net-mail/dovecot: Backport fixes

Three fixes backported from the dovecot main tree: - ldap-sasl auth (commit 431e328) - anvil group change (commit beca41c) - crash on config reload (commit 9240e3a) Closes: https://bugs.gentoo.org/962939 Signed-off-by: Eray Aslan <eras@gentoo.org>
2026-01-09 00:10:21 +03:00 · 2025-10-06 09:22:19 +02:00
parent bb03600b8e
commit c313f2e300
4 changed files with 397 additions and 0 deletions
--- a/net-mail/dovecot/dovecot-2.4.1-r5.ebuild
+++ b/net-mail/dovecot/dovecot-2.4.1-r5.ebuild
@@ -0,0 +1,262 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LUA_COMPAT=( lua5-1 lua5-{3..4} )
+# do not add a ssl USE flag.  ssl is mandatory
+SSL_DEPS_SKIP=1
+inherit autotools eapi9-ver flag-o-matic lua-single ssl-cert systemd toolchain-funcs
+
+MY_P="${P/_/.}-4"
+MY_PV="${PV}-4"
+major_minor="$(ver_cut 1-2)"
+
+DESCRIPTION="An IMAP and POP3 server written with security primarily in mind"
+HOMEPAGE="https://www.dovecot.org/"
+SRC_URI="https://www.dovecot.org/releases/${major_minor}/${MY_P}.tar.gz \
+		-> ${P}.tar.gz
+	sieve? (
+	https://pigeonhole.dovecot.org/releases/${major_minor}/${PN}-pigeonhole-${MY_PV}.tar.gz \
+		-> ${PN}-pigeonhole-${PV}.tar.gz
+	)
+	managesieve? (
+	https://pigeonhole.dovecot.org/releases/${major_minor}/${PN}-pigeonhole-${MY_PV}.tar.gz \
+		-> ${PN}-pigeonhole-${PV}.tar.gz
+	) "
+S="${WORKDIR}/${MY_P}"
+PIEGONHOLE_S="../dovecot-pigeonhole-${MY_PV}"
+LICENSE="LGPL-2.1 MIT"
+SLOT="0/${PV}"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+
+IUSE_DOVECOT_AUTH_DICT="cdb kerberos ldap lua mysql pam postgres sqlite"
+IUSE_DOVECOT_COMPRESS="lz4 zstd"
+IUSE_DOVECOT_FTS="solr stemmer textcat xapian"
+IUSE_DOVECOT_OTHER="argon2 managesieve selinux sieve static-libs suid systemd test unwind"
+
+IUSE="${IUSE_DOVECOT_AUTH_DICT} ${IUSE_DOVECOT_COMPRESS} ${IUSE_DOVECOT_FTS} ${IUSE_DOVECOT_OTHER}"
+
+REQUIRED_USE="lua? ( ${LUA_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	app-arch/bzip2
+	dev-libs/icu:=
+	dev-libs/openssl:0=
+	net-libs/libtirpc:=
+	net-libs/rpcsvc-proto
+	sys-libs/libcap
+	sys-libs/zlib:=
+	virtual/libiconv
+	argon2? ( dev-libs/libsodium:= )
+	cdb? ( dev-db/tinycdb )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	lua? ( ${LUA_DEPS} )
+	xapian? ( dev-libs/xapian:= )
+	lz4? ( app-arch/lz4 )
+	mysql? ( dev-db/mysql-connector-c:0= )
+	pam? ( sys-libs/pam:= )
+	postgres? ( dev-db/postgresql:* )
+	selinux? ( sec-policy/selinux-dovecot )
+	solr? ( net-misc/curl dev-libs/expat )
+	sqlite? ( dev-db/sqlite:* )
+	stemmer? ( dev-libs/snowball-stemmer:= )
+	suid? ( acct-group/mail )
+	systemd? ( sys-apps/systemd:= )
+	textcat? ( app-text/libexttextcat )
+	unwind? ( sys-libs/libunwind:= )
+	zstd? ( app-arch/zstd:= )
+	virtual/libcrypt:=
+	"
+
+RDEPEND="
+	${DEPEND}
+	acct-group/dovecot
+	acct-group/dovenull
+	acct-user/dovecot
+	acct-user/dovenull
+	net-mail/mailbase[pam?]
