be able to open root's
-   mailbox, or any of the mailboxes of users in the wheel group. This is
-   intended as a security feature, and isn't an issue on Linux because
-   the concept of wheel is not enforced by GNU su.
+-> 2003/06/28 (NEW)
 
-  + 2003/04/15
+ o The authentication mechanism is different on FreeBSD 4 and 5.
+   For the default configuration set the following variables in
+   your dovecot.conf according to your version of FreeBSD.
+
+  + FreeBSD 4 (DEFAULT)
+
+    auth_passdb = passwd
+    auth_user = dovecot-auth
+
+  + FreeBSD 5
+
+    auth_passdb = pam *
+    auth_user = root
+
+-> 2003/04/15
+
+ o Dovecot will not allow users with a user or group id of 0 to
+   login. Because of this you will not be able to open root's
+   mailbox, or any of the mailboxes of users in the wheel group.
+
+  + 2003/06/28 (NEW)
+     Dovecot now has four configuration variables which allow you to
+     set the high and low boundaries for acceptable user and group ids.
+     You still can not login to root's mailbox with Dovecot however.
+     The default configuration which comes with the port is now
+     configured to accept connections from users in the wheel group,
+     my patch which added the allow_zero_gid variable below has been
+     removed. Update your configurations to match.
+
+  + 2003/04/15 (DEPRECIATED)
      It is now possible to change this behavior to allow wheel users to
      check their mailboxes with Dovecot. Add the following line to your
      dovecot.conf:
@@ -48,11 +73,14 @@
    The variables you will want to set in dovecot.conf to allow a SSL
    secured POP3 and IMAP service are:
 
-    + protocols = imap imaps pop3 pop3s
-    + ssl_disable = no
+    protocols = imap imaps pop3 pop3s
+    ssl_disable = no
 
    You may wish to also change the following variables to reflect the
    location of SSL certificates on your system.
    
-    + ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem
-    + ssl_key_file = /var/dovecot/ssl/private/imapd.pem
+    ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem
+    ssl_key_file = /var/dovecot/ssl/private/imapd.pem
+
+Thanks,
+Dominic Marks <dominic.marks@btinternet.com>

mail/dovecot-devel/files/patch-dovecot-example.conf

@@ -1,5 +1,5 @@
 --- dovecot-example.conf.orig	Thu Jun 26 17:11:06 2003
-+++ dovecot-example.conf	Thu Jun 26 22:36:08 2003
++++ dovecot-example.conf	Sat Jun 28 14:45:41 2003
 @@ -7,11 +7,11 @@
  # --with-ssldir=/etc/ssl
  
@@ -71,7 +71,7 @@
  # Number of login processes to create. If login_process_per_user is
  # yes, this is the number of extra processes waiting for users to log in.
 -#login_processes_count = 3
-+login_processes_count = 1
++#login_processes_count = 1
  
  # Maximum number of extra login processes to create. The extra process count
  # usually stays at login_processes_count, but when multiple users start logging
@@ -213,7 +213,7 @@
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible.
 -auth_user = root
-+auth_user = dovecot
++auth_user = dovecot-auth
  
  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.

mail/dovecot-devel/pkg-install

@@ -52,7 +52,7 @@ if [ x"$2" = xPRE-INSTALL ]; then
         fi
     fi
 
-    if /usr/sbin/pw user show "${USER}" 2>/dev/null; then
+    if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then
         echo "You already have a user \"${USER}\", so I will use it."
     else
         if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \
@@ -67,4 +67,34 @@ if [ x"$2" = xPRE-INSTALL ]; then
         fi
     fi
 
+    USER=dovecot-auth
+    GROUP=dovecot-auth
+
+    if /usr/sbin/pw groupshow "${GROUP}" 2>/dev/null; then
+	echo "You already have a group \"${GROUP}\", so I will use it."
+    else
+	if /usr/sbin/pw groupadd ${GROUP} -h -
+	then
+	    echo "Added group \"${GROUP}\"."
+	else
+	    echo "Adding group \"${GROUP}\" failed..."
+	    echo "Please create it, and try again."
+	    exit 1
+        fi
+    fi
+
+    if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then
+	echo "You already have a user \"${USER}\", so I will use it."
+    else
+	if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \
+	   -s /sbin/nologin \
+	   -c "Dovecot Auth"
+        then
+	    echo "Added user \"${USER}\"."
+	else
+	    echo "Adding user \"${USER}\" failed..."
+	    echo "Please create it, and try again."
+	    exit 1
+        fi
+    fi
 fi

mail/dovecot/files/README.FreeBSD

@@ -4,13 +4,38 @@
 # $FreeBSD$
 #
 
- o Dovecot currently will not allow users with a user or group id of 0
-   to login. Because of this you will not be able to open root's
-   mailbox, or any of the mailboxes of users in the wheel group. This is
-   intended as a security feature, and isn't an issue on Linux because
-   the concept of wheel is not enforced by GNU su.
+-> 2003/06/28 (NEW)
 