+	"
+
+BDEPEND="virtual/pkgconfig
+	test? (
+		lua? (
+			$(lua_gen_cond_dep '
+				dev-lua/luajson[${LUA_USEDEP}]
+			')
+		)
+	)
+	"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-autoconf-lua-version-v3.patch"
+	"${FILESDIR}/${PN}-2.4.1-gssapi-regression.patch"
+	"${FILESDIR}/${PN}-2.4.1-fix-hardened-crash.patch"
+	"${FILESDIR}/${PN}-2.4.1-fix-musl-build.patch"
+	"${FILESDIR}/${PN}-2.4.1-crash-on-arm.patch"
+	"${FILESDIR}/${PN}-2.4.1-trivial-auto-var-init-attrib.patch"
+	"${FILESDIR}/${PN}-2.4.1-fix-ldap-sasl.patch"
+	"${FILESDIR}/${PN}-2.4.1-anvil-group.patch"
+	"${FILESDIR}/${PN}-2.4.1-config-crash.patch"
+)
+
+pkg_setup() {
+	use lua && lua-single_pkg_setup
+	if use managesieve && ! use sieve; then
+		ewarn "managesieve USE flag selected but sieve USE flag unselected"
+		ewarn "sieve USE flag will be turned on"
+	fi
+}
+
+src_prepare() {
+	default
+	if use sieve || use managesieve; then
+		pushd "${PIEGONHOLE_S}" > /dev/null || die
+		eapply "${FILESDIR}/${PN}-2.4.1-fix-ldap-build.patch"
+		popd > /dev/null || die
+	fi
+
+	# rename default cert files
+	sed -i -e "s:ssl-cert.pem:server.pem:" \
+		-e "s:ssl-key.pem:server.key:" \
+		doc/dovecot.conf.in || die "sed failed"
+
+	# bug 657108, 782631
+	#elibtoolize
+	eautoreconf
+
+	# Bug #727244
+	append-cflags -fasynchronous-unwind-tables
+}
+
+src_configure() {
+	# --disable-hardening because our toolchain already defaults to
+	# these bits on, and it actually regresses the default _FORTIFY_SOURCE
+	# level for hardened at least from 3 to 2.
+	#
+	# turn valgrind tests off. Bug #340791
+	VALGRIND=no \
+	LUAPC="${ELUA}" \
+	systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+	econf \
+		--with-rundir="${EPREFIX}/run/dovecot" \
+		--with-statedir="${EPREFIX}/var/lib/dovecot" \
+		--with-moduledir="${EPREFIX}/usr/$(get_libdir)/dovecot" \
+		--disable-hardening \
+		--disable-rpath \
+		--with-bzlib \
+		--without-libbsd \
+		--with-libcap \
+		--with-icu \
+		--enable-experimental-mail-utf8 \
+		$( use_with argon2 sodium ) \
+		$( use_with cdb) \
+		$( use_with kerberos gssapi ) \
+		$( use_with lua ) \
+		$( use_with ldap ) \
+		$( use_with xapian flatcurve ) \
+		$( use_with lz4 ) \
+		$( use_with mysql ) \
+		$( use_with pam ) \
+		$( use_with postgres pgsql ) \
+		$( use_with sqlite ) \
+		$( use_with solr ) \
+		$( use_with stemmer ) \
+		$( use_with systemd ) \
+		$( use_with textcat ) \
+		$( use_with unwind libunwind ) \
+		$( use_with zstd ) \
+		$( use_enable static-libs static )
+
+	if use sieve || use managesieve; then
+		# The sieve plugin needs this file to be build to determine the plugin
+		# directory and the list of libraries to link to
+		emake dovecot-config
+		pushd "${PIEGONHOLE_S}" > /dev/null || die
+		econf \
+			$( use_enable static-libs static ) \
+			--localstatedir="${EPREFIX}/var" \
+			--enable-shared \
+			--disable-hardening \
+			--with-dovecot="${S}" \
+			$( use_with ldap ) \
+			$( use_with managesieve )
+		popd > /dev/null || die
+	fi
+}
+
+src_compile() {
+	default
+	if use sieve || use managesieve; then
+		pushd "${PIEGONHOLE_S}" > /dev/null || die
+		emake CC="$(tc-getCC)" CFLAGS="${CFLAGS}"
+		popd > /dev/null || die
+	fi
+}
+
+src_test() {
+	# bug #340791 and bug #807178
+	local -x NOVALGRIND=true
+
+	default
+	if use sieve || use managesieve; then
+		pushd "${PIEGONHOLE_S}" > /dev/null || die
+		default
+		popd > /dev/null || die
+	fi
+}
+
+src_install() {
+	default
+
+	if use suid; then
+		einfo "Changing perms to allow deliver to be suided"
+		fowners root:mail "/usr/libexec/dovecot/dovecot-lda"
+		fperms 4750 "/usr/libexec/dovecot/dovecot-lda"
+	fi
+
+	newinitd "${FILESDIR}"/dovecot.init-r6 dovecot
+
+	use pam && dosym imap /etc/pam.d/dovecot
+
+	insinto /etc/dovecot/conf.d
+	doins "${FILESDIR}/50-misc.conf"
+
+	dodoc AUTHORS NEWS README.md TODO
+	docinto stopwords
+	dodoc src/lib-language/stopwords/stopwords*.txt
+
+	if use sieve || use managesieve; then
+		pushd "${PIEGONHOLE_S}" > /dev/null || die
+		emake DESTDIR="${ED}" install
+
+		newdoc README README.pigeonhole
+		insinto /etc/dovecot/conf.d
+		doins doc/example-config/conf.d/90-sieve{,-extprograms}.conf
+		use managesieve && doins doc/example-config/conf.d/20-managesieve.conf
+		popd > /dev/null || die
+	fi
+
+	rm -r "${ED}"/usr/share/dovecot
+	use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
+}
+
+pkg_postinst() {
+	if ver_replacing -lt 2.4 ; then
+		# This is an upgrade which requires user review
+		ewarn "Dovecot-2.4.x has new settings and WILL NOT work"
+		ewarn "unless the configuration files are updated."
+		ewarn "Please read the migration guide at:"
+		ewarn "  https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html"
+	fi
+
+	# Let's not make a new certificate if we already have one
+	if ! [[ -e "${ROOT}"/etc/ssl/dovecot/server.pem && \
+		-e "${ROOT}"/etc/ssl/dovecot/server.key ]];	then
+		einfo "Creating SSL	certificate"
+		SSL_ORGANIZATION="${SSL_ORGANIZATION:-Dovecot IMAP Server}"
+		install_cert /etc/dovecot/server
+	fi
+}
--- a/net-mail/dovecot/files/dovecot-2.4.1-anvil-group.patch
+++ b/net-mail/dovecot/files/dovecot-2.4.1-anvil-group.patch
@@ -0,0 +1,26 @@
+# bug 962939
+diff --git a/src/anvil/anvil-settings.c b/src/anvil/anvil-settings.c
+index cf96ae7e1f4..15cd03957a1 100644
+--- a/src/anvil/anvil-settings.c
+++ b/src/anvil/anvil-settings.c
+@@ -33,7 +33,8 @@ const struct setting_keyvalue anvil_service_settings_defaults[] = {
+ 	{ "unix_listener", "anvil anvil-auth-penalty" },
+ 
+ 	{ "unix_listener/anvil/path", "anvil" },
+-	{ "unix_listener/anvil/mode", "0600" },
+	{ "unix_listener/anvil/mode", "0660" },
+	{ "unix_listener/anvil/group", "$SET:default_internal_group" },
+ 
+ 	{ "unix_listener/anvil-auth-penalty/path", "anvil-auth-penalty" },
+ #ifdef DOVECOT_PRO_EDITION
+diff --git a/src/lib-settings/settings-history-core.txt b/src/lib-settings/settings-history-core.txt
+index 2e0a9f6062d..71d08ffaaa5 100644
+--- a/src/lib-settings/settings-history-core.txt
+++ b/src/lib-settings/settings-history-core.txt
+@@ -1,4 +1,6 @@
+ default	service/lmtp/service_restart_request_count	unlimited	2.4.1	
+ default	service/auth/unix_listener/auth-userdb/unix_listener_group		2.4.1	
+default	service/anvil/unix_listener/anvil/unix_listener_mode	0600	2.4.1	
+default	service/anvil/unix_listener/anvil/unix_listener_group		2.4.1	
+ default	mail_cache_fields	flags	2.4.1	
+ default	lmtp_user_concurrency_limit	0	2.4.1	
--- a/net-mail/dovecot/files/dovecot-2.4.1-config-crash.patch
+++ b/net-mail/dovecot/files/dovecot-2.4.1-config-crash.patch
@@ -0,0 +1,44 @@
+From 9240e3a4386808789d593537a8ebe3e873e89683 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Tue, 15 Jul 2025 12:32:23 +0300
+Subject: [PATCH] lib: Fix crash when config is reloaded and logging to syslog
+
+openlog() was called with a string pointing to settings. When settings were
+reloaded, the pointer became invalid, causing syslog() to crash.