-  + 2003/04/15
+ o The authentication mechanism is different on FreeBSD 4 and 5.
+   For the default configuration set the following variables in
+   your dovecot.conf according to your version of FreeBSD.
+
+  + FreeBSD 4 (DEFAULT)
+
+    auth_passdb = passwd
+    auth_user = dovecot-auth
+
+  + FreeBSD 5
+
+    auth_passdb = pam *
+    auth_user = root
+
+-> 2003/04/15
+
+ o Dovecot will not allow users with a user or group id of 0 to
+   login. Because of this you will not be able to open root's
+   mailbox, or any of the mailboxes of users in the wheel group.
+
+  + 2003/06/28 (NEW)
+     Dovecot now has four configuration variables which allow you to
+     set the high and low boundaries for acceptable user and group ids.
+     You still can not login to root's mailbox with Dovecot however.
+     The default configuration which comes with the port is now
+     configured to accept connections from users in the wheel group,
+     my patch which added the allow_zero_gid variable below has been
+     removed. Update your configurations to match.
+
+  + 2003/04/15 (DEPRECIATED)
      It is now possible to change this behavior to allow wheel users to
      check their mailboxes with Dovecot. Add the following line to your
      dovecot.conf:
@@ -48,11 +73,14 @@
    The variables you will want to set in dovecot.conf to allow a SSL
    secured POP3 and IMAP service are:
 
-    + protocols = imap imaps pop3 pop3s
-    + ssl_disable = no
+    protocols = imap imaps pop3 pop3s
+    ssl_disable = no
 
    You may wish to also change the following variables to reflect the
    location of SSL certificates on your system.
    
-    + ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem
-    + ssl_key_file = /var/dovecot/ssl/private/imapd.pem
+    ssl_cert_file = /var/dovecot/ssl/certs/imapd.pem
+    ssl_key_file = /var/dovecot/ssl/private/imapd.pem
+
+Thanks,
+Dominic Marks <dominic.marks@btinternet.com>

mail/dovecot/files/patch-dovecot-example.conf

@@ -1,5 +1,5 @@
 --- dovecot-example.conf.orig	Thu Jun 26 17:11:06 2003
-+++ dovecot-example.conf	Thu Jun 26 22:36:08 2003
++++ dovecot-example.conf	Sat Jun 28 14:45:41 2003
 @@ -7,11 +7,11 @@
  # --with-ssldir=/etc/ssl
  
@@ -71,7 +71,7 @@
  # Number of login processes to create. If login_process_per_user is
  # yes, this is the number of extra processes waiting for users to log in.
 -#login_processes_count = 3
-+login_processes_count = 1
++#login_processes_count = 1
  
  # Maximum number of extra login processes to create. The extra process count
  # usually stays at login_processes_count, but when multiple users start logging
@@ -213,7 +213,7 @@
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible.
 -auth_user = root
-+auth_user = dovecot
++auth_user = dovecot-auth
  
  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.

mail/dovecot/pkg-install

@@ -52,7 +52,7 @@ if [ x"$2" = xPRE-INSTALL ]; then
         fi
     fi
 
-    if /usr/sbin/pw user show "${USER}" 2>/dev/null; then
+    if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then
         echo "You already have a user \"${USER}\", so I will use it."
     else
         if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \
@@ -67,4 +67,34 @@ if [ x"$2" = xPRE-INSTALL ]; then
         fi
     fi
 
+    USER=dovecot-auth
+    GROUP=dovecot-auth
+
+    if /usr/sbin/pw groupshow "${GROUP}" 2>/dev/null; then
+	echo "You already have a group \"${GROUP}\", so I will use it."
+    else
+	if /usr/sbin/pw groupadd ${GROUP} -h -
+	then
+	    echo "Added group \"${GROUP}\"."
+	else
+	    echo "Adding group \"${GROUP}\" failed..."
+	    echo "Please create it, and try again."
+	    exit 1
+        fi
+    fi
+
+    if /usr/sbin/pw usershow "${USER}" 2>/dev/null; then
+	echo "You already have a user \"${USER}\", so I will use it."
+    else
+	if /usr/sbin/pw useradd ${USER} -g ${GROUP} -h - \
+	   -s /sbin/nologin \
+	   -c "Dovecot Auth"
+        then
+	    echo "Added user \"${USER}\"."
+	else
+	    echo "Adding user \"${USER}\" failed..."
+	    echo "Please create it, and try again."
+	    exit 1
+        fi
+    fi
 fi