+---
+ src/lib/failures.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/failures.c b/src/lib/failures.c
+index eae2d8ddf88..49b0681607e 100644
+--- a/src/lib/failures.c
+++ b/src/lib/failures.c
+@@ -56,6 +56,7 @@ static struct failure_context failure_ctx_error = { .type = LOG_TYPE_ERROR };
+ 
+ static int log_fd = STDERR_FILENO, log_info_fd = STDERR_FILENO,
+ 	   log_debug_fd = STDERR_FILENO;
+static char *syslog_ident = NULL;
+ static char *log_prefix = NULL;
+ static char *log_stamp_format = NULL, *log_stamp_format_suffix = NULL;
+ static bool failure_ignore_errors = FALSE, log_prefix_sent = FALSE;
+@@ -657,7 +658,11 @@ void i_syslog_error_handler(const struct failure_context *ctx,
+ 
+ void i_set_failure_syslog(const char *ident, int options, int facility)
+ {
+-	openlog(ident, options, facility);
+	/* openlog() keeps using the pointer directly. Duplicate it in case
+	   caller frees the string. */
+	i_free(syslog_ident);
+	syslog_ident = i_strdup(ident);
+	openlog(syslog_ident, options, facility);
+ 
+ 	i_set_fatal_handler(i_syslog_fatal_handler);
+ 	i_set_error_handler(i_syslog_error_handler);
+@@ -1006,6 +1011,7 @@ void failures_deinit(void)
+ 	i_free_and_null(log_prefix);
+ 	i_free_and_null(log_stamp_format);
+ 	i_free_and_null(log_stamp_format_suffix);
+	i_free(syslog_ident);
+ }
+ 
+ #undef i_unreached
--- a/net-mail/dovecot/files/dovecot-2.4.1-fix-ldap-sasl.patch
+++ b/net-mail/dovecot/files/dovecot-2.4.1-fix-ldap-sasl.patch
@@ -0,0 +1,65 @@
+From 431e328b3b035ddb187526cd13bccf29833aed90 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Mon, 2 Jun 2025 20:42:03 +0300
+Subject: [PATCH] auth: Fix LDAP SASL support
+
+The settings code didn't see the necessary defines.
+
+Based on patch by Jakob Haufe
+
+Broken by 961275fdb54878fdfa4ee1b9f1a4f00e82bf4a83
+---
+ src/auth/db-ldap-settings.h | 14 ++++++++++++++
+ src/auth/db-ldap.c          | 11 -----------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/src/auth/db-ldap-settings.h b/src/auth/db-ldap-settings.h
+index dc341dd3943..a5f2d09fa38 100644
+--- a/src/auth/db-ldap-settings.h
+++ b/src/auth/db-ldap-settings.h
+@@ -1,6 +1,20 @@
+ #ifndef DB_LDAP_SETTINGS_H
+ #define DB_LDAP_SETTINGS_H
+ 
+/* <settings checks> */
+#define HAVE_LDAP_SASL
+#ifdef HAVE_SASL_SASL_H
+#  include <sasl/sasl.h>
+#elif defined (HAVE_SASL_H)
+#  include <sasl.h>
+#else
+#  undef HAVE_LDAP_SASL
+#endif
+#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
+#  undef HAVE_LDAP_SASL
+#endif
+/* </settings checks> */
+
+ enum db_ldap_lookup_type {
+ 	DB_LDAP_LOOKUP_TYPE_PASSDB,
+ 	DB_LDAP_LOOKUP_TYPE_USERDB,
+diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
+index 9dcebedd57e..302faf38f43 100644
+--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
+@@ -22,20 +22,9 @@
+ 
+ #include <unistd.h>
+ 
+-#define HAVE_LDAP_SASL
+-#ifdef HAVE_SASL_SASL_H
+-#  include <sasl/sasl.h>
+-#elif defined (HAVE_SASL_H)
+-#  include <sasl.h>
+-#else
+-#  undef HAVE_LDAP_SASL
+-#endif
+ #ifdef LDAP_OPT_X_TLS
+ #  define OPENLDAP_TLS_OPTIONS
+ #endif
+-#if !defined(SASL_VERSION_MAJOR) || SASL_VERSION_MAJOR < 2
+-#  undef HAVE_LDAP_SASL
+-#endif
+ 
+ #ifndef LDAP_SASL_QUIET
+ #  define LDAP_SASL_QUIET 0 /* Doesn't exist in Solaris LDAP